DailyDave has scared out an interesting mini-conversation about Security Religion. I call this Security Religion because the argument centers on some very fundamental beliefs that security people have when combating the evils of the cyber world. It is extremely important in passionate discussions to realize which religion speakers are siding with, to avoid circular arguments that get nowhere. Some discussions have no correct answer, but there can be no chance of agreement due to differences in fundamental assumptions (kinda like someone claiming their religion as ultimate because it says so in the Bible, but their audience hasn’t bought the assumption that the Bible is divine…). The argument is in the assumptions, not the resulting assertions.
I have purposely striked most of the content below, since it is just me being wordy and unnecessary.
Absolute security vs incremental security.
Absolute Security followers accept and pursue security solutions that are inherently secure or absolutely secure. Something that is inherently secure may not be absolutely secure right now, but is as secure as it theoretically can be at this moment.
Absolutists may often define security as something much closer to a state, where things are highly secure. When something is adding security, they mean that it is in a state that is not breakable. They may say that security is not a state to achieve, but only insomuch that zero days can be found and patched against; i.e. new attack vectors and threats that aren’t known today. They don’t spend excessive amounts of time, money, energy, or political clout on solutions that have weaknesses or holes in them. With this approach, they tailor their security approaches towards even highly skilled threats, internal and external.
Perfect security seems like an impossibility, meaning these people will have very few solutions and very few good feelings about their security. They shouldn’t use Windows, as this violates the fundamental belief (since Windows can be inherently insecure). Absolutists may be unable to provide satisfactory solutions without an overflowing budget, support, and staff. Absolutists do not manage risk, and would rather try to remove all risk. They put heavy emphasis on technological controls, since people are fallible and make mistakes. Absolutists will overlook small security measures that stop unskilled attackers or automata, but would fail against a skilled attacker.
Example A) Absolutists will argue against the benefit of changing the listen port of an SSH server, and instead prefer to harden the SSH server itself.
Example B) Absolutists will likely argue against the value of IDS or other detection solutions. Attacks should not succeed in absolute security networks, therefore this is wasted time. Caveat: detection may be suggested as a tripwire for zero day attacks or unknown things.
Example C) Absolutists scoff at the notion of MAC address and SSID hiding controls in WAPs.
Incremental security means acknowledging that security measures are not perfect, especially in an imperfect world with imperfect humans as the base of any security regimen. Therefore, they believe that layers are the best approach. Sometimes this means, “any security is an improvement.”
Incrementals acknowledge that there are no perfect security measures, and can plan around those deficiencies. Incrementals tend to define “security” as a measure on a scale between ultimately secure and ultimately insecure. They have a more realistic outlook, which means being able to work with tighter budgets, lack of staff, and less efficient tools. Incremental belief lends itself to a risk management approach. They almost always accept that security is an ever-changing process and not a state.
An Incrementalist may waste time applying various imperfect layers of security to compensate for the imperfections. They may get mired in always fighting an uphill battle; causing burn-out, frustration, and never-ending politicking to get projects approved and accomplished.
Example A`) Incrementals believe there is some benefit to changing the listen port of an SSH server.
Example B`) Incrementals will be considerate of IDS and detection measures as a way to alert on possible or successful attacks.
Example C`) Incrementals will argue that there is some value in protecting wireless networks by disabling SSID broadcasting and using MAC controls.
There is a time and place for both security religions. This can change based on the organization’s resources, threats, or assets. A government defense facility may side much deeper into the Absolute Security, but a web development start-up may be best served with an Incremental approach.
I’m not saying either religious side is better or worse. I think it depends on the personality and environment. Hell, I would also be keen to say it can depend on the solution or situation. You might be forced to be Incremental in your desktop OS and shared servers (think web or SQL), but you’d be damned to budge from being an Absolutist on the network or servers that only you use (think DNS or mail).