{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2021-017.pdf"
    },
    "title": "Straightforward Rules for Perfect Cyber Security",
    "serial_number": "2021-017",
    "publish_date": "01-04-2021 07:06:00",
    "description": "Over several years, CERT-EU has been investigating thousands of cybersecurity incidents. These ranged from simple cases of phishing, through compromise of internet-facing IT assets, and up to highly sophisticated Advanced Persistent Threats (APTs). Based on this large volume of examples, CERT-EU has been able to perform a very careful and in-depth analysis of the underlying reasons that lead to these cyber-incidents.<br>Thanks to this groundbreaking, Human Intelligence powered research, CERT-EU managed to identify basic and straightforward rules that - once implemented - will allow anyone to achieve perfect cybersecurity in any organisation:<br>- Rule no. 1: Use only secure software.<br>- Rule no. 2: Install efficient filtering solutions.<br>- Rule no. 3: Allow users to perform safe actions only.<br>These rules are extremely simple to implement and do not require significant budget or resources. It is also trivial to ensure compliance with requirements as well as save money on any other (completely unnecessary) security provisions.",
    "url_title": "2021-017",
    "content_markdown": "---\ntitle: 'Straightforward Rules for\u00a0Perfect\u00a0Cyber Security'\nversion: '1.0'\nnumber: '2021-017'\ndate: 'April 1, 2021'\n---\n\n_History:_\n\n* _01/04/2021 --- v1.0 -- Initial publication_\n\n# Summary\n\nOver several years, CERT-EU has been investigating thousands of cybersecurity incidents. These ranged from simple cases of phishing, through compromise of internet-facing IT assets, and up to highly sophisticated Advanced Persistent Threats (APTs). Based on this large volume of examples, CERT-EU has been able to perform a very **careful and in-depth analysis** of the underlying reasons that lead to these cyber-incidents.\n\nThanks to this groundbreaking, Human Intelligence powered research, CERT-EU managed to identify **basic and straightforward rules** that -- once implemented -- will allow anyone to achieve **perfect cybersecurity** in any organisation:\n\n- **Rule no. 1: Use only secure software.**\n- **Rule no. 2: Install efficient filtering solutions.**\n- **Rule no. 3: Allow users to perform safe actions only.**\n\nThese rules are extremely simple to implement and **do not require significant budget or resources**. It is also trivial to **ensure compliance** with requirements as well as **save money** on any other (completely unnecessary) security provisions.\n\n# Technical Details\n\nThis section focuses on the practical, ready-to-use implementation of the general rules presented above.\n\n## Use Only Secure Software\n\nGenerally speaking, the term _secure software_ is used to denote designing, building, testing and deploying software so as to reduce vulnerabilities and to ensure the software\u2019s proper function when under malicious attacks [1]. The consequences of using software that is not secure could be dire [2], hence this should be absolutely avoided.\n\nHere are easy-to-follow, practical steps that would ensure that only secure software is used in an organisation:\n\n- Carefully choose commercial **software vendors that only provide secure, vulnerability-free software** -- for obvious reasons, it is inefficient (and insecure!) to buy software that is not secure or contains vulnerabilities.\n- When using community-supported or open-source software -- **ensure that the software is secure** before making a decision to deploy it. With open-source software, this is easy and can be done with a simple script, such as:\n\n```\n#!/usr/bin/env python\n\nwith open('source_code') as source:\n\tassert source is secure, 'Error: Source code not secure!'\n```\n\n- **Use only secure configuration**. Some software requires configuration after having been installed -- examples include web servers, file sharing servers, etc. To ensure safe and flawless operation, only a secure configuration must be used.\n- **Do not update** the software once it is installed -- **secure software does not need security updates**, which dramatically reduces maintenance and the total cost of ownership.\n\n## Install Efficient Filtering Solutions\n\nEven with the successful implementation of Rule no. 1, it is still possible that an organisation may be threatened by malicious external activities against their perimeter [3], such as spear-phishing, spam, DDoS attacks, and many others [4]. This is why our second identified basic rule is so important.\n\nIn order to entirely mitigate any such risks, the following steps need to be followed:\n\n- **Install a basic but efficient filtering mechanism** on the perimeter of your network. This mechanism needs to follow very basic filtering rules, such as this example SNORT rule:\n\n```\nblock any any any -> $my_network (is malicious?)\n```\n\nPlease note that filtering defined this way does **not block any outgoing packets**. This is intentional, as the **internal infrastructure is completely safe thanks to implementing Rule no. 1**, and no user action can endanger the security of the organisation thanks to the implementation of Rule no. 3 below.\n\n## Allow Users to Perform Safe Actions Only\n\nThe perfect security posture of an organisation would not be complete without proper user awareness and collaboration. Even with entirely secure software (Rule no. 1) and protection from any external threats (Rule no. 2), users' actions could still inadvertently lead to disastrous outcomes [5].\n\nFortunately, there is an easy solution for this problem -- **users should only be allowed to perform safe actions**, i.e. only actions that do not lead to issues, problems, security risks, or data compromise or exfiltration. Any **other actions must be strictly prohibited**.\n\n# Recommendations\n\nThe recommendation is straightforward. **Deploy rules 1 through 3 in your organisation as soon as possible**, and enjoy a perfect cyber-secure environment!\n\nHappy April Fools' Day and stay safe (and sane)!