Why do we insist on seeing the computer as a magic box for controlling other people?
Why do we want so much to control others when we won't control ourselves?
Computer memory is just fancy paper, CPUs are just fancy pens with fancy erasers, and the network is just a fancy backyard fence.
Monday, February 11, 2013
Security Basics 2 -- What Are You Protecting?
If you don't know what it is you are protecting, you'll tend to leave the valuables in the middle of the road while you haul meaningless junk into the safe.
Or you will spend hundreds of thousands of dollars trying to protect something worth only a thousand or so.
You also need to know what it is you need to do with the valuables. If you don't know this, you'll tend to leave the valuables in the middle of the road while you are busy building walls, safes, locks, gates, etc., in buildings where you never intend to take them.
(Of course, certain large system houses -- cough -- MS -- cough -- IBM, too -- ahem -- Cisco -- gack, Apple, too? erk -- erm, well, certain, uhm, most large systems houses are just delighted to help you build security measures you will never need or use. Especially, if you never use them, no one will know that they don't really work.)
If you know what you are protecting and how you need to use it, you can focus your resources on real protection measures. In other words, you are less likely to run out of resources for security before you can actually get meaningful measure implemented.
("Measures" is such a buzzword. It just happens to be the best word I can think of, since security is a lot more than just walls, gates, locks, passwords, strongboxes, sandboxes, etc. Well, buzzwords are only really buzzwords when misused.)
Now, there there are some hidden issues here.
Not only do you need to know what you are protecting, you also need to know its value. You don't usually want to spend thousands of dollars protecting imitation jewelry, and you don't usually want to leave real jewelry in a cheap lockbox you bought at a discount shop.
Hmm. I was going to leave the question of whether there is such a thing as "real" jewelry begging, but it is one way to approach another hidden issue, which also happens to be a core issue.
One geek's aunt left him her wedding ring set when she died. The geek's wife now has that set. It appraises in the thousands of dollars range, but, because he didn't work hard and sweat blood to buy it, it is not worth very much to her. Maybe she's being unreasonable, maybe she isn't. But these sorts of things need to be know when deciding how to allocate security resources.
(It seems like I should offer some advice, but each situation is different, and I want to talk about matching value to resources elsewhere.)
Knowing what you are trying to protect includes knowing how it is valued, and who values it that way.
Once you know what you are protecting, you need to match your efforts to its value.