Bruce Schneier has a new essay on his blog, which should give anybody working in security a lot to think about.

In Nonsecurity Considerations in Security Decisions, Bruce talks briefly about what security *is*, then goes on to try to define *how* decisions about security are made. Something that jumped out at me when I read it was:

> At its core are assets, which a security system protects. Security can fail in two ways: either attackers can successfully bypass it, or it can mistakenly block legitimate users [...] both users and attackers learn about the security and its failings. Sometimes they learn how to bypass security, and sometimes they learn not to bother with the asset at all.

Users “learn not to bother with the asset at all”…that’s what happens when you over-secure something. Yes, security is important…but the level of security must *not* be higher than the asset being protected is worth…if you enforce a 30-character random password with a 30 minute session timeout to protect access to the schedule of a low-level manager, his secretary is going to end up keeping it all on pen and paper instead, because that information about that person isn’t worth the time and brainpower needed to do things “the right way”.

On the other hand, you shouldn’t under-protect things. A 5-character non-random password protecting the schedule of the President of a country who has been receiving death threats is stupid…it will take an attacker very little time to get to the schedule, and that can end up making things Really Bad.

Also, the diagram posted with the article is interesting; it is worth blowing up and printing, to keep handy whenever you have to do a security assessment.



This entry was posted on Thursday, June 7th, 2007 at 7:58 pm and is filed under Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
2 Comments so far

  1. Chris on June 7, 2007 11:20 pm

    I’m so glad you highlight the more interesting of Bruce’s articles. Thank you for that.

    That diagram though… gads. May take me another 10 minutes to wrap my head around it!

  2. Vox on June 7, 2007 11:57 pm

    lol! I know what you mean…I’m still studying it…it’s gonna take some time for me to really get it, I guess hehehe :)

    On the other hand, it does seem like a useful tool…at worst, it’ll help us security people to conceptualize what we do in our work…at best, we’ll learn something new that we need to keep in mind while taking the important decisions.
