Recently I read “Click Here to Kill Everybody” by Bruce Schneier. I really recommend this book to anyone. It is not targeted to a technical audience, although you might enjoy it a tiny bit extra if you are familiar with cyber security.
In this post I want to highlight one of my favorite parts, where Schneier lists ten principles to secure our devices.
In chapter 6, “What a Secure Internet+ looks like”, Schneier lists ten principles vendors of Internet-enabled products should follow for a safer world. I am transcribing these from my audiobook, so the quotes may be inexact, but the spirit is intact.
- Be transparent. Vendors should clearly state how their security works, which threats they secure against and which they don’t. […]
- Make the software patchable. […] vendors also need to patch quickly, once vulnerabilities are discovered. […]
- Test preproduction. All software should be tested for security before it is released.
- Enable secure defaults operation. Devices should be secure out of the box, without requiring users to configure them.
- Fail predictably and safely. If a device loses its Internet connection it should fail gracefully, in a way that does not cause any harm.
- Use standard protocols and implementations. Standard protocols are generally more secure and better tested, and custom protocols are the opposite. […]
- Avoid known vulnerabilities. Vendors should not ship products that contain known vulnerabilities.
- Preserve offline functionality. Users should be able to turn off all incoming and outgoing network connections while still being able to use the device. […]
- Encrypt and authenticate data. Data should be encrypted on the devices and communications to and from them should be both encrypted and authenticated.
- Support responsible security research. Vendors should allow research on their products and welcome vulnerability reports, not harass researchers.
I like them all, but if I were pressed to choose one, I think I would go with “Enable secure defaults operation”. For me, this is the principle that would have the biggest impact in my circle, making my loved ones safer.
Do you have a favorite?
I hope to post a list, from the same chapter, of security principles for our data, not our devices.