
Dumb Security Ideas: Yeah, But They're Better Than The Rest

A popular story on Digg today has the title "The Six Dumbest Ideas in Computer Security". It makes some good points but does not give enough consideration to the constraints, especially economic ones, that define the context in which many individuals and businesses have to make security decisions. At the risk of bastardizing Churchill, some of these may rank with the dumbest ideas in security, but they are better than all the rest.

Take end user education, for example.

The real question to ask is not "can we educate our users to be better at security?" it is "why do we need to educate our users at all?" ... Most of the problems that are addressable through user education are self-correcting over time. As a younger generation of workers moves into the workforce, they will come pre-installed with a healthy skepticism about phishing and social engineering.

Where do individuals get this healthy skepticism if not from education? The idea that one generation will not make the same mistakes as the previous one is arguable at best. Besides, the only constant in IT security is that threats never stay the same. This idealized younger generation will have to stay ahead of new threats, however savvy they may think they are about today's threats.

Another example of a dumb but pragmatic idea is patching.

In other words, you attack your firewall/software/website/whatever from the outside, identify a flaw in it, fix the flaw, and then go back to looking. One of my programmer buddies refers to this process as "turd polishing" because, as he says, it doesn't make your code any less smelly in the long run but management might enjoy its improved, shiny, appearance in the short term. In other words, the problem with "Penetrate and Patch" is not that it makes your code/implementation/system better by design, rather it merely makes it toughened by trial and error.

A lot of software sucks from a security perspective, so what do we do? Should a business that needs to run a database not run the DBMS because serious flaws keep being found in it even with regular patches? Sure, in an ideal world we'd have a secure, high-performance database. We don't live in an ideal world. We can either dump our databases and claim "we're secure," or we can apply the patches the vendor sends out every quarter.

Sure, there are other ways to attack patched systems. So what? I can put a lock on my door and fix a broken window, and it won't stop someone determined to break into my house. It does make it harder, and that's the point. We don't need total security, but we need enough to make the cost of breaking in greater than the value of breaking in. That's basic economics, and we can't run around pontificating on how dumb patching is without taking into account the broad context in which these applications, and the businesses that use them, function.


Dan Sullivan's Bio:

Dan Sullivan is a systems architect with 20 years of IT experience that includes engagements in enterprise security, application design, and systems architecture. His experience includes a broad range of industries, including financial services, manufacturing, government, retail, gas and oil production, power generation, and education. Dan’s security-related project work has ranged from requirements analysis for enterprise information security to designing and implementing security for database applications and enterprise portals. Dan has written about information security and other enterprise information management topics for Business Security Advisor, DM Review, Intelligent Enterprise, and E-Business Advisor. You can contact Dan at: dan_sullivan@realtimepublishers.net