Dan Geer is a voice in the IT security world that should be listened to, and he has co-authored a short but intense article in the IEEE S&P Cleartext column that addresses the reality of the rapidly changing threats that we all face.
“Stand Your Ground” has a few key messages, which I’ll try to summarise :-
- Minimise the number of targets; stop adding new services without effective defences, remove old services. Use the savings to fund better security for what remains.
- Distrust the internal network; distrust any service that is not continually verified. Defend against outbound traffic as well as inbound traffic.
- Do not assume perfection is possible; plan for failure modes that reduce services sensibly. Reduce the time-to-repair with automation instead of extending the mean-time-between-failure.
For more reading and a less technical take on these ideas, here’s another article about Dan’s thoughts from Ben Tomhave, a GRC (Governance, Risk & Compliance) consultant.