Slashdot Mirror


Rethinking Security: Securing Activities Instead of Computers

An anonymous reader writes: "Security is not a property of a technical system," says independent security consultant Eleanor Saitta. "Security is the set of activities that reduce the likelihood of a set of adversaries successfully frustrating the goals of a set of users." But software development teams that understand what users want and what adversaries they face are very rare. And security engineers forgot — or misunderstood — what their job is: not securing computers, but securing activities that lead to the realization of greater goals.


  1. After skimming, reading and confusion. by Anonymous Coward · · Score: 3, Interesting

    After reading the 'article', I am not sure what is being said or the point is for that matter. I don't understand WTF is being said.

    "A threat model is a formal, complete, human-readable model of the human activities and priorities and of the security-relevant features of in-scope portions of a system," Saitta defines. "An engineering tool that will help us define what we are trying to get the system to do."

    Huh? That sounds like a REAL fancy way to say social engineering.

    In my years in this shitty fucking business, there are a lot of BS artists who get away with bullshit because the IT/engineering industry is almost exclusively filled with people who are afraid of appearing 'stupid' to say he looks naked and charlatans get away with selling shit. The Emperor may have no clothes, but everyone is too afraid to appear stupid or have some arrogant asshole say, "You don't belong here!" because HE thinks there are clothes.

    Is this article different? I don't know.

    independent security consultant Eleanor Saitta

    Ah 'consultant'.

    1. Re:After skimming, reading and confusion. by mlts · · Score: 2

      The funny thing is that back in the 80s, every company that used computers thought of this. Back then, diskettes and other media were notoriously unreliable, so even the accounting firm had a grandfather/father/son backup rotation system in place, with tapes/disks going somewhere offsite.

      Sensitive data had some form of PW protection. Because someone had to have physical access, usually basic physical access controls worked. Then the fact that very often, the "computer" in use was a terminal, which likely would lock permanently after 3 missed passwords, didn't hurt either.

      Now, it seems all those cautions get tossed out the window. I see companies considering RAID as backup (especially those who use their SAN for backup/archiving purposes), and assume that no intruder can get onto their SAN's management network.

      This worked adequately... but the Sony hack changed things with the data being destroyed. Now, there is a good chance that after the intruders copy off the data, they will just log onto the SAN and purge things. A simple dropping of LUNs, then rebuilding all drives as one RAID array will ensure all data is overwritten and unrecoverable.

      I am a strong advocate of offline media like tapes, mainly because it addresses the parent poster's two points:

      1: LTO-4 and newer can be set with an encryption key on the tape drive itself (via SPIN/SPOUT), so if a cartridge falls off the back of the Iron Maiden truck, it can be treated as just a loss of a $10 tape.... with data well protected.

      2: Just by being offline, it requires "boots on the ground" to destroy the media. An attacker can't just do a "rm -rf /" and destroy the entire business.

      Yes, businesses can get destroyed by data loss. Texas Textbooks, around 20 years ago, used to be the top dog for student textbooks and items in Austin. Their main computer croaked... and the company went down for good with it due to the loss of payroll, accounts payable/receivable/sales info, inventory, and other items.

  2. Pointless Enterprise Speak. by cshark · · Score: 3, Insightful

    Look, I know the guys in suits buy into this crap, but there's really no reason to spread it on our walls.

    If you're going to provide a solution to a problem do it, describe it in clear, concise English. This person hasn't actually said anything at all. They simply used a larger than necessary amount of words to do it.

    --

    This signature has Super Cow Powers

  3. What people want by sjames · · Score: 3, Insightful

    People want an attempted computer intrusion to look like The Matrix combined with William Gibson novels combined with red alert klaxons and people in military uniforms running around in a war room. They want it to be free, fool proof, and not require them to know or remember anything.

    Good luck!

  4. As an independent security consultant myself... by bobbied · · Score: 3, Insightful

    You are full of ...... It...

    (/sarcasm)

    Look, ANYBODY can claim to be an "independent security consultant" and it's stuff like this that sounds complex enough to be true. You can baffle people with BS if you know the buzz words, and even get consultant gigs from time to time, just hang out a shingle, buy a website and go to a couple of symposiums.

    Security is about common sense and risk management. You need to understand the risks (which means you need to know what they are) and that takes some domain knowledge, plus you need to know what the possible techniques are to manage the risks, but once you know what the risks are and what tools you have to manage these risks, doing the actual *work* is decidedly easy and not that hard.

    The moral of the story here is that if it sounds complicated coming from your "expert" then you need to fire them. If you cannot understand what they are suggesting needs to be done, they are just trying to separate you from your money, not provide you with security.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101

  5. A bit obtuse, but not bad. by dweller_below · · Score: 2

    As security definitions go, "Security is the set of activities that reduce the likelihood of a set of adversaries successfully frustrating the goals of a set of users." is not bad. It is a bit obtuse. It lends itself to Venn diagrams and PowerPoint. It is also weakened by its fixation on adversaries. Adversaries are nice if you can blame them, but usually, you are your own worst enemy.

    The worst security definition that I have seen is the one currently used by the US Security communities. Geer stated it as: "..the absence of unmitigatable surprise." This definition is horrible. It offers you no guidance on prioritization or limits. This definition says you are insecure until you have achieved omniscience and omnipotence.

    The best definition of security that I have found is: "Security is a MEANINGFUL assurance that YOUR most important goals are being accomplished." This is easily understood by everybody and it guides you to effective action. Using this definition you are guided to create and maintain the potential for success. The other definitions ultimately force you to focus your efforts on less important objectives.

  6. Re:If your not connected to the internet your secu by bobbied · · Score: 2

    Where I get where you are coming from...

    The internet is NOT really the biggest source of risk, users are. The internet is just the vehicle most often used to do direct and indirect attacks, there are a number of other sources of problems for the security expert. Most systems that sit behind any kind of firewall and a NAT address are generally perfectly safe from a direct attack, at least until the user logs in.

    Users, once authenticated, are able to download stuff, do stupid things to the system configuration and/or copy data off the system. For most security risks, the BIG money risks are not directly coming from the internet.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101

  7. hope springs eternal by slew · · Score: 2

    When facing a nearly unprovable situation (e.g., the security or insecurity of a system), we often resort to deities and idolatry.

    It's much easier to believe in magic pixie dust called security protection that you can apply to some activity which is insecure to make it secure, than to face the reality that the activity itself might be inherently insecure and we must modify our activity to make it secure.

    You have a virus, there must exist anti-virus protection, you have malware, there must exist some anti-malware protection, just a little more encryption, and a little more authentication will always help too (just like sunblock and contraceptive devices, you gotta apply that stuff correctly or it doesn't work as advertised). However, as we have seen, the belief in these artifacts is mostly a mirage. It's not to say these things aren't useful to a limited extent, but we want to believe we can use technology to "solve" a problem that is intrinsic. Hope springs eternal.