avoiding shock and awe

JournalofPhysicalSecurity9(1),26-48(2016)

26

ViewpointPaper

AvoidingShockandAwe*

RogerG.Johnston,Ph.D.,CPPRightBrainSekurityhttp://rbsekurity.com

Ifindtworecentsecurityincidentstobeparticularlydisturbingbecausetheyhighlightthefrequentlackofvulnerabilityassessments(VAs),orevenamindsetthatallowsforthecontemplationofsecurityvulnerabilities.Thisalmostalwaysleadstoserioussecurityfailures.ThefirstincidentinvolvesallegationsofRussiantamperingwithurinesamplesusedfortestingathletesforbannedperformance-enhancingdrugs.TheNewYorkTimesreportedthattherehasbeenextensivestate-sponsoreddopingofRussianinternationalathletes,hiddenviatamperingwithurinetestingsamples.[1]Thetamperingwasreportedlyimplementedbytamperingwithso-called“tamper-proof”urinesamplebottles.Inafollow-upstoryonthefrontpageoftheNewYorkTimes[2],DonCatlin,theformerheadoftheUCLAOlympicAnalyticalLaboratoryisquotedassaying,“Itriedtobreakintothose[urinesample]bottlesyearsagoandcouldn’tdoit.It’sshocking.”[Italicsaddedforemphasis.]Inthesamestory,Catlinfurtherstatesthatwhenthemanufacturerfirstshowcasedtheurinesamplebottlesusedforathletedrugtestingtoaroomfulofdoctors,“Allofuswereparticularlypleasedandexcitedbythisbottlebecauseitlookedprettybulletproof.”ThemanufacturerisquotedassayingabouttheallegationsofRussianspoofingofthe“tamper-proof”samplebottlesthat,“We’reallabitspeechless,tobehonest...Noonecanbelieveit.”[Italicsaddedforemphasis.]Shocked?Noonecanbelieveit?Really?!?Thefactisthatreliabletamper-detectionisalargelyunsolvedproblem.[3,4]Moreover,7yearsago,mycolleaguesandIdemonstratedthat23widely-usedurinecollectionkitscouldbeeasilytamperedwithusingonlylow-techmethods.[3](Unfortunately,wedidnotevaluatetheBerlingerbottlethatisatthecenterofthecurrentaccusationsofRussiantampering.)Wealsofoundthatthedrugtestingprotocolstypicallyused,includingforinternationalathletes,haveserioussecurityproblems.[3]Theshockanddisbeliefattheideathattheso-called“tamper-proof”bottlescanbedefeatedisveryconsistentwithanumberofgeneralsecuritymaxims.Inparticular:______________________*ThisViewpointpaperwasnotpeerreviewed.


27

BackwardsMaxim:Mostpeoplewillassumeeverythingissecureuntilprovidedstrongevidencetothecontrary—exactlybackwardsfromareasonableapproach.NarcissistMaxim:Securitymanagers,bureaucrats,manufacturers,vendors,andend-userswillautomaticallyassumethat,iftheycannotreadilyconceiveofawaytodefeatasecurityproduct(orasecurityprogram),thennobodyelsecan.Remarkably,thiswillbetrueevenforpeoplewithlittleornoexperience,resources,oraptitudefordefeatingsecurity,andeveniftheyarespectacularlyunimaginative.MermaidMaxim:Themostcommonexcusefornotfixingsecurityvulnerabilitiesisthebeliefthattheysimplycan'texist.Comment:Often,theevidenceofferedthatnosecurityvulnerabilitiesexististhatthesecuritymanagerwhoexpressesthisviewcan’tpersonallyimaginehowtodefeatthesecurity.YouCould’veKnockedMeOverwithaFeatherMaxim1:Securitymanagers,bureaucrats,manufacturers,vendors,andenduserswillalwaysbeamazedathoweasilytheirsecurityproductsorprogramscanbedefeated.[Unfortunately,inmyexperienceasavulnerabilityassessor,thefollowingassociatedmaximequallyprovestobetrue:YouCould’veKnockedMeOverwithaFeatherMaxim2:Havingbeenamazedonce,securitymanagers,bureaucrats,manufacturers,vendors,andenduserswillbeequallyamazedthenexttimearound.]Andfinally:Tamper-ProofMaxim:Anyclaimbyasalespersonabouttheperformanceofaphysicalsecurityproduct(includingtheclaimofabsolutesecurity)willbebelievedbydefaultbythecustomer,whilewarningsaboutvulnerabilitiesorlimitationsbyvulnerabilityassessorsorotherswithfirst-handexperiencewillbemetwithincredulity.Comment:Aclassicexampleofthiscanbefoundintheall-to-commonsealcustomerswhomaintainthattheirsealscannotnotbespoofedbecausethemanufacturercallsthem“tamper-proof”.(MycompletesetofSecurityMaximscanfoundintheAppendixofthispaper.)Thesecondrecent,highlydisturbing“security”incidentthatsuggeststheabsenceofeffectiveVAswasthehorrifickillingofa2-yearoldchildbyanalligatorataWaltDisneyresortinOrlando,Florida.Nowalligatorsmightbemoreconventionallyconsideredasafetyissueratherthanasecurityissue,butsecurityisfundamentallyabouttryingtocountermaliciousactionsbyanefariousadversary.Alligatorswouldseemtofallintothatcategory,incontrasttootherforcesofnaturesuchashurricanes,tornados,andearthquakes—usuallythoughtofassafetythreats—thatdonot.RiskManagementhastoincludenotjustanunderstandingofthethreats,butalsoanunderstandingofthevulnerabilities.InthecaseoftheOrlandoincident,thealligator


