The Cyber Moscow Rules: Trust no one. Trust no device.

Here's a great adaptation of the Moscow Rules to the world of security. Written by Bob Gourley for OODA Loop.

Consider these as “Moscow Rules for Cyber Operations”

• Do not trust your gut. Your gut is not used to the manmade creations of cyberspace. Instrument, measure, monitor and seek to confirm everything.
• Do not trust any single source of information. Seek multiple sources, especially sources from outside your organization.
• Design your cyber defense monitoring system to bring all sources together for analysis. This includes structured network and computer derived information and also unstructured feeds from advisory reporting, vulnerability reports, social media and specialized cyber intelligence feeds.
• Backup everything of importance to your mission, and keep unalterable logs. This will save you, again and again.
• Understand your actions are being observed. Your adversary is watching you watch them; you are never completely alone.
• Trust no one. Trust no device. Every device in your system is potentially under opposition control. Your computers, networks, VOIP phone, your Telepresence system, your laptop, tablet and even cell phone, are all potentially compromised. Architect your enterprise to ensure penetrated systems are detected, isolated and their comms grounded.
• Even in the complex heterogenous world of modern enterprise IT you can find boundaries and control points. Know where they are and how to leverage them to your advantage. Establish rules at every gate.
• Protect your most important information, but seek to lull your adversary into a sense of complacency.
• Don’t harass the opposition. You want to enhance your defenses and keep them out. You do not want to embolden/encourage hatred. You want them to go away. More than likely you are not good enough at defending your own enterprise to even think of doing anything offensive. Save that for the government.
• There are psychological dimensions of cyber operations. This goes for both your cyber defender team and the adversaries and should inform your plans.
• Keep your options open. Understand your adversary is a thinking, creative entity that will react and surprise you. The team you push out of your system may be replaced by a much more sophisticated team.
• Know your tradecraft and make sure your entire team does as well (many exemplars and best tradecraft practices are available, a favorite of mine is the community produced Consensus Audit Guidelines).
• Training and education of your workforce is important, but it will fail you. Even with all the training in the world your workforce will eventually be deceived by creative, determined adversaires. Know that right now a user somewhere in your organization is doing something they should not be.
• Be careful about outside consultants. The cyber defense field, unfortunately, attracts charlatans who assert that they have special knowledge of how to defend. The only way to vet experienced cyber defenders is to have either observed their past performance first-hand or to get first-hand reports by those you trust.
• Pick the time and place for action. Move fast to protect your most important info. Take actions to keep your adversary off balance. Build plans in well thought out ways to raise all other info defenses on your schedule.
• Understand the human tendency to forget about the threat as soon as the current attack has been mitigated. Do not fall victim to this cyber threat amnesia. When not under visible attack, study, prepare, and test your own defenses.

Remember:

"Trust no one. Trust no device. Every device in your system is potentially under opposition control."