Security: The Window of Exposure

Bruce Schneier has written an interesting analysis of dealing with security on the Internet as a business issue -and what that means in how we deal with it, in a company setting. It's a well written piece, and quite useful for those of us out there in the corporate world.

Change Over Time

[Lagos]

It's interesting to read some of the things Schneier wrote some years ago and what he's writing now. In Applied Cryptography, he seemed to argue that widespread and careful adoption of good crypto would lead to better security.

Now the point seems to be that system security is simply too complicated--too many issues, too many variables. And that system is secure.

Despite this sentiment, however, OpenBSD seems to be doing quite well....

And just a reminder--Less than a week before the RSA patent expires.

--

Lagos

Awareness vs. Protection

[Idaho]

Okay, so you can't be 100% safe. I guess most of us already knew that.

So, it becomes more important to know when you have been cracked (you will anyway, eventually) than to prevent it.

It looks like the future for products like Tripwire (detects system file changes and the like), Portsentry (portscan detection)and other 'security break awareness' products is bright.

Then, if you really want to be aware, directly send the important syslog-messages (like, people becoming root, portscanning detected etc.) to an old unused matrix-printer. Works great, since it is possible to erase your log-files (once you're root), but it's *real* hard to mess up logs that are on paper (without physical access to the site, that is)!

Process vs. Product

[alange1]

Schneier's conclusion is absolutely correct. The only safe system is powered down and disconneced, but then it is useless. Security is the process of managing the tradeoffs between risk and use.

Business Security

[Malevolent]

Personally, I believe that any business which doesn't implement security deserves everything it gets.

I worked for a company for almost a year which was in the business of website hosting/design. As I was fairly close to the servers, I knew that we were getting regularly port-scanned, our NetBios was wide open and had had a number of attempts to break in [obviously script-kiddies, since it wouldn't have been particularly hard, yet to my knowledge they never got anywhere!]

The boss was fully aware of these problems - and yet consistently refused to accept that at a very minimum we needed a firewall - even when we finally got it into his head that this was a necessity he allowed so little time for our linux guru to work on it that it was still not operational when I finally resigned.

This is the sort of attitude that seems to be prevalent in industry - the people in charge just do not seem to understand that basic security is a must. Had anyone penetrated the system, they could easily have put this company out of business - and I'm sure this is also the case for many others!

Unless businesses wake up, they will find themselves digging their own graves - and all for want of devoting a little time to something which, with all the media hype, is staring them in the face.

which came first?

[drfireman]

Bruce Schneier seems like a pretty conscientious guy in print. But this article just reads like a detailed ad four counterpane's services.

In connection with his new book (which I haven't read yet, because I'm still trying to find a good consultant to find me a morally upstanding bookseller), I wonder how much of his attitude is a necessary contingency of running a security business, or if that's why he started counterpane in the first place. I don't find fault with his presentation of facts, more with the sense of hopelessness he has conveyed in recent writing (I'm going mostly by articles, excerpts, and his crypto-gram newsletter).

Re:Change Over Time

[Anonymous Coward]

Somehow I doubt you've read Applied Crypto. You're just spewing back stuff you've heard from Schneiner lately.

Plus, the RSA algorithm has been public domain since September 6. How did you miss that story being the crypto expert you are?

While I agree OpenBSD is "doing well" in terms of security, there is a LOT more to security than running a "secure" operating system. He's not the typical Linux user who's only worries are stopping a couple losers from breaking into his krad linux box. He works for LARGE corporations who's security needs far outweigh anything the average person here could comprehend. Even you.

Punk

Re:which came first?

[PD]

His article might have that air of hopelessness. In fact, I think a recent book of his was held up because he was overcome with the feeling that his advice was just a lot of pissing in the wind. But I think that's the current situation. HaX0rz are out there and eventually they will get in one way or another. It's sound advice to recommend that clients not only lock the doors, but insure the contents as well. Maybe make a backup or two and put them in a safe place. Is that hopeless?