\n\n# References\n\n[1] <https://study.com/academy/lesson/secure-software-definition-characteristics.html>\n\n[2] <https://insights.sei.cmu.edu/cert/2017/06/the-consequences-of-insecure-software-updates.html>\n\n[3] <https://www.redbooks.ibm.com/redpapers/pdfs/redp4397.pdf>\n\n[4] <https://sendgrid.com/resource/phishing-doxxing-botnets-and-other-email-scams-what-you-need-to-know/>\n\n[5] <https://www.helpnetsecurity.com/2019/10/08/internal-user-mistakes/>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>01/04/2021 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>Over several years, CERT-EU has been investigating thousands of cybersecurity incidents. These ranged from simple cases of phishing, through compromise of internet-facing IT assets, and up to highly sophisticated Advanced Persistent Threats (APTs). Based on this large volume of examples, CERT-EU has been able to perform a very <strong>careful and in-depth analysis</strong> of the underlying reasons that lead to these cyber-incidents.</p><p>Thanks to this groundbreaking, Human Intelligence powered research, CERT-EU managed to identify <strong>basic and straightforward rules</strong> that -- once implemented -- will allow anyone to achieve <strong>perfect cybersecurity</strong> in any organisation:</p><ul><li><strong>Rule no. 1: Use only secure software.</strong></li><li><strong>Rule no. 2: Install efficient filtering solutions.</strong></li><li><strong>Rule no. 3: Allow users to perform safe actions only.</strong></li></ul><p>These rules are extremely simple to implement and <strong>do not require significant budget or resources</strong>. It is also trivial to <strong>ensure compliance</strong> with requirements as well as <strong>save money</strong> on any other (completely unnecessary) security provisions.</p><h2 id=\"technical-details\">Technical Details</h2><p>This section focuses on the practical, ready-to-use implementation of the general rules presented above.</p><h3 id=\"use-only-secure-software\">Use Only Secure Software</h3><p>Generally speaking, the term <em>secure software</em> is used to denote designing, building, testing and deploying software so as to reduce vulnerabilities and to ensure the software\u2019s proper function when under malicious attacks [1]. The consequences of using software that is not secure could be dire [2], hence this should be absolutely avoided.</p><p>Here are easy-to-follow, practical steps that would ensure that only secure software is used in an organisation:</p><ul><li>Carefully choose commercial <strong>software vendors that only provide secure, vulnerability-free software</strong> -- for obvious reasons, it is inefficient (and insecure!) to buy software that is not secure or contains vulnerabilities.</li><li>When using community-supported or open-source software -- <strong>ensure that the software is secure</strong> before making a decision to deploy it. With open-source software, this is easy and can be done with a simple script, such as:</li></ul><pre><code>#!/usr/bin/env python\n\nwith open('source_code') as source:\n    assert source is secure, 'Error: Source code not secure!'\n</code></pre><ul><li><strong>Use only secure configuration</strong>. Some software requires configuration after having been installed -- examples include web servers, file sharing servers, etc. To ensure safe and flawless operation, only a secure configuration must be used.</li><li><strong>Do not update</strong> the software once it is installed -- <strong>secure software does not need security updates</strong>, which dramatically reduces maintenance and the total cost of ownership.</li></ul><h3 id=\"install-efficient-filtering-solutions\">Install Efficient Filtering Solutions</h3><p>Even with the successful implementation of Rule no. 1, it is still possible that an organisation may be threatened by malicious external activities against their perimeter [3], such as spear-phishing, spam, DDoS attacks, and many others [4]. This is why our second identified basic rule is so important.</p><p>In order to entirely mitigate any such risks, the following steps need to be followed:</p><ul><li><strong>Install a basic but efficient filtering mechanism</strong> on the perimeter of your network. This mechanism needs to follow very basic filtering rules, such as this example SNORT rule:</li></ul><pre><code>block any any any -&gt; $my_network (is malicious?)\n</code></pre><p>Please note that filtering defined this way does <strong>not block any outgoing packets</strong>. This is intentional, as the <strong>internal infrastructure is completely safe thanks to implementing Rule no. 1</strong>, and no user action can endanger the security of the organisation thanks to the implementation of Rule no. 3 below.</p><h3 id=\"allow-users-to-perform-safe-actions-only\">Allow Users to Perform Safe Actions Only</h3><p>The perfect security posture of an organisation would not be complete without proper user awareness and collaboration. Even with entirely secure software (Rule no. 1) and protection from any external threats (Rule no. 2), users' actions could still inadvertently lead to disastrous outcomes [5].</p><p>Fortunately, there is an easy solution for this problem -- <strong>users should only be allowed to perform safe actions</strong>, i.e. only actions that do not lead to issues, problems, security risks, or data compromise or exfiltration. Any <strong>other actions must be strictly prohibited</strong>.</p><h2 id=\"recommendations\">Recommendations</h2><p>The recommendation is straightforward. <strong>Deploy rules 1 through 3 in your organisation as soon as possible</strong>, and enjoy a perfect cyber-secure environment!</p><p>Happy April Fools' Day and stay safe (and sane)!</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://study.com/academy/lesson/secure-software-definition-characteristics.html\">https://study.com/academy/lesson/secure-software-definition-characteristics.html</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://insights.sei.cmu.edu/cert/2017/06/the-consequences-of-insecure-software-updates.html\">https://insights.sei.cmu.edu/cert/2017/06/the-consequences-of-insecure-software-updates.html</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.redbooks.ibm.com/redpapers/pdfs/redp4397.pdf\">https://www.redbooks.ibm.com/redpapers/pdfs/redp4397.pdf</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://sendgrid.com/resource/phishing-doxxing-botnets-and-other-email-scams-what-you-need-to-know/\">https://sendgrid.com/resource/phishing-doxxing-botnets-and-other-email-scams-what-you-need-to-know/</a></p><p>[5] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.helpnetsecurity.com/2019/10/08/internal-user-mistakes/\">https://www.helpnetsecurity.com/2019/10/08/internal-user-mistakes/</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}