Wednesday, March 08, 2006

Security Theater Examples

While I intend for this blog to include more than just issues related to security theater, in honor of the title, I want to mention a few examples of security practices that are more image than substance.

Security through obscurity
While there is some value to the concept "if attackers can't see me, they won't know I'm there to be attacked," it is misleading to think that any method used to hide a system, or traffic, or whatever else you are trying to hide, will provide any real protection. Take disabling the SSID broadcast in a wireless network, for example. While this may prevent some novices from finding you, any war driver who spends 15 minutes of their time reading up on wireless networks will be able to get that information using simple utilities.

I have a firewall, so I'm protected
Don't get me wrong, firewalls are pretty much essential in most networks (actually, I can't think of any exceptions at the moment, but I try to avoid generalizations). The misconception is that the perimeter firewall is the single device needed to protect your network. There are a lot of attack vectors out there, and not all of them involve Internet traffic coming into your network. Heck, not all of them even originate outside of your network. What about the user that brings in a laptop loaded with all kinds of viruses, spyware, and P2P applications, and attaches it to your network? Obviously, there are other methods of protection, including antivirus/antispyware software, IDS/IPS, email security products, network and remote access quarantine products, patch management, etc. I intend to go into greater depth on each of these options soon.

[Insert Product Here] will solve all our problems
Not to mislead you with the products I mentioned in the last category, most methods used to mitigate risk should start as a policy, not necessarily a product. Certainly, protection may be provided by a new security product, but only if it is implemented in a way that is consistent with the overall security posture of an organization. If you expect to just drop a security appliance onto your network and be instantly more secure, you will probably be disappointed.

The OSI model only has 7 layers
People who deal with security often focus on securing only the first 7 layers of the OSI model. They tend to forget about the 8th layer - people. If you aren't educating your users, and taking their actions into account when designing your security solutions, you are destined for failure. Also, expecting your systems to "catch" all user-created problems is underestimating your users. They are notorious for (intentionally or unintentionally) finding ways around your carefully crafted controls. Whether their intent is malicious, such as finding a way to steal sensitive data, or they are merely trying to open that funny email attachment that a "friend" sent them, the actions of users cannot always be anticipated. While you can design controls to catch the malicious users, you should also focus on educating the more "innocent" offenders.

That should do it for now. There are many more examples of Security Theater, so this may become a regular series of articles.



Post a Comment

Links to this post:

Create a Link

<< Home