Fluff and puff

[itsbruce]

This article is pure fluff. There's no detail of how his new Managed security Monitoring works, how it "closes the window" when all others simply "narrow" it, he's just trying to sell his product. I thought most competent sysadmins monitored their security? His house insurance metaphor is invalid. It's one thing to insure against the risk of burglary, knowing that you can use the insurance money to buy equivalent items. But data is different - there is no equivalent to your own data. A cracker can steal your data and do you damage without your knowledge - since the data is still there. A cracker can distort your data so that your future work will be based on incorrect information. A cracker can use your network as a base for other attacks. For the two situations to be analogous, burglars would have to be in the habit of breaking in and reprogramming your microwave to poison you, or invisibly setting up a base in your attic to launch burglaries on your neighbours. The integrity of data is so much more fragile than that of real-world goods that you simply can't treat it in the same (relatively casual) manner as you can house insurance. Whatever the answer is, this salesman doesn't have it and his sales puff shouldn't have received this free publicity.

Interesting MARKETING Document

[cryptwhomp]

Hmmm, and where can I get this wonderful managed security? Why look, Bruce himself sells it! What a happy surprise ...

Re:Change Over Time

[Zara2]

RSA already released thier crypto. It don't matter when the patent expires anymore.

Mea Culpa of a Kikes?

[Kuja]

i like Cryptogram pretty much, but this last Schneier piece seems like a 'mea culpa' about the failure of his 'math utopia'. i'm still in the full disclosure side. full disclosure (plus the security 'process', apud Schneier) is the less wrost solution. like democracy, you know?

Re:which came first?

[drfireman]

"HaX0rz are out there and eventually they will get in one way or another...Is that hopeless?"

Well, if you don't mind a little freeform juxtaposition, then yes! The real question is whether or not it's excessively hopeless, and I think the answer is yes there too. Security isn't easy, but it's possible to restrict risk to acceptable levels. I agree that backups and insurance are also important. But anyone who doesn't have these already knows they're incompetent.

And the insurance really shouldn't be so expensive for anyone who is conscientious about risk. To put this a little differently, I wonder how an insurance policy would sell if it had two tiers of coverage, the lower of which kicked in if it were found that at the time of the incident a relevant patch more than five days old was available. Well-run organizations would be happy to buy it, poorly run ones would have to stick with the expensive stuff.

Seen this sort of thing before

[phil reed]

This is a pretty typical corporate "white paper", which is part analysis and part advertisement. When he writes about the "window of vunerability" he's dead on, but when he starts going on about his corporation's product, it starts to sound a bit hyper.

And, I'm not sure that quoting Lloyd's of London is necessarily the best thing. Lloyd's has had some significant hits from bad insurance policies recently.


...phil

This isn't anything new

[Wonko the Sane 42]

It's not like people don't *know* that there isn't any such thing as an inhackable system, because there isn't. It's like trying to make something idiot-proof. The problem is that somebody out there is going to approach it differently than the person that designed it. Essentially, that's what people that design security systems do. They start with something, start trying to think of all of the holes they can. But people aren't omniscient and they'll miss things. That's also why I lot of security organizations and government institutions look to the prisons for "reformed" hackers to look over their code and try to break it. But even there, there's always going to be a way through. They can say that a system is more solid because they alarm the systems, but it didn't say anything about how they do it. I mean, what's it supposed to be doing that any different from any other system when a user enters the system? It seems like this was more of a teaser than a truly informative review.

Re:Business Security

[The Dodger]

when we finally got it into his head that [a firewall] was a necessity he allowed so little time for our linux guru to work on it that it was still not operational when I finally resigned.

This is a very common problem. Many organisations are not as secure as they should be because they are underresourced, technically.

Security is often regarded as being the responsibility of the systems engineers/administrators. However, day-to-day business often places a higher priority on non-security-related engineering and admin jobs than security, and this can mean that security-related work, which does not have an apparent immediate urgency (unlike, say, getting a new mail system implemented or something like that), unless a security breach has recently occurred or is in progress.

As a result, the IT staff find themselves under pressure from the business groups, and security ends up sliding to the bottom of the "to do" list.

In essence, this is a management problem, which can only be solved by putting in place stringent security policies (e.g. "Yes, the new mail system is working, but it has not been passed as secure, so we are NOT putting it live, and I don't care how crucial it is to your quarterly comission that you are able to send attachments larger than 2MB...") and proactively allocating resources to security.

Changing terminology is important

[rjh3]

Changing the terminology used is vitally important, and articles like these help change the terminology. The use of words like "secure system" mislead the public into thinking that such things exist. Changing the terminology to terms like "takes longer to crack" generates the right thought processes. Systems will be broken. It is merely a matter of how long and how hard people try. This leads to the next important part of the thought process. How to detect breakins, how to reduce loss during breakins, etc.

Talking and thinking in these terms has importance far beyond securing your own system. It affects how users think about their participation and actions. It affects how law enforcement thinks about their reactions. It affects how legislators think. Right now they act like there is some sort of magic fairy dust that you sprinkle on your technology and poof --- an impenetrable secure system. The result is devastating losses when (often inadequate) security processes fail.

Crypto-gram

[Leto2]

For those who find articles like this interesting, I suggest they subscribe to Bruce's Crypto-gram [counterpane.com], a montly newsletter that covers topics like this.

Actually, this month's episode, which came in the mail this morning, talks about the same windows of exposure.

I can hartly recommend this newsletter to everyone!

Ivo

Interesting but -far- to theoretical

[Lion-O]

Looking at the problem as one of risk management, detection and response are far more effective security tools than prevention can ever be. And Managed Security Monitoring is the most cost-effective way, as well as the most effective way, to reduce the risk of financial losses due to network attacks.

Sounds nice if you stay within the range of companies this article is focused on. But it sure will not do for every organisation out there. Allthough he stated this himself (For example, it makes no sense to purchase a $10,000 safe to secure $1000 diamond...) I'm surprised to see this in his final conclusion. For a small business the costs to maintain a M.S.M. system is far more expensive and has much more overhead then a solution based on prevention. Lets take this into 'normal proportions' and try some real life examples...

M.S.M. would take a system to track the entire stuff, a network operator (or more offcourse) to monitor the readings and take action once something is happening. Perhaps he can do this besides his normal work but that would reduce the whole effectiveness I guess. Is this effective? Sure, but don't look at the costs of this solution. To put it blunt; if I wanted something like this I'd go broke very soon.

When I compare this to setting up a masquing proxy & firewall with some "low-end" solution like ipchains (prevention), making regular backups (even more prevention) and finally having some very good insurances it becomes quite clear which is the best solution for SOHO's and up. When an attack is made it sure took 'm some time to breach my firewall. If that happens and I loose data I got backups and when they fail (unlikely) I'm still way off from going broke since my immediate costs to reduce the damage are covered as well.

Therefor I think that globally concluding that M.S.M. is the most cost-effective way, by standard, is not true.

Network Security System Administration

[C0VERTl]

My take on this article. Yes, security is a process, not a product. This process is handled by a system adminstrator that knows what they are doing. there are solutions, I believe in Virtual Private Networks, Encryption (what good is stolen company data if it takes 60 days to crack it?), self-destructive files, it is all a matter of proper adminstration. Most businesses will buy the insurance, and forget the security process - "thats what we got insurance for!" will be the new buzzword. both businesses and users should be responsible for their security. C0VERTl www.covertlinks.cjb.net

Re:Changing terminology is important

[Lion-O]

The use of words like "secure system" mislead the public into thinking that such things exist

If people are fooled by names like that then they have no business within the security sector and should not bother with it IMVHO. After all; rule one is knowing what you are talking about, and this isn't just the case for security issues.

Secure Systems are possible

[kmem]

I believe that secure systems *ARE* possible. And when I say secure systems I mean ABSOLUTELY secure systems. A computer is a finite machine. There are only so many possible states my PC can ever be in. There are even less possibilities for my palmpilot. Granted it boggles the mind to contemplate EVERY possible state of a modern PC -- but the set *IS* finite. I repeat: IS FINITE.

Whether or not it is financially possible to create a 100% secure machine should not be cause to abandon the idea and leap towards compromise. A beautiful example, is of course, OpenBSD -- the pursuit of an absolutely secure system *DOES* result in a more secure system. I'd take OpenBSD out of the box over any commercial UNIX with all the vendors' "window-limiting" products any day!

If your goal is a secure system -- then it is possible (even if unlikely) to create a secure system! If you goal is something else (profit, chrome, popularity, enlightenment, whatever..) then it probably isn't. SO, if YOU are trying to create a secure system don't let someone with another goal get in your way! (accounting firms, authors, vendors, users, managers, whom/whatever)

There is nothing abstract about system security -- and intentionally abstracting it to liability management or limiting window time is a lie -- even though it may be a white one.

This is analysis?

[Kaa]

Come on! Bruce Schneider is a Good Guy, but this is not analysis -- this is a marketing blurb.

The idea of moving from blocking threats to risk management is an old one and quite recently there was an article on Slashdot about Bruce coming to this conclusion. Not to mention that he published a whole book where he talks in detail about it.

I like Counterpane, but is it really necessary to put every press release of theirs on Slashdot?

Kaa

Re:Business Security

[guran]

You know what, in a sense your boss was right.
Nobody succeded in their attempts to break in, so any money spent on more security would have been wasted.

Rather than being stupid one could argue that your boss took a gamble (the current state of security will suffice) and won.

(OTOH buying a firewall without spending enough time to get it to work properly... THAT is stupid. He just wasted the money spent on equipment without getting any better security in return)

The article was right. The goal of most businesses is not to have maximum security, but to spend *just enough* time and money on it.

Re:Crypto-gram

[Tower]

>I can hartly recommend

hardly or heartily? I'm guessing the second.
</nit>

--

Re:Change Over Time

[rnturn]

I understood that the patent actually does expire in around a week so the poster you responded to was correct. The RSA algorithm was indeed released and made public domain early. Perhaps because the patent holders thought there was some PR value in doing so. Who knows...

Cheers...
--

Re:Secure Systems are possible

[Goonie]

If your goal is a secure system -- then it is possible (even if unlikely) to create a secure system!

Define secure. Secure against guys from a TLA coming round and beating the information out of the sysadmin?

What you can actually do is assess what threats you wish to defend against, what compromises in usability and other functionality you are prepared to accept, and design a system that provides defenses against the expected threats.

Re:Change Over Time

[a_n_d_e_r_s]

Bruce is not saying that good crypt are not a good thing. He is saying that good crypto is just the first step to securing a system.

You must also make sure that whenever a break-in happen that the inpact is as low as possible. By making the exposre as shorts as possible you can minimize the risk of complex systems. A computer system is so complex that it is practically impossible to ensure that it is 100% safe. The goal must be to have strong crypt AND ways to make sure that a single fault do not leave the system wide open. So that the security risc is as low as possible.

Security Management in the real world

[Anonymous Coward]

I worked my way through College as a "Security Consultant." No, this wasn't a computer job, I drove a Locksmith truck.

Security in the real world is seldom measured in absolute terms. Locks, Cryptography, anything a person can put together, by DEFINITION can be taken apart by another person.

We used to say, "Don't put a $100 lock on a $20 door." Most security was not broken by breaking our locks, but by bypassing them. A strong lock on a strong door, next to a window. A back door with flimsy panels. And, when the price was good enough, an axe to completely destroy the door of a liquor warehouse.

Most people had nothing this valuable to steal.

Security only makes things HARDER to circumvent. For "little" secrets, a "little bit" of security is enough. For bigger ones, more security.

Look at history once in a while. Some of the greatest "Security Devices" in the world were the great pyramids in Egypt... hacked.

Security through obscurity? The only tombs from ancient Egypt that were never ransacked were the ones that were never found. Obscurity can be your friend.

Remember that the strongest ciphers and the best locks in the workd buy ONLY one thing. Time and difficulty from the people that you are protecting against. Its reasonable to use weak cryptography for things that are weak secrets. My credit card information is simply not worth several mips years of cracking. It would be good for ONE moderate purchase, then cancelled.

Strong locks, strong crypto, are both expensive. It is important to fit the worth of the secret to the strength of the lock, then manage when (not if) some breach occurs.

wobbly@angel[nospam]fire.com

go bruce go

[The_Messenger]

Bruce has gotten an amazing amount of exposure lately. Has anyone else noticed that? I can think of half a dozen news stories (on Slashdot and elsewhere) that have born his name as a source, just in the last two weeks. He was even on NPR, being interviewed for one of the countless Napster/MP3 stories, talking about the Street Performer Protocol. I'm a fan of Bruce's well-known crypto book [wiley.com], but I've never heard his name in the mainstream press before August, so it's sort of weird.

---------///----------
All generalizations are false.

Re:Secure Systems are possible

[kmem]

> [snipped]
> ...and design a system that provides defenses against the expected threats.

Expand your expectations. Get *LOTS* of people together listen as they expand their expectations.

Bruce didn't address responsibility

[Jeffrey Baker]

This article was a nice way for Bruce to pimp Counterpane's network monitoring service. He uses his stellar reputation to advise people that they need his services. Brilliant. He's spot on the money of course, but he didn't address an internet company's responsibility to its customers. I believe that if a company with operations on the internet discovers that their system has vulnerabilities, and these vulnerabilities are likely to be exploited, and the exploit would likely cause harm to their customers, then the business must shut down the operation to remove the vulnerability.

Unfortunately, I've never heard of a business actually using this policy. All of them, including banks, brokerages, and the rest, are so greedy that they continue operations even with major vulnerabilites. Worse, they do not tell their customers that the vulnerabilities exist. In fact, they typically have shiny marketingware which extolls the security of their systems. Hackers and crackers are the only people aware of the vulnerabilities in the meantime.

In a system that I am building at work, I am including a "scram" function which provides central control for shutting down all network operations. Hopefully the scram combined with they type of intrusion detection system that Bruce outlines, will help me uphold my responsibility to my cusotmers.

Re:which came first?

[snookerdoodle]

What is more, Counterpane does not really offer a turnkey product - they have a list of supported firewalls and intrusion detection products, and if you don't fit their mold your s.o.l. to use their services.

Perhaps the direction their headed will be to offer a one-stop-shop: "send my $$$ per month, we'll provide and manage and monitor your network."

I basically agree with his latest conclusions and you have to admire his mea culpa regarding "Applied Cryptography"...

Commercial firewall vendors.

[shippo]

At a previous place on employment a division was formed to deal with various internet aspects. They sold firewalls, and picked companies with no technical staff, so that they could support them remotely.

To save a long anecdotal rant, the team, particularly the head of the team, were completly incompetant. Things didn't work, projects ran over budget, and serious holes (open relays) were left in place. Some projects would take weeks to complete, and he would not let them know their own firewall passwords.

The silliest aspect was that he believed that by adding a second NIC to a server, 2 processes could then listen on the same port on that machine, one on each NIC.

He also installed our firewall (previously we relied on a router with really severe port filtering rules in place). FTP from a browser was broken for 6 months, despite promises to fix it, until someone on my team got hold of the firewall password and fixed it himself.

They moved to exploiting another market, leaving a handful of broken installations with no effective support. They now sell web servers, and believe that the best web server product is Lotus Notes! Says it all, really! And they IPOd earlier this year. Not on f*ckedcompany.com yet.

The moral - even so-called security experts can be utterly hopeless.

Arguments for REACTIVE management

[redelm]

This article was very interesting since it is one of the very few that argue for reactive management. All the biz buzzwords these days are for proactive management, ie, prevention.

One this I didn't see in the article is a rational discussion of costs. There are the obvious costs of security (administration) and insecurity (theft and fraud). But there are also much less obvious costs from lost business. These can be several times greater.

Lost business costs can come from both excessive (preventative) security, and from insufficient security. Excessive security is a hassle, and deters customers. Perceived low security might also deter customers if they fear they will lose something valuable (credit card numbers? data).

I think in any business security discussion, ALL these costs must be considered, not just the easy, hard $.

Re:Awareness vs. Protection

[Cirvam]

But if its just to a printer then the cracker could just tye /dev/random to the printer and spew out tons of crap or they could possibly send command to the printer that would make it jam and just print over the same stuff.

Re:Interesting MARKETING Document

[munch117]

Hmmm, and where can I get this wonderful managed security? Why look, Bruce himself sells it! What a happy surprise ...

Of course. He

1. Analyzed the problem and realized that managed security was the way to go.
2. Created a product that does just this.
3. Wrote an article based on his analysis.

Ok, so he could have chosen to do step 2 and 3 in reverse order. (Actually, maybe he did and we just didn't notice?) But that doesn't invalidate the analysis. Nor the product.

/A

Wait a sec...

[PHAEDRU5]

Isn't this the guy who had no hope to offer us? [slashdot.org]

Got it right here (Re:Secure Systems are possible)

[GrimJim]

Just unplug the box from everything, including the power. Short of physical intrusion, the box is now secure. Anyone who'd done any software validation knows that validating a program is bug-free is hard and not guaranteed. Security is akin to a bug. Geez.

Re:which came first?

[Animats]

But this article just reads like a detailed ad four counterpane's services.

It sure does. The article says that "outsourced Managed Security Monitoring" is the answer. Now click Our Solution [counterpane.com] at the bottom of the page to read about Counterpane's "outsourced Managed Security Monitoring".

This sort of thing protects against script kiddies, not serious attackers who are trying to steal something of value.

Too Expensive!

[rmckeethen]

I talked with Counterpane about 6 months ago about monitoring service for the company I worked for then. While I will admit that I wasn't very interested at first (we talked with them because the brother of one of our sales reps worked for Counterpane) I was intrigued with the idea of out-sourcing some of the security burden. As anyone who has had the pleasure (pain?) of managing an Internet start up company's network will tell you there is never enough time to do most things 'right', least of all securing the network against intrusion and attack. So the idea of external monitoring was interesting, at least until we actually sat down with the sales reps from Counterpane and asked about pricing...

As I recall, and please remember that it has been awhile so my numbers may no longer apply, Counterpane's minimum service offering was $25,000 monthly for one detector box and 24/7 monitoring. I wanted to laugh when I heard that figure. And they were never able to satisfy my requirements for dealing with DoS attacks (the monitoring boxes did not have any type of fail-over access though they did promise "It's comming in just a few months...").

Until the prices come down I can't see their service being useful for any but the largest and most heavily trafficed Internet e-commerce sites. And even then only as a backup to in-house monitoring efforts.

Re:Business Security

[nanun]

I agree, fully. I recently left an insurance company that believed installing a firewall without designating a qualified, diligent administrator solved all its network security problems. Oh, BTW, their Shiva LANRover drills a hole right through the FW-1 box. At least one sysadmin there reads /., so I hope you guys can get JW to take his head out of the sand.

I now work for a bank where my responsibilities include network security review and evaluating intrusion detection products. (Currently playing with Axent's NetProwler.)

Schneier is right about the importance of efforts before and after the fact. Intrusion detection and response are as important as any preventive efforts.

-----

Re:Change Over Time

[burrows]

Go to Amazon.com. Search for Bruce's new book, entitled "Secrets and Lies: Digital Security in a Networked World" ISBN 0471253111. Click on "See all editorial reviews..." Scroll down to find the posting by Bruce Schneier himself. Here he explains the change in his security approach. Then scroll back up to the top, click "Add to shopping cart", fill out an order, and wait for it to arrive. Actually read it. He explains even better in the actual book. You will be able to read it fairly easily, as it's not so complex as the first 10 pages of Applied Cryptography that you managed to fight through before deciding that it was just too hard, like reading bugtraq, and giving up on it.

Re:Change Over Time

[jon_c]

Despite this sentiment, however, OpenBSD seems to be doing quite well....


i I think OpenBSD doesn't cracked much because no-one actually runs it. it's "that really secure OS", but we need mainstream software to run on our OS, so we're going to use FreeBSD or Linux.

MacOS is also revered to be to secure the DOD, It's security through obscurity.

-Jon

Re:Business Security

[mjh]

In essence, this is a management problem, which can only be solved by putting in place stringent security policies (e.g. "Yes, the new mail system is working, but it has not been passed as secure, so we are NOT putting it live, and I don't care how crucial it is to your quarterly comission that you are able to send attachments larger than 2MB...") and proactively allocating resources to security

Wow, I think you really missed one of the points of that article. The generation of commisions is also a generation of sales for the company. To say that security out ranks sales for the company is short sighted. Now, to be sure, sales shouldn't blindly outrank security either. But one of the critical points in the paper is that when thinking about security for businesses, you're providing a benefit to your company if you only look at removing risks. You need to look at risk management. Which means all 3 of the following:

1. accepting risk - risks are acceptable when the cost to transfer or avoid is higher than the cost of incurring the risk (e.g. I will drive on the highway, despite the risk of accidents. This is necessary because I have to work to feed my family.)
2. reducing risk - risks are reduced/avoided when the cost to reduce them low in comparison to the cost of incurring the risk (e.g. I will drive at reasonable speeds and drive with a constant vigilance towards other unsafe driving practices. I will wear my seatbelt. I will invest a little bit more in a safer vehicle).
3. transfering risk - risks are transferred when you pay someone else to take them if they occur (e.g. I will buy car/health/life insurance).

Simply banning the installation of a mail server because it hasn't been passed "as secure", might just be the best solution. But it may be the worst solution. If not having that mail server available costs the company their business, then not installing it is actually a bigger security threat than installing it insecurely. In short, there's got to be more to it than the overly simplistic example that you gave.

And that's one of the points of the article. That security isn't a thing. It's an activity. You have two choices:

1. Delude yourself into not thinking there's any risk.
2. Realize that risk is a constantly changing and morphing thing, and appropriate response must also be constant and morphing.

Failure to do the latter on a constant basis is the same as doing the former. But the only reasonable way to do the latter is to accept some risks, avoid some risks, and transfer some risks.