Wednesday, 30 March 2011

First Day O' Security Follow Up

Security Theater

The most cited criticism of the (first) Day O' Security material seems to have been lack of the expected real world examples of specific vulnerabilities, threats, mitigations and attacks:
  • Better concrete examples – ideally from our own code base if possible!
  • Not enough real world examples.
  • No code related examples (I know it’s more about the broad topics, but some specifics would have been nice).
  • Would have liked concrete, how-to examples on security, i.e. how-to do authentication, how-to techniques on securing the transport, how stuff works in our domain etc.
  • No real life exploiting of security [stories], i.e. Gary McKinnon probably used X method or Google got hacked one time because of X.
  • Would have been good to hear about real world examples of specific attacks.
Fear not gentle readers, we'll soon be getting to all that fascinating stuff. Meanwhile it's clear you deserve an explanation: why did we deviate from that more obviously crowd pleasing agenda?

In his book Beyond Fear: Thinking about Security in an Uncertain World, Bruce Schneier coined the term Security Theater, describing countermeasures intended to provide the feeling of improved security, while doing little or nothing to actually improve it - or even making matters worse. This often takes the form of trying to prevent the most recent successful attack. Political pressures, like media hype and misinformation operating on an invariably poorly informed electorate, cause the adoption of the bad syllogism:
  • Something must be done!
  • This is something!
  • Therefore, this must be done!
The consequences of security theater can range from Internet banking services that time out after seconds of inactivity, preventing you from getting any business done; to huge and vulnerable lines of people waiting in airport security, nicely kettled and immeasurably easier to bomb than previously. Meanwhile the bad guys - with the possible exception of only the very best, most successful suicide bombers - rather than resting on the laurels of their most recent success, are concentrating on their next, least expected attack.

The First Thing About Security

Whether in the arena of terror or the field of data processing, the antidote to the populist security theater mentality is concentration on holistic core principles. Airport security is that service sector's very last line of defence against the dangerous and deranged, but successful detection and capture there signals little more than failure of the intelligence-led policing intended (required) to guard against public atrocities in general. Effort, money and resources are almost invariably better spent when targeted at the latter strategy.

So too with computer security. The great majority of past exploits, however ingenious and heroically evil, are solved and patched; at least in the sense that solutions and patches are available to potential targets. Hearing about these exploits is fun, much like reading a good detective or espionage novel.

Very shortly before our first Day O' Security, the schedule was changed from an all-day session to two half-day presentations of the same material (intended to allow more people access to the limited number of PCs, which in the event went unused). In excising the populist examples of black hat ingenuity in favour of the higher priority core concepts of vocabulary, taxonomy, data flows, trust boundaries, threat modelling and attack surfaces, I veered decidedly and deliberately away from the security theater approach of finding then papering over the cracks in the plaster. By way of compensation, other received comments appear to acknowledge that humorous content did not necessarily suffer as a result.

The Second Thing

I mentioned above that high profile examples still have their place, and their time is coming. Meanwhile if you want a sample of the kind of thing planned for Day 2, take a look at Part 2 of this Google Code University slide deck on Web Security:

(Hat tip: Brum Brum)

An accompaniment to the book Foundations of Security: What Every Programmer Needs To Know, these ppt slides are CC licensed just like the Microsoft SDL materials used in Day 1, so they may be retained for use in Day 2. Or it might be completely different; you'll just have to come along to find out.

No comments:

Post a Comment