the security silver bullet syndrome in negative exposure

It’s not often someone hits a pet peeve of mine dealing with security, but I bristled at one just now.

One of my tenets of security is to make sure to not believe there is a silver bullet or security panacea. I think we universally believe that.

But there are insinuations and beliefs that, in effect, presume there really is a silver bullet. Most of these come down to saying, “Security measure X is not 100% effective, therefore it is useless/inefficient/expendable.”

I’ve seen this with Jericho Forum defenders who say the perimeter is porous now, which must mean the firewall is less efficient, which must mean we’re moving towards no perimeters. “What use is a perimeter defence with holes in it after all?”

Such a statement is analogous to saying, “I expect my security measures to be silver bullets.”

I don’t think I’ve stumbled downhill nearly that violently since breaking my leg sledding one winter…

3 thoughts on “the security silver bullet syndrome in negative exposure”

  1. Can you point to one of these “apologists” that equate the fact that the porous perimeter means that one should do away with the defenses one has today without a rational plan of attack and without a reasonable way of mitigating risk?
    See that point to the left? That represents you.
    See that point to the right? That seems to represent anyone who would suggest that we should start fixing the problem rather than the symptom.
    …at least that’s how I see what you’re saying.
    In fact, Jericho suggests just the opposite of what you maintain: there are no silver bullets, just silver buckshot…
    I think that the “insinuations” you point to are, quite honestly, amplified in your own head for allergy’s sake, because I don’t know anyone who claims to understand and adopt the Jericho Forum’s vision and simply does so for technology’s sake and ignores the business.
    Do you *really* think that the governance structure at BP who have taken tens of thousands of workstations outside of the traditional crunchy/soft boundary, would allow that to happen if it threatened their ability to conduct business?
    NO! They did it because it enabled them to become more agile whilst balancing that with the risks specific to their business operating environment.
    You’re a smart guy, Michael. Nobody’s insinuating that you’re doing anything wrong, but rather that the generally-perceived definition of “right” could use a fresh coat of paint.
    I’ve used the exact phrase about efficacy above numerous times, but sometimes one has to reset the goal posts instead of continuing to run out of bounds to stop the clock.
    My $0.02. I respect your opinions, but I disagree with the negativity you continue to convey regarding what you think JF is trying to do.
    Hope you can accept this as just my opinion with ZERO personal baggage attached.

  2. I purposely made no links in my post above. I meant it to be more general than finger-pointing. The “What use is a perimeter defence with holes in it after all?” is an exact quote, however. I was not really pissed off about JF, but more pissed off about the insinuation of such statements, which I’ve seen made by others with no affiliation with JF. The same is often said about spam filtering. One spam gets through, therefore the approach is all wrong. That implies a perfect solution is the only acceptable option.
    I’m not against fixing a problem. I just don’t think I’m convinced this is the exact problem, nor am I convinced that swinging far to the other end is the solution. Just because I don’t buy into what JF says completely, does not mean I want to beat my head against a post doing the same old supposedly wrong things. 🙂
    I think I’ll withhold further discussion on JF until such a time as I can attend a live presentation or some such event to get a better feel for what they are saying. Of course, I’m not chomping at the bit to do that… 🙂
    And just to note, like I said in my JF conclusions, I’m not necessarily against JF at all. I’m just not going to become some JF evangelist any time soon.

  3. Fair enough.
    I started to write more, but will abstain from doing so because I have plenty of other dead horses to go beat 😉
    Again, I respect your opinion immensely, I just don’t subscribe to your interpretation of it.
    Until we meet at a Jericho event, I shall consider that we agree to disagree!
