INVITATION TO CYBERSECURITY 224 and the principle of simplicity would caution against automatically assuming it is the better choice. More cyber risk is assumed by choosing it. The other issue with complexity is that it is difficult to correctly implement complicated things, and bad implementations are potential security vulnerabilities. For example, security policies should be as simple as possible. Every extra step and extra clause in a policy is an opportunity for errors to creep into the process. Section 2.9 of the ACM Code of Ethics even treats this as an ethical mandate in stating, “Computing professionals should discourage security precautions that are too confusing.” The same is true for technology tools and software. Simple and straightforward tools are more likely to be secure than complicated and unclear ones. We also saw this principle in Section 7.4.3 on cryptography. The best cryptographic algorithms are marked by an elegant simplicity. They are easier to understand, implement, and use. As a developer of tools this principle argues for secure defaults because users that do not understand all the options and their implications are more likely to accept the defaults. Simplicity also has implications for data retention. Data retention is the practice of storing data. On the one hand, the more data the better—one never knows when it might come in handy someday, and data storage is cheap, so why not just hang onto as much as possible for as long as possible? But more data means more complexity. It requires more resources to monitor and safeguard. It also means a bigger fallout if a data breach or doxxing attack occurs. The principle of simplicity would suggest that data storage should be minimized. An organization should only keep the data they know they will use and only for as long as it is useful. Older data should be purged. Like all cybersecurity decisions, this comes at a cost, but it limits the exposure data poses. Complexity is inherent in cyberspace, but simplicity should always be pursued to the extent possible. 9.1.5 Weakest Link “A chain is only as strong as its weakest link.” - Popular saying There is an asymmetry in cybersecurity that benefits the attacker: cyber defenders must protect everywhere at all times, but cyber attackers only need to find one opening at one point in time in order to succeed. The weakest link principle states that hackers will take the easiest path towards accomplishing their objectives. As they survey an organization, they might notice multiple angles of attack, but they will always pursue the easiest one. This is not because attackers are lazy; it is because they are smart. They will not take more risks and work harder than necessary to accomplish their goal. The weakest link principle derives its name from the picture of a chain with multiple chain-links. As more and more weight is added to a chain, it will eventually break and always at the point of its weakest link. This principle is helpful for cybersecurity because it can be used to prioritize defensive measures. It is more efficient to invest in identifying
RkJQdWJsaXNoZXIy MTM4ODY=