Thursday, December 9, 2010

Comment induced follow up post

I love comments, and I should make them more often.  Three comments on one of my recent posts kicked a few thoughts free, so I’m dropping them here.
Marisa Fagan’s comment helped me clarify an idea.  We often see inappropriate spending on security, and frequently shrug it off with the acceptance that “at least they’re doing something, maybe next time they’ll get it right”.  I am a proponent of accepting small victories, but if the “defense” is wrong, that is not a victory of any kind.  For any challenge, we have a finite set of resources we can use to address it.  If resources are spent on the wrong things, that is not “just” a waste of resources, it removes them from the pool and reduces (or possibly eliminates) what is available for valid solutions.
Danny pointed out a very real, but theoretical, threat.  Some would call it a “movie plot threat”, but I am growing tired of that phrase.  Risk analysis needs to consider a wide variety of risks, then categorize them and prioritize mitigations.  Even unlikely attacks deserve to be considered in the process, especially if the consequences would be high. In the context of the post, I feel that it would be inappropriate to worry much about a potential threat when there are active attacks we are not adequately addressing.  For example, you don’t see anyone in InfoSec focusing their efforts on traditional network security to address browser exploits, do you?  That would be silly.  Hmm, wait, we seem to be getting uncomfortably close to glass house syndrome.
christiania, glass house, august 2007
(photo credit seier+seier, Flickr)
Finally, Dave Kennedy’s comment included this gem:
“Report: FBI arrests Holland America passenger for releasing ship's anchor”
which highlights a real battle we sometimes face.  We are all aware of “usability vs. security” challenges; this one is a “security vs. security” challenge.  Or maybe a “safety vs. security” challenge would be more accurate.  Sometimes you need to drop anchor, and fast.  It isn’t common, especially in a modern vessel such as the cruise ship in the story, but when you need the anchor down, you need it down.  Therefore, the harder it is to drop anchor, the “less safe” the ship may be.  In this case I do think there needs to be a level of security above “some drunk can drop an anchor”.  This kind of incident is a good study in risks, threats, probabilities and outcomes, and it is visceral enough to get people’s attention.