EP 113 - SDP 9 Least common Mechanism
- S2E113
- 13:43
- January 5th 2024
In this episode, Kip and Jason cover the Security Design Principle of “Least Common Mechanism”.
The Lease Common Mechanism is the ninth security design principle and focuses on how you can best protect older, legacy systems in large organizations and within the government.
Security Design Principle #9 is a crucial concept in the field of cybersecurity. It advocates for minimizing the amount of mechanisms shared by different users or processes, thereby reducing the chances of a security breach. This principle is rooted in the idea that shared resources or functionalities can become potential vulnerabilities, especially if they are used by multiple entities with varying levels of trustworthiness.
The principle is based on the understanding that any shared mechanism or resource is a potential attack surface. When different programs or users rely on the same functionality or data paths, a breach in one can easily become a gateway to compromise the others. For instance, if a shared library has a vulnerability, every program using that library is at risk. Therefore, by reducing the number of shared components, the principle of Least Common Mechanism aims to limit the potential damage that can be caused by a security flaw or breach.
Implementing this principle involves designing systems where the functionalities are as isolated as possible. This can be achieved through techniques like sandboxing, where programs run in isolated environments, or through the use of microservices architectures, where applications are broken down into smaller, independent services. Each service or program having its unique mechanisms greatly diminishes the risk of a widespread security incident.
The principle also underlines the importance of not only securing shared resources but also constantly monitoring them. Regular audits and updates of shared components are vital to ensure they remain secure. In essence, the Least Common Mechanism principle is about understanding the risks associated with shared resources and proactively designing systems to minimize these risks.
Relevant websites for this episode
Other Relevant Episodes
- Episode 96 – SDP 1 – Least Privilege
- Episode 98 – SDP 2 – Psychological Acceptability
- Episode 101 – SDP 3 – Economy of Mechanism
- Episode 103 – SDP 4 – Compromise Recording
- Episode 105 – SDP 5 – Work Factor
- Episode 107 – SDP 6 – Failsafe Defaults
- Episode 109 – SDP 7 – Complete Mediation
- Episode 111 - SDP 8 – Open Design
Your Cyber Path: How to Get Your Dream Cybersecurity Job
The Your Cyber Path podcast is designed to help you find out what it takes to get your dream cybersecurity job (from the hiring managers' perspective). After all, it is the hiring manager you need to impress in order to land your dream role. Stop wondering what the hiring manager is thinking, and learn first hand from our team of professional cybersecurity hiring managers who can help you cut through the process and understand what it takes to get hired these days.
Meet the Hosts
Jason Dion is a former college professor and the lead instructor at Dion Training Solutions. He has multiple information technology professional certifications, including Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), Certified Network Defense Architect (CNDA), Digital Forensic Examiner (DFE), Digital Media Collector (DMC), CySA+, Security+, Network+, A+, PRINCE2 Practitioner, and ITIL. With networking experience dating back to 1992, Jason has been a network engineer, Deputy Director of a Network Operations Center, and an Information Systems Officer for large organizations around the globe.
Kip Boyle is a husband, dad, entrepreneur, and experienced cyber risk manager. He founded Cyber Risk Opportunities LLC in 2015 after 7 years as the CISO of PEMCO Insurance in Seattle. As a captain on active duty in the US Air Force, he served in the Combat Archer and F-22 Stealth Fighter programs, where he was the director of enterprise network security. These days, he serves as virtual chief information security officer for many customers, including a professional sports team and fast-growing FinTech and AdTech companies. Over the years, Kip has built teams by interviewing hundreds of cybersecurity professionals. And now, he’s sharing his insider’s perspective with you!