Marisa Fagan’s comment helped me clarify an idea. We often see inappropriate spending on security, and we frequently shrug it off with the acceptance that “at least they’re doing something, maybe next time they’ll get it right”. I am a proponent of accepting small victories, but if the “defense” is wrong, that is not a victory of any kind. For any challenge, we have a finite set of resources we can use to address it. If resources are spent on the wrong things, that is not “just” a waste of resources; it removes them from the pool and reduces (or possibly eliminates) what is available for valid solutions.
Danny pointed out a very real, but theoretical, threat. Some would call it a “movie plot threat”, but I am growing tired of that phrase. Risk analysis needs to consider a wide variety of risks, then categorize them and prioritize mitigations. Even unlikely attacks deserve to be considered in the process, especially if the consequences would be high. In the context of the post, I feel that it would be inappropriate to worry much about a potential threat when there are active attacks we are not adequately addressing. For example, you don’t see anyone in InfoSec focusing their efforts on traditional network security to address browser exploits, do you? That would be silly. Hmm, wait, we seem to be getting uncomfortably close to glass house syndrome.
(photo credit seier+seier, Flickr)

Finally, Dave Kennedy’s comment included this gem: