Minimum Viable Security
What is the bare minimum amount of work that can be done that can be considered making a system more secure? What items must all individuals, all organizations, and all systems address in order to improve security? I often tell people that security is not one-size-fits-all, but what is the one-size-fits-most equivalent? What is the 20% of minimum viable security implementation that will address 80% of vulnerabilities?
In 2006, NIST released special publication 800-69, Guidance for Securing Microsoft Windows XP Home Edition, a series of recommendations on how individuals could secure their home computers. Weighing in at 175 pages, it was not for the faint of heart. If you stick with it until Appendix A, you’ll find this interesting quote:
Appendix A contains step-by-step instructions for implementing the most essential recommendations for securing Windows XP Home Edition computers.
After eight full chapters of detailed recommendations, a list of six simple steps is provided in the Appendix, which can further be reduced to these bullets:
- Turn on firewall
- Enable automatic updates
- Install anti-malware software (with automatic updates)
- Create non-administrative user account(s)
For me, this represents the core of a concept I’ve been referring to as minimum viable security.
Minimum viable security is a concept borrowed from the concept of minimum viable product (MVP). At the core, the MVP concept means the product will contain only the minimum amount of effort invested in order to prove the viability of an idea. Take for example Uber, the smartphone app / transportation network startup. At first, Uber offered one application (on iPhone), and one transportation option (the black car). That was the minimum viable product to get their service off the ground. Now, the Uber app is available on iPhone, Android, and anything with a mobile web browser, and offers up to three transportation options – uberX ride sharing, black car, and black SUV. Uber didn’t need universal smartphone compatibility and three different transport options to launch… but they did need one app, and one transport. Otherwise, Uber would have just been a neat idea that was impossible to implement, like the Amazon Prime Air drones.
I think the above bulleted list might actually be close to true minimum viable security. There are a few items that I think need to be added, since all systems are not Windows XP Home Edition, and we’ve learned a bit in the last seven-plus years. So, add your suggestions in the comments over on the Security Musings blog and let’s see what else makes the cut.
Firewalls, patching, anti-malware, limited privileges… What else should be considered minimum viable security?
In my next article, I’m going to discuss the value of minimum viable security, and how the very concept of minimum viable security freaks out security professionals – including some of my coworkers.