Security, Separation and Risk

By Pete Herzog

If you could have anything you want in the whole world, what would you wish for? On the count of three I want you to say it out loud. Ready?

One--

Two--

Three!

You said “Better cybersecurity.” I know you did. Everyone always says that. And let me tell you why the security fairy won’t grant you that wish.

Wait, before I tell you, because this matters, answer this question:

“Does making something harder to get make it more secure?”

Think about Indiana Jones and his temples of traps he needs to dodge through to get the idol. Does that make the idol more secure?

Or the riddle you need to answer correctly to cross the bridge. Does that make access over the bridge more secure?

Or having to select all the squares with street signs in that oh-so-annoying CAPTCHA wannabe just to tell someone on the Internet they’re wrong. Does that make the comment section more secure? Or the Internet a happier place?

Let me be more concrete. If you add more and different types of characters to passwords and increase the length of encryption keys, does THAT increase security?

And if it does, then shouldn’t hiding and obfuscating also make things more secure than not doing anything at all? Some would say no. Many would say that’s obscurity, or something like it, and therefore not really security, not actually protecting stuff, just--

Just what?

Making something harder to get does shrink the pool of potential, successful attackers. Which, as those of you wearing your big auditor’s pants know, reduces risk.

So does making something harder to get make it more secure?

I have to admit that I struggle with that particular question. I also struggle with the point of adult tap-dance auditions so bear with me.

What I really think is that’s how and why people struggle with a definition of security. It comes down to whether you think security is about risk or if it’s fundamentally about separation. You might say both, but then you’re not really answering the original question. And that’s very evasive of you, you little scamp!

Basically, if you’re in the Risk camp then for you security is clearly something that can be defined as a probability. You want to make sure the odds are forever in your favor.

But if you’re in the Separation camp then for you security is something that exists when a threat is physically separated from the asset, as if security is a private school dance chaperone in the 1950s.

So they’re obviously very different things. That’s why the security fairy won’t grant you that wish in your heart of hearts!

If you think that security is about reducing risk then making something harder does mean fewer people can make a successful attack with skill or luck. That means longer passwords from a larger character set will be more secure. It also means bigger encryption keys are more secure. It means CAPTCHA makes things more secure. And a second floor window is more secure than a first floor window. Because harder is harder. It makes good, human sense. But humans aren’t really good at extrapolating things outside themselves or else armchair quarterbacks would realize they’re not really better than the ones on the field.

You see, if you shrink the pool of attackers by making it harder to attack successfully, you are also admitting that it’s not secure against the people who can figure out how to get in. So your security premise is “Let’s just hope we’re not a target for them.”

Which means you will build your security in a way that slows down or trips up anyone who wants to attack you. It will also mean that you’re willing to let one system get infected so you can learn and counter other infections. Because the security of the many outweighs the security of the one. Therefore, security is anything you can do to reduce the number of successful attacks.

The risk way is also good because risk is something you can offset and defer. For example, if security costs more than a fine or loss from a breach then the risk model says pay the lower amount.

And if you find security is too expensive you can defer the risk onto your customers so they are responsible for making good passwords instead of you paying for a good authentication system. See how handy that is?!

But is it security?

You see it’s also why security analysts be like, “There is no perfect security.” Because there is no zero risk system.

But if you think that you need separation to be secure and no successful attack is acceptable then you’re going to have to devise completely different security tactics. You can’t just make things harder; you need to make them impossible. You will need to build your security so that you control for every type of threat and have a contingency for everything. Which means you have to focus on reducing as many dynamic parts as possible, including people, because it’s not always possible to lock down a moving target. Which means you need to be prepared for the threats before you know what they are. Because you allow no sacrificial goat in your organization. No loss is an acceptable loss.

Furthermore, with the separation method you can’t shift the cost or liability of security onto anyone else. Not even onto the security solutions you bought. It’s all on you.

That’s a huge undertaking beyond the reach of some organizations. It requires planning, careful tactics, and experienced security analysts to get you there. It also requires robots.

People are dynamic by nature and no amount of security awareness slide shows will change that. The fact is that there is no process that can’t be made more secure by removing the person from it. And if you’re like me, you find that a little sad and kind of liberating. But mostly it proves that it’s one thing to protect an unmoving bank vault and another to protect that same vault wandering through the streets.

Which is also why security analysts be like, “If a criminal really wants to get in, they will.” Because an attacker can go outside the scope to exploit things that are dynamic, especially the one thing that always changes, time. With enough time, all security is shallow.

So that’s it. If you define security as being about risk then you have to admit that any company can be breached because security is a gamble. Like Vegas, baby, no matter what you do the odds will eventually be against you. And if you define security as being about separation then you have to admit that a company can be breached because a company is made of people and moving parts.

And voila! Problem not even remotely solved! You still don’t know if making something harder to get makes it more secure! But that’s okay, at least you now have something to think about when you stare into the bottomless abyss of signature-based threat detection.

But no matter which camp you’re in, this tidbit from the OSSTMM will always apply:

“Security doesn’t have to last forever; just longer than everything else that might notice it’s gone.”
 

About Pete Herzog

Pete knows how to solve very complex security problems. He's co-founder of the Institute for Security and Open Methodologies (ISECOM). He created the OSSTMM, the international standard on security testing and analysis, Hacker Highschool, cybersecurity for teens, and the Cybersecurity Playbook, practical cyberdefense for everyone else.
