Monday, November 14, 2005

Weak Assumptions + Overconfidence = Poor Security

Here's an article that I found recently that illustrates an interesting point.

Security is a process; not a product. Our security is determined by what we do and how we do it much more so than what we have.

September 11th is another example - and a very painful one at that - the airport screeners were not required to identify and remove small knives. We all know what this resulted in. We failed to manage the threat, and recognize that a hijacker, or hijackers, might seek alternate methods beyond a firearm or bomb.

We must manage our threats and not simply operate equipment if we are seeking real security.

Incidentally, if anyone is offended by the article topic, I apologize, it's merely an example to illustrate a point.


Tuesday, August 30, 2005

Harry Potter and the half-assed security

In the latest Harry Potter book, we see Hogwarts implementing security precautions in order to safeguard its students and faculty.

One step that was taken was that all the students were searched – wanded, in fact – to detect any harmful magic. In addition, all mail coming in or out was checked for harmful magic.

In spite of these precautions, two students are nearly killed by cursed items.

One of the items was a poisoned bottle of mead, which made it onto school grounds and into a professor's office.

It turned out that packages sent from various addresses in the nearby town were not checked. The addresses were trusted, and anything received from them was considered safe. When a key person was compromised (in this case, by a mind-control spell), the trusted address was no longer trustworthy, and a gaping hole in security was created.

Of course, since everyone knew everything was checked on its way into the school, no one felt the need to take any special precautions.

The moral of the story is, inadequate security can be worse than no security at all.





The last statement is important. We failed to build appropriate countermeasures for the threat on 9/11 and the results were disasterous. When we accept that our security today is adequate for the threat tomorrow then we create opportunities for our adversaries. We must continually question our own methods, countermeasure effectiveness, and what our threats actually are, if we wish to create real security.

Enough said for now...


1 comment:

  1. The attacker always has the advantage of being able to study his enemy's defenses and plan a way around them. The War on Terror will not be won by airport screening.

    ReplyDelete