Rethinking Security: Securing Activities Instead of Computers 55
An anonymous reader writes: Security is not a property of a technical system," says independent security consultant Eleanor Saitta. "Security is the set of activities that reduce the likelihood of a set of adversaries successfully frustrating the goals of a set of users." But software development teams that understand what users want and what adversaries they face are very rare. And security engineers forgot — or misunderstood — what their job is: not securing computers, but securing activities that lead to the realization of greater goals.
Security is a property of a technical system... (Score:1)
Security is a property of a technical system, and may be increased with a set of activities.
So in otherwords (Score:1)
What's next, promote synergy?
After skimming, reading and confusion. (Score:3, Interesting)
After reading the 'article', I am not sure what is being said or the point is for that matter. I don't understand WTF is being said.
"A threat model is a formal, complete, human-readable model of the human activities and priorities and of the security-relevant features of in-scope portions of a system," Saitta defines. "An engineering tool that will help use define what we are trying to get the system to do."
Huh? That sounds like a REAL fancy way to say social engineering.
In my years in this shitty fucking business, there are a lot of BS artists who get away with bullshit because the IT/engineering industry is almost exclusively filled with people who are afraid of appearing 'stupid' to say he looks naked and charlatans get away with selling shit. The Emperor may have no clothes, but everyone is too afraid to appear stupid or have some arrogant asshole say, "You don't belong here!" because HE thinks there are clothes.
Is this article different? I don't know.
independent security consultant Eleanor Saitta
Ah 'consultant'.
Re: (Score:2)
In my years in this shitty fucking business, there are a lot of BS artists who get away with bullshit because the IT/engineering industry is almost exclusively filled with people who are afraid of appearing 'stupid' to say he looks naked and charlatans get away with selling shit.
Lol @ that. I'm not one to say it's a shitty business because I actually enjoy what I do. Putting aside the skillset and experience required to build secure applications and systems there is still lots of extra time required to do so which translates into $$$$ or late delivery. The biggest problem with security is ignorance. People at the top of the food chain within or outside tech departments tend to see it as an unneeded expenditure until they get hit (E.g. Sony).
It is our responsibility (the techs and t
Re: (Score:3)
The funny thing is that back in the 80s, every company that used computers thought of this. Back then, diskettes and other media was notoriously unreliable, so even the accounting firm had a grandfather/father/son backup rotation system in place, with tapes/disks going somewhere offsite.
Sensitive data had some form of PW protection. Because someone had to have physical access, usually basic physical access controls worked. Then the fact that very often, the "computer" in use was a terminal, which likely
Re: (Score:2)
I have different concerns with that article.
No. "Security" does not exist. You can be MORE secure than X or you can be LESS secure than X but you cannot achieve "security".
For me, being MORE secure means that fewer people can successfully attack you
Re: (Score:2)
The security industry is full of "thought leaders" who spout off opinions and forecasts.
There are no real credentials necessary to earn respect, because the infosec industry has historically mistrusted formal education.
So, we get people with little or no computer science education who just make stuff up. The people who know less talk louder and tweet a lot. The infosec press loves it. It's all really just marketing for infosec vendors.
Re: (Score:2)
Eh, in every forum I frequent where there are "big names", those big names got to be where they were precisely because they were social climbers. Or, if you like, attention whores. That's why the people with little competence get so much attention: because they have the time and energy to get people to pay attention to them.
And in principle, there's nothing wrong with that. You want to be praised for the good work that you do, you should spend a little time on your hustle game making sure people know wh
Venn Diagram (Score:1)
There's a Venn diagram in the article. I think we better listen to the author.
Adversaries Vary (Score:1)
Nobody can predict what kind of extra, para and non legal adversaries a set of business processes face during their lifetime. Mapping the risk and reacting to legal adversaries is also called "keeping up with the society" and "reading government bulletin boards, newspapers and publications." In other words, a cubic fuckton of sets of activities inside sets of activities strictly inside unbounded fuzzy sets of adversaries.
Double Speak 101 (Score:1)
Take a word and mince up the definition, and call it something else. Security is not a thing that people can do, it's things people do to stop other people from accessing things... Sadly people pay to drink this kind of KoolAid.
Re: (Score:2)
Pretty much. I suppose that's what keeps people in repetitive jobs though.
Re: (Score:1)
I have to agree, and if they weren't expecting Cherry and tested against Tropical Punch (ok, too much Kool-Aid metaphor )
Unfortunately we get legal departments involved and everybody becomes "risk averse" so nobody will take ownership of the truth. (flashback to Cruise / Nicholson, and another Kool-Aid tie in) Truth, you can't handle the Truth!
Here is my shot at Truth: Strong biometric authentication is the only solid machine / human authentication available today.
Re: (Score:2)
Strong Biometrics are too expensive to be feasible for the majority of businesses, and depending on what you are accessing a huge privacy concern. I have forged Biometric data, and know plenty of other people who have done the same. If I can spoof systems access at a facility, I can commit a crime and leave your fingerprints at the scene.
Read TFA and she is correct with much of what she says. I only take issue with the double speak. Security is a point where a whole lot of things have to meet.
Re: (Score:2)
Security is a point where a whole lot of things have to meet.
Indeed. Security is not passive. It's active. And it should be drilled into everyone's head that it's -everyone's- responsibility.
Re: (Score:2)
In order for security to mean anything, it needs to be personal. Everyone needs to understand not only how to protect themselves, but why they want to. This app
Re: (Score:2)
As a security professional, I disagree with your last paragraph. The people I know are not against marketing our services and solutions, nor are they against telling people why they should be aware of security. What most of us are against are the few people that attempt to gimmick our industry and trick people into thinking "they" have some new and novel solution.
Get-rich-quick scams are bad for security. Telling people you invented something new, which in reality is old hat, by twisting words is bad for
Re: (Score:1)
I am in 100% agreement.
I was just stirring the pot, because I see the human element as the point of failure in most scenarios. (had to laugh about Cardinals v. Astros in the news yesterday) If the human involved had changed his (default/typical) password after moving to a competing company, the unauthorized access wouldn't have been practical. --it's likely the same password on social media, email, banking, etc..
Most (I'm talking non-programmers) people don't realize that an unscrupulous web site or se
No shit (Score:2)
Step 1: Increase the security of the software development activity, by allowing programmers to do their job without being overworked and overstressed and rushed to ship their code now now now don't worry we'll patch it later.
Pointless Enterprise Speak. (Score:4, Insightful)
Look, I know the guys in suits buy into this crap, but there's really no reason to spread it on our walls.
If you're going to provide a solution to a problem do it, describe it in clear concise english. This person hasn't actually said anything at all. They simply used a larger than necessary amount of words to do it.
Re: (Score:2)
It's even worse: he uses "reduce" instead of "minimize". Reduces compared to what?
Re: (Score:2)
So you talk about 'enterprises' instead of businesses because enterprises includes charitable organizations.
The problem comes when the expert tries to talk to (note I said talk not communicate even though we are really using an electronic form of communication, not talking) to normal people (an expert might have said non-technically
Re: (Score:2)
Fair point. I think I've just got newspeak burnout at the moment.
Re: (Score:2)
The better you are at any field, the more likely you are to use precise words.
The reverse, however, is not true. In fact, overuse of precise terminology is, ironically, likely a sign of ignorance.
The article is an example of one of those two cases.
What people want (Score:4, Insightful)
People want an attempted computer intrusion to look like The Matrix combined with William Gibson novels combined with red alert klaxons and people in military uniforms running around in a war room. They want it to be free, fool proof, and not require them to know or remember anything.
Good luck!
Re: (Score:2)
You can do all that, but if there are no consequences for breaching security policy (the "wrong" activities) then your average mundane has no incentive to do their part to improve security.
If one in every twenty employees that was caught breaking security policy were given an all-expense-paid trip to the curb with all their shit in a box, the rest would start taking it seriously and not ju
room full of rocking chairs (Score:1)
"I asked everyone to look at their systems from the perspective that they would need to detect, track, and limit a privileged access breach"
I didn't see how what I had said was unreasonable, but it was like I turned a long tailed cat loose in a rocking chair convention. What is wrong with assuming the worst and seeing what you can do about it? If you can't admit that your administration level accounts can be hacked, I don't believe you understand what you are up against.
As an independent security consultant myself... (Score:4, Insightful)
You are full of ...... It...
(/sarcasim)
Look, ANYBODY can claim to be an " independent security consultant" and it's stuff like this that sounds complex enough to be true. You can baffle people with BS if you know the buzz words, and even get consultant gigs from time to time, just hang out a shingle, buy a website and go to a couple of symposiums.
Security is about common sense and risk management. You need to understand the risks (which means you need to know what they are) and that takes some domain knowledge, plus you need to know what the possible techniques are to manage the risks, but once you know what the risks are and what tools you have to manage these risks, doing the actual *work* is decidedly easy and not that hard.
The moral of the story here is that if it sounds complicated coming from your "expert" then you need to fire them. If you cannot understand what they are suggesting needs to be done, they are just trying to separate you from your money, not provide you with security.
the forgotten part of security (Score:2)
If I'm understanding TFA, it seems like a restatement of one aspect of the three laws of security -- of Confidentiality, Integrity, Availability, the last one. That if "security" results in legitimate users not having sufficient access (availability) to achieve assigned goals, it's not really security. Kind-of the opposite, actually.
Re: (Score:2)
Stuxnet showed that line of thinking can be wrong. Even though the Internet has made it easy for attackers to do a lot of damage for relatively little work (compared to getting boots on the ground), one still needs defense in depth. All it takes is a MicroSD card gotten in or out of a secure facility.
Re: (Score:2)
People did get computer virus infections before the wide use of the internet. It came from people sharing floppies or other portable media. Also, you'd get the odd LAN viruses. The Internet just made it far easier to both spread and make use of the intrusions.
Oddly enough, people used to write virus programs with nothing more than the malicious desire to crash your computer or the completely amoral idea of wanting to see what would happen, because it was difficult to get your computer to phone home befor
Re: (Score:3)
Where I get where you are coming from...
The internet is NOT really the biggest source of risk, users are. The internet is just the vehicle most often used to do direct and indirect attacks, there are a number of other sources of problems for the security expert. Most systems that sit behind any kind of firewall and a NAT address are generally perfectly safe from a direct attack, at least until the user logs in.
Users, once authenticated, are able to download stuff, do stupid things to the system configu
Securing an activity needs a computer secured... (Score:2)
Devil's advocate here:
Securing a task is one thing, but if the endpoint hardware is compromised on any level, nothing you can do higher up on the chain matters. This is the same reason why DRM tends to fail on the PC unless it uses a very elaborate system of obfuscation.
Yes, task security is important, but what the task depends on is also critical.
Take sending secure E-mail for instance. The task requires the computer, the storage medium, RAM, the CPU, and anything on the bus that can read/interfere with
OMG, more buzzwords and silver bullets (Score:1)
FTFA:
As she vividly put it: if you're on a rooftop, trying to get a connection and successfully send out an encrypted message because your life or freedom - or that of others - depends on it, and you know that there are snipers waiting to take a shot at you - there is simply zero room for using a tool as complex as PGP.
"We forgot that our job was really to stop bad things from happening to good people," she pointed out.
- well fuck, a system that sends messages shouldn't require that you know how PGP works, it should just apply it without forcing you to do anything you wouldn't do on a 'non-secure' system. Login, write a message and push the send button. Login could even be an option, your equipment could login by itself.
So, how do we go about doing that? The answer is: in an organized manner - with threat modeling, adversary modeling, and operational planning.
- sure. Or you could sanitise your inputs, follow sound practices, like not pass parameters in the open and if you do, ensure that the information they represent actually can be accessed by whoe
A bit obtuse, but not bad. (Score:3)
The worst security definition that I have seen is the one currently used by the US Security communities. Geer stated it as: "..the absence of unmitigatable surprise." This definition is horrible. It offers you no guidance on prioritization or limits. This definition says you are insecure until you have achieved omniscience and omnipotence.
The best definition of security that I have found is: "Security is a MEANINGFUL assurance that YOUR most important goals are being accomplished." This is easily understood by everybody and it guides you to effective action. Using this definition you are guided to create and maintain the potential for success. The other definitions ultimately force you to focus your efforts on less important objectives.
Security is not about securing computers? (Score:1)
hope springs eternal (Score:3)
When facing a nearly unprovable situation (e.g, the security or insecurity of a system), we often resort to deities and idolatry.
It's much easier to believe in magic pixie dust called security protection that you can apply to some activity which is insecure to make it secure, than to face the reality that the activity itself might be inherently insecure and we must modify our activity to make it secure.
You have a virus, there must exist anti-virus protection, you have malware, there must exist some anti-malware protection, just a little more encryption, and a little more authentication will always help too (just like sunblock and contraceptive devices, you gotta apply that stuff correctly or it doesn't work as advertized). However, as we have seen, the belief in these artifacts are mostly a mirage. It's not to say these things aren't useful to a limited extent, but we want to believe we can use technology to "solve" a problem that is intrinsic. Hope springs eternal.