Why do we insist on seeing the computer as a magic box for controlling other people?
Why do we want so much to control others when we won't control ourselves?
Computer memory is just fancy paper, CPUs are just fancy pens with fancy erasers, and the network is just a fancy backyard fence.
Monday, February 11, 2013
Passwords? Security systems?
The first and most fundamental tactic in security is to reduce your potential loss in the case of a successful attack.
I mentioned the cost of replacement when I talked about planning the costs of security in the last rant.
The absolutely best way to reduce the cost of security is to bring the cost of replacement down to zero.
If you have nothing to protect, you don't need to spend money, time, or other resources protecting anything.
Moreover, you don't care if people walk off with anything, so you basically go into a sharing mode. That reduces the motivation of many attackers, since there is nothing to steal.
Sharing is a good way to turn enemies into friends, which is another good way of reducing the number of potential attackers.
Well, if everything were infinitely reproducible, we could basically get rid of both military warfare and excessive economic competition.
Okay, it's an ideal. But it is a meaningful ideal. If you are having serious security problems, you should re-evaluate your resources, operations, facilities, etc. If there are things you don't need to protect, quit trying to protect them, and security issues disappear like snow in the tropical sun.
And, until you take this step, everything else is a just a bandaid.
As I said before, you don't usually want to secure a ten thousand dollar touring bicycle with a three dollar lock on a flimsy chain that could be cut through by a determined kid with diagonal cutting pliers.
Nor do you usually want to protect a two hundred dollar utility bike with a thousand dollar chainlock.
Generally, you want to spend something around a tenth (plus or minus a bit) of the cost of replacement on protection measures.
Now, I just said a mouthful there. Let me unpack it.
I didn't exactly say it before, but knowing the value of something includes knowing it's replacement value, or, rather, how much it would cost to replace.
Replacement value. Cost of replacement. Not the same, and neither the same as the actual value, much less the perceived value.
Everything that you might want to protect has a replacement value or a cost of replacement.
You cannot secure something that is priceless. Period.
If you don't understand why, go back to the popular song from the '60s, "One Tin Soldier" (Lambert/Potter).
Of course, there are other issues relative to priceless stuff, primarily that what is priceless to the owner of the company is generally not priceless to the company itself. If the company itself has something that the company considers priceless, the accountants are not doing their jobs.
If the company has something that it considers priceless, that thing will sooner or later cause things at the company to seriously wonky. If not corrected, it will destroy the company. You can't operate a company long-term unless everything the company owns has a given and fairly reasonable cost of replacement.
If the company has something priceless, call in the boss and the accountants and whoever else it takes, and get a cost of replacement assigned to it.
Often, the actual cost of replacement, sentiment aside, will be surprisingly low. That's no offense to the boss. If it could be valued, it wouldn't be priceless.
Why roughly a tenth of the cost of replacement?
I'm reading the mind of the thief or other attacker. He's saying to himself something like
I'm not going to be able to sell this thing for the full value. If I have to carry in a thousand dollars worth of tools to steal something worth a thousand dollars, when the risks include having to leave the tools behind, I'm going to get a real job.
Yeah. I'm guessing when I say a tenth. That's why I say plus or minus. The object is to spend just enough to discourage most potential thieves.
What you're doing is an augment to insurance. Insurance attempts to take care of things after the probabilistic event of an intrusion/theft. Security is reducing the probability of the event. Together, you want to bring the costs down to a manageable level.
And adjusting the cost of security measures to the value of the thing being protected is one way to manage the costs.
Really, a tenth is a bit high, but we aren't ready to calculate for real, just yet.
One last thing before I move on:
If the argument of replacement vs. protection runs into the problem of having to replace something repeatedly, you will have to shift from security tactics to war tactics, but that is also a topic to be dealt with later. (I will deal with it partially in the next post.)
If you don't know what it is you are protecting, you'll tend to leave the valuables in the middle of the road while you haul meaningless junk into the safe.
Or you will spend hundreds of thousands of dollars trying to protect something worth only a thousand or so.
You also need to know what it is you need to do with the valuables. If you don't know this, you'll tend to leave the valuables in the middle of the road while you are busy building walls, safes, locks, gates, etc., in buildings where you never intend to take them.
(Of course, certain large system houses -- cough -- MS -- cough -- IBM, too -- ahem -- Cisco -- gack, Apple, too? erk -- erm, well, certain, uhm, most large systems houses are just delighted to help you build security measures you will never need or use. Especially, if you never use them, no one will know that they don't really work.)
If you know what you are protecting and how you need to use it, you can focus your resources on real protection measures. In other words, you are less likely to run out of resources for security before you can actually get meaningful measure implemented.
("Measures" is such a buzzword. It just happens to be the best word I can think of, since security is a lot more than just walls, gates, locks, passwords, strongboxes, sandboxes, etc. Well, buzzwords are only really buzzwords when misused.)
Now, there there are some hidden issues here.
Not only do you need to know what you are protecting, you also need to know its value. You don't usually want to spend thousands of dollars protecting imitation jewelry, and you don't usually want to leave real jewelry in a cheap lockbox you bought at a discount shop.
Hmm. I was going to leave the question of whether there is such a thing as "real" jewelry begging, but it is one way to approach another hidden issue, which also happens to be a core issue.
One geek's aunt left him her wedding ring set when she died. The geek's wife now has that set. It appraises in the thousands of dollars range, but, because he didn't work hard and sweat blood to buy it, it is not worth very much to her. Maybe she's being unreasonable, maybe she isn't. But these sorts of things need to be know when deciding how to allocate security resources.
(It seems like I should offer some advice, but each situation is different, and I want to talk about matching value to resources elsewhere.)
Knowing what you are trying to protect includes knowing how it is valued, and who values it that way.
Once you know what you are protecting, you need to match your efforts to its value.
If what you have is perceived to be valuable, there will be people who will decide they want it.
So the first rule of security is to avoid making something look more valuable than it is.
(A derived rule is to try to make it appear less valuable, but such attempts are generally all too easy to read through, and thus backfire. Going that route should be reserved for special cases, not engaged in without careful planning, and definitely left alone if you haven't throughly understand all the principles of security.)
Think about the old MS/PC-DOS machines. Internal storage was small. Networking was primitive. Data tended to be stored off-line. The biggest security problems were computer viruses written mostly by kids who had no idea of the value of the data their toys were mucking around in.
Well, the data itself wasn't that valuable either, because it was hard to dig into, hard to aggregate, hard to interpret.
Security was not a big problem because of a lack of value, and a lack of perceived value.
To get a grip on perceived value, however, you need to know what you are protecting.