28

threatmustcertainlyhavebeenhardtooverlook,evenbeforetheattack.AccordingtotheAssociatedPress,Floridahasabout1millionalligatorsandofficialsreceive16,000complaintsaboutalligatorseachyear.Lastyear,morethan7,500nuisancealligatorswererelocated.Since1973,23peoplehavebeenkilledbywildalligators.Shortlyaftertheattack,5alligatorswereremovedfromthelakewheretheattacktookplace,thoughnoneofthemwereinvolvedintheincident.TheWaltDisneyresortreportedlyhadnofencesandnosignswarningvisitorsaboutthealligatorsandhowtobehavesafelyaroundthem.Thisissurelyaseriousvulnerability.Orlandoisvisitedbylargenumbersofchildrenandadultsfromall50statesandmanydifferentcountrieswherepeoplemaynotbefamiliarwithalligatorsandtherisktheyrepresent.Hindsightisalways20-20afterasecurityincident,butitseemslikelythatevenarudimentaryvulnerabilityassessmentpriortotheattackwouldhaveeasilyidentifiedthelackofwarningsignsasaseriousproblem.Thereareanumberofreasonswhypeopleandorganizationsmayoverlookvulnerabilitiesandeffectivevulnerabilityassessments(VAs).Sometimes,threatsareconfusedwithvulnerabilities.[5]Often,variousactivitiesgetconfusedwithVAs.Examplesincludethreatassessments,securitysurveys,complianceauditing,faultoreventtreeanalysis,DesignBasisThreat,theCARVERMethod,penetrationtesting,performanceorreliabilitytesting,and“RedTeaming”.[6,7]Whilethesethingscancertainlybeuseful,theyarenotvulnerabilityassessments,andtheyareusuallynotveryeffectiveatfindingsecurityvulnerabilities.Anotherproblemmaybethat,formanyorganizations,threatsaremucheasierandmorecomfortabletocontemplateanddealwiththanvulnerabilities.[6,7]Manyorganizationshavethesekindsofproblems.Inmyview,however,themosttroublingexamplesofsuchorganizationsaretheNationalNuclearSecurityAdministration(NNSA)andtheInternationalAtomicEnergyAgency(IAEA).Bothoftheseorganizationsareresponsiblefornuclearsecurityandsafeguards,andbothareatsignificantriskforserioussecurityincidentslargelybecauseofafundamentalfailuretoacceptthatvulnerabilitiesexist,andtoproperlyaddressthem.IbelievetheyalsosufferfrommanyoftheothersecurityproblemscoveredintheSecurityMaximsgivenintheAppendix.Sowhatexactlyisagoodvulnerabilityassessment?Itisaholistic,creativeexerciseinthinkinglikethebadguys.Itinvolvesdiscoveringandperhapsdemonstratingvulnerabilities(weaknessesinthesecurity)thatmightbeexploitedbythebadguys.Itoftenalsoincludessuggestingpossiblecountermeasurestomitigatethevulnerabilities.AneffectiveVAisnotconstrainedbywishfulthinking,conflictsofinterest,departmentalpolitics,bureaucracy,lackofimagination,“shootingthemessenger”,politicalcorrectness,cognitivedissonance,phonyconstraints,excessiveformalism,orarbitraryboundariesbetweendisciplinesorhardware/softwaremodules.Itdoesnotignoretheinsiderthreat,focusonlyonfrontalforce-on-forceattacksbyoutsiders,orconsideronlypreviousattacks.


29

Itrecognizesthatallsecurityislocal,andthatcomplianceandsecurityarenotthesamething.Anditavoidsconfusingvulnerabilitieswiththreatsorwithfeaturesofthesecurityorthefacilityinquestion.ThepurposeofaVAistorealisticallyimproveyoursecurity.AVAisnotatestyou“pass”orawayofreassuringyourselfeverythingisfine.Itisnotasoftwareprogramyourun,amodelyou“crank”,anaudityouconduct,oranexerciseinfinding“gaps”(thoughthesethingsmaybehelpful).TheidealoutcomeofaVAisnotfindingzerovulnerabilities—indicatingtheVAisworthless—butratherfindingslotsofvulnerabilities,whicharealwayspresentinlargenumbers.ThisistrueevenafteragoodVAiscompletedandnewcountermeasureshavebeenimplemented.AVAmustbeundertakenbyimaginative,resourceful,independentpeoplewhogenuinelywanttofindproblemsandsuggestsolutions.Theremustbenoriskofretaliationforwhattheyfindandrecommend.AneffectiveVAisnotundertakenbysafetyexpertsusingsafetymodels(thoughhavingthevulnerabilityassessorsconferwithsafetypeopleisagoodidea).Itisnotaone-timething,butratheranexercisethatisdoneearly,iteratively,andoften.


30

References

1.RRRuizandMSchwirtz,“RussianInsiderSaysState-RunDopingFueledOlympicGold”,May12,2016,http://www.nytimes.com/2016/05/13/sports/russia-doping-sochi-olympics-2014.html?_r=0.

2.RRRuiz,“MysteryinSochiDopingCaseLieswithTamper-ProofBottle”,May13,2016,http://www.nytimes.com/2016/05/14/sports/russia-doping-bottles-olympics-2014.html?_r=0.3.RGJohnstonandJSWarner,“HowtoChooseandUseSeals”,ArmySustainment44(4),54-58(2012),http://www.almc.army.mil/alog/issues/JulAug12/browse.html4.RGJohnston,“Tamper-IndicatingSeals”,AmericanScientist94(6),515-523(2005),http://www.americanscientist.org/issues/feature/2006/6/tamper-indicating-seals.5.RGJohnston,ECMichaud,andJSWarner,“TheSecurityofUrineDrugTesting”,JournalofDrugIssues,39(4)1015-1028(2009),http://jod.sagepub.com/content/39/4/1015.full.pdf+html.6.RGJohnston,“BeingVulnerabletotheThreatofConfusingThreatswithVulnerabilities”,JournalofPhysicalSecurity4(2),30-342010.7.RGJohnston,“FocusingontheThreatstotheDetrimentoftheVulnerabilities:AVulnerabilityAssessor’sPerspective”,Chapter14,SApikyanandDDiamond(Editors),NuclearTerrorismandNationalPreparedness,NATOScienceforPeaceandSecuritySeriesB,Springer(2015).


31

Appendix:SecurityMaxims

Whilethesesecuritymaximsarenottheoremsorabsolutetruths,theyareinmyexperienceessentiallyvalid80-90%ofthetimeinphysicalsecurityandnuclearsafeguards.Theyprobablyalsohaveconsiderableapplicabilitytocybersecurity.Notethatsomeofthesemaximsareobviouslyhyperboleand/ortongue-in-cheek,butthatdoesnotnecessarilymakethemuntrue.Youignorethesemaximsatyourown(andothers’)peril,especiallytheonesinred!ArroganceMaxim:Theeaseofdefeatingasecuritydeviceorsystemisproportionaltohowconfident/arrogantthedesigner,manufacturer,oruserisaboutit,andtohowoftentheyusewordslike“impossible”or“tamper-proof”.Warner’s(ChineseProverb)Maxim:Thereisonlyonebeautifulbabyintheworld,andeverymotherhasit.Comment:Everybody’ssecurityorsecurityproductisbeautiful(tothem).BeAfraid,BeVeryAfraidMaxim:Ifyou’renotrunningscared,youhavebadsecurityorabadsecurityproduct.Comment:Fearisagoodvaccineagainstbotharroganceandignorance.SoWe’reInAgreementMaxim:Ifyou’rehappywithyoursecurity,soarethebadguys.IgnoranceisBlissMaxim:Theconfidencethatpeoplehaveinsecurityisinverselyproportionaltohowmuchtheyknowaboutit.Comment:Securitylookseasyifyou’venevertakenthetimetothinkcarefullyaboutit.InfinityMaxim:Thereareanunlimitednumberofsecurityvulnerabilitiesforagivensecuritydevice,system,orprogram,mostofwhichwillneverbediscovered(bythegoodguysorbadguys).Comment:Wethinkthisistruebecausewealwaysfindnewvulnerabilitieswhenwelookatthesamesecuritydevice,system,orprogramasecondorthirdtime,andbecausewealwaysfindvulnerabilitiesthatothersmiss,andviceversa.ThanksforNothin’Maxim:Avulnerabilityassessmentthatfindsnovulnerabilitiesoronlyafewisworthlessandwrong.WeakestLinkMaxim:Theefficacyofsecurityisdeterminedmorebywhatisdonewrongthanbywhatisdoneright.Comment:Becausethebadguystypicallyattackdeliberatelyandintelligently,notrandomly.SafetyMaxim:Applyingthemethodsofsafetytosecuritydoesn’tworkwell,butthereversemayhavesomemerit.Comment:Safetyistypicallyanalyzedasastochasticorfaulttreekindofproblem,whereasthebadguystypicallyattackdeliberatelyand


32

intelligently,notrandomly.Foradiscussionaboutusingsecuritymethodstoimprovesafety,seeRGJohnston,JournalofSafetyResearch35,245-248(2004).High-TechMaxim:Theamountofcarefulthinkingthathasgoneintoagivensecuritydevice,system,orprogramisinverselyproportionaltotheamountofhigh-technologyituses.Comment:Insecurity,high-technologyisoftentakenasalicensetostopthinkingcritically.DoctorWhoMaxim:“Themoresophisticatedthetechnology,themorevulnerableitistoprimitiveattack.Peopleoftenoverlooktheobvious.”Comment:ThisquoteisfromTomBakerasDoctorWhoinThePiratePlanet(1978).Low-TechMaxim:Low-techattackswork(evenagainsthigh-techdevicesandsystems).Comment:Sodon’tgettooworkedupabouthigh-techattacks.Schneier’sMaxim#1(Don’tWetYourPantsMaxim):Themoreexcitedpeopleareaboutagivensecuritytechnology,thelesstheyunderstand(1)thattechnologyand(2)theirownsecurityproblems.Comment:FromsecurityguruBruceSchneier.WhataDealMaxim:Theintroductionofhigh-techsecurityproductsintoyoursecurityprogramwill:(1)probablynotimproveyoursecurity,(2)almostcertainlyincreaseyouroverallsecuritycosts(thoughperhapsitwilldecreaseinventory,shipping,orotherbusinesscosts),and(3)probablyincreasesecuritylaborcosts(withthesometimesexceptionofCCTV).TooGoodMaxim:Ifagivensecurityproduct,technology,vendor,ortechniquessoundstoogoodtobetrue,itis.Anditprobablysucksbigtime.YouMustBeHighMaxim1:Anysecurityproductthatislabeled“highsecurity”isn’t.YouMustBeHighMaxim2:“HighSecurity”isacontext-andapplication-dependentvaluejudgment,notaproductattribute.That’sExtraMaxim:Anygivensecurityproductisunlikelytohavesignificantsecuritybuiltin,andwillthusberelativelyeasytodefeat.IJustWorkHereMaxim:Nosalesperson,engineer,orexecutiveofacompanythatsellsordesignssecurityproductsorservicesispreparedtoanswerasignificantquestionaboutvulnerabilities,andfewpotentialcustomerswilleveraskthemone.BobKnowsaGuyMaxim:Mostsecurityproductsandserviceswillbechosenbytheend-userbasedonpurchasepriceplushype,rumor,innuendo,hearsay,andgossip.HeJustSeemsSoKnowledgeableMaxim:Mostorganizationsgetthemajorityoftheirphysicalsecurityadvicefromsalespeople(whosomehowseemtorecommendtheirownproducts).


33

Tamper-ProofMaxim:Anyclaimbyasalespersonabouttheperformanceofaphysicalsecurityproduct(includingtheclaimofabsolutesecurity)willbebelievedbydefaultbythecustomer,whilewarningsaboutvulnerabilitiesorlimitationsbyvulnerabilityassessorsorotherswithfirst-handexperiencewillbemetwithincredulity.Comment:Aclassicexampleofthiscanbefoundintheall-to-commonsealcustomerswhomaintainthattheirsealscannotnotbespoofedbecausethemanufacturercallsthem“tamper-proof”.MagicLightInsidetheRefrigeratorMaxim:Deployingasimplemechanicaltamperswitchorlightsensortodetecttamperingwithadeviceorcontainerisapproximatelythesamethingashavingnotamperdetectionatall.KeyMaxim(Tobias’sMaxim#1):Thekeydoesnotunlockthelock.Comment:FromMarcWeberTobias.Thepointisthatthekeyactivatesamechanismthatunlocksthelock.Thebadguyscangodirectlytothatcentralunlockingmechanismtoattackthelock(ordootherthings)andentirelybypassthekeyorpins.Thismaximisrelatedtothe“IamSpartacusMaxim”belowandtoacorollary(alsofromMarcWeberTobias)that“electronsdon’topendoors,mechanicalmechanismsdo”.Tobias’sMaxim#2:Thingsarerarelywhattheyappeartobe.Comment:FromMarcWeberTobias.OrasYogiBerrasaid,“Nothingislikeitseems,buteverythingisexactlylikeitis.”There’sTheOpeningMaxim(Tobias’sMaxim#3):Anyopeninginasecurityproductcreatesavulnerability.Comment:FromMarcWeberTobias.Tobias’sMaxim#4:Youmustcarefullyexaminebothcriticalandnon-criticalcomponentstounderstandsecurity.Comment:FromMarcWeberTobias.ContrivedDuelism/DualismMaxim:Thepromotersofanysecurityproductmeanttodealwithanysufficientlychallengingsecurityproblemwillinvokealogicalfallacy(called“ContrivedDualism”)whereonly2alternativesarepresentedandwearepressuredintomakingachoice,eventhoughthereareactuallyotherpossibilities.Comment:Forexample:“Wefoundaconvictedfelon,gavehimacrowbar,andhecouldn’tmakethelockopenafterwhalingonitfor10minutes.Therefore,thelockissecure.”Anotherexample,“Nobodyinthecompanythatmanufacturersthisproductcanfigureouthowtodefeatit,andIbetyou,Mr./Ms.PotentialCustomer[neverhavingseenthisproductbeforeinyourlife]can’tthinkupaviableattackonthespot.Therefore,thisproductissecure.”FamiliarityMaxim:Anysecuritytechnologybecomesmorevulnerabletoattackswhenitbecomesmorewidelyused,andwhenithasbeenusedforalongerperiodoftime.AntiqueMaxim:Asecuritydevice,system,orprogramismostvulnerableneartheendofitslife.


34

Schneier’sMaxim#2(ControlFreaksMaxim):ControlwillusuallygetconfusedwithSecurity.Comment:FromsecurityguruBruceSchneier.EvenwhenControldoesn’tgetconfusedwithSecurity,lotsofpeopleandorganizationswilluseSecurityasanexcusetograbControl,e.g.,thePatriotAct.FatherKnowsBestMaxim:Theamountthat(non-security)seniormanagersinanyorganizationknowaboutsecurityisinverselyproportionalto(1)howeasytheythinksecurityis,and(2)howmuchtheywillmicro-managesecurityandinventarbitraryrules.BigHeadsMaxim:Thefartherupthechainofcommanda(non-security)managercanbefound,themorelikelyheorshethinksthat(1)theyunderstandsecurityand(2)securityiseasy.HuhMaxim:Whena(non-security)seniormanager,bureaucrat,orgovernmentofficialtalkspubliclyaboutsecurity,heorshewillusuallysaysomethingstupid,unrealistic,inaccurate,and/ornaïve.Voltaire’sMaxim:Theproblemwithcommonsenseisