Soylent Security

DevCentral > Weblogs > Lori MacVittie - Two Different Socks

Soylent Security

posted on Friday, May 04, 2007 10:23 AM

It's People!

Schneier says IT security exists because products and services aren't naturally secure.

Lindstrom says hogwash.

I'm feeling a bit reckless this morning, so I'll stand up and say the reason IT security exists is because of people. It exists because there are people in this world who flagrantly disobey both law and common decency in an effort to sabotage, steal, and otherwise manipulate both people and systems. They're just bad.

Bruce says in his blog:

The primary reason the IT security industry exists is because IT products and services aren't naturally secure. If computers were already secure against viruses, there wouldn't be any need for antivirus products. If bad network traffic couldn't be used to attack computers, no one would bother buying a firewall. If there were no more buffer overflows, no one would have to buy products to protect against their effects. If the IT products we purchased were secure out of the box, we wouldn't have to spend billions every year making them secure. [emphasis added]

If people followed the laws and rules, there'd be no need for firewalls or application firewalls or any other of the myriad technologies we purchase and deploy to secure our systems. "Bad network traffic" isn't a naturally occuring phenomenon, it's generated by people with bad intentions. Viruses don't just "appear" in the ether, they're created and propagated by people.

Blaming the victim is not an excuse for bad choices on the part of people.

Officer: Why'd you attack XYZ's Web server?

Attacker: It was asking for it

Officer: How is that?

Attacker: Open ports on the firewall, loose APIs. Advertised itself in search engines. How could I resist?

Law enforcement doesn't exist because our homes or persons are naturally insecure, it exists because there are people out there who will ignore the law to achieve whatever goals they may have. It exists for the same reason IT security exists, because an intelligent attacker will eventually find a way around whatever security you employ if they try long and hard enough. In the middle ages men built motte and bailey castles out of wood to stop people from attacking their persons and important possessions. People torched the walls and walked on through, so men built thicker walls from more resistant materials like stone and higher towers from which to defend their holdings. So people built siege engines to knock down the walls and learned to mine to collapse the defensive mechanisms and open an avenue for attack.

Build a better defense, and someone will build a way to get around (or destroy) that defense mechanism. There is no such thing as 100% secure any more than there is 100% certainty or 100% uptime. It's just not possible. That's why we use the term "5 9's", because we can't get to 100% anything.

It's people, not a lack of inherent or natural security, that is the basis for the existence of the IT security industry. And as people aren't going away any time soon, I'm guessing IT security isn't going anywhere either.

Should we do a better job of securing systems in the first place? Yes, of course we should. Should we continue to improve the security of products? Yes, of course we should. We should because we must, because of people. We should certainly try obtain 5 9's of security just as we attempt to provide 5 9's of availability and uptime.

But we should also stop "blaming the victim" and look at the real reason that security breaches occur: people, and we should take that into consideration before we blame the victim for being attacked in the first place. Like self-defense classes and personal body armor we can - and should - employ IT security systems as the first, second, and even third line of defense against attackers, but we also have to be realistic and understand that empirical, historical data says that as long as people are involved we will never find a way to be 100% secure, we can only reach 99.999%. And it isn't the fault of those who wrote the systems or built the defenses that are at fault when an attacker exploits that 0.001%, it's the fault of the attacker for trying in the first place.

Imbibing: Coffee

Technorati tags: F5, security, Schneier, Lindstrom, MacVittie

Categories: Security

del.icio.us

Feedback

5/5/2007 7:54 AM
		I do agree with what you're saying, but you can blame the "victim" if they don't at least acknowledge the fact that some people are bad and want to do them harm. If you're an IT admin and you aren't at least doing due diligence with systems that you're company has spent big money on, that they've entrusted you to keep up and running, then you should be held responsible if the bad people shut you down. If I walk outside without a jacket in a storm, I can't blame the rain for getting me wet. As you mentioned, as long as their's been security measures, there have been people who would find ways around it. Risk management is a fact of life. If you're not doing it and something happens that could have been prevented, don't be upset when the "suits" want to know why. Kevin Stewart
Kevin Stewart

5/6/2007 4:18 PM
		Very nice. Always great content here and this is no exception. Now we need to find a way to convince developers and inventors that they need to take that extra step and consider how their products or ideas are going to affect other technology and people. Unfortunately this might affect the bottom line because of the "rush to market" mentality. Oh well. Some will listen, some will not. I guess we can only hope that it is the previous that survives. Go forth and do good things, Cutaway
cutaway

Leave Feedback

Title
Name
Email
Url
Comments
Remember Me? Enter the code shown above:
Please add 1 and 4 and type the answer here:

My Links

DevCentral Home
DevCentral Blogs
DevCentral Forums
My Blog
Contact Me
Syndication
Login

Blog Stats

Posts		336		Comments		374
Stories		0		Trackbacks		37

	Tag Cloud
	acceleration AJAX application acceleration application delivery application delivery controller application delivery network application security applications architecture availability BIG-IP blog caching cloud computing cloud computing infrastructure developers development F5 Firefox Gartner Google HTTP infrastructure integration internet iRules Javascript load balancing load-balancing MacVittie Microsoft network networking optimization performance proxy scalability security server services SOA SSL TCP twitter virtualization VMWare web web 2.0 web application firewall XML more tags...

Post Categories

		General SOA
		SOA Delivery
		Randomness
		Web 2.0 Security
		Security
		iRules
		iControl
		Development and General
		Monitoring/Management
		XML
		ISV Solutions
		Microsoft Solutions
		Performance
		Cloud Computing

Archives

		December, 2008 (2)
		November, 2008 (18)
		October, 2008 (27)
		September, 2008 (32)
		August, 2008 (31)
		July, 2008 (30)
		June, 2008 (33)
		May, 2008 (30)
		April, 2008 (24)
		March, 2008 (5)
		February, 2008 (4)
		January, 2008 (8)
		December, 2007 (5)
		November, 2007 (6)
		October, 2007 (3)
		September, 2007 (5)
		August, 2007 (7)
		July, 2007 (7)
		June, 2007 (5)
		May, 2007 (11)
		April, 2007 (9)
		March, 2007 (7)
		February, 2007 (10)
		January, 2007 (5)
		December, 2006 (4)
		November, 2006 (8)

Application Delivery

		onizo#
		The Virtual ADC

Random

SOA

		Loosely Coupled
		Miko Matsumura's SOA Center
		SOA Enterprise Patterns

Copyright 1996 - 2008 F5 Networks, Inc. | Privacy Statement | Terms Of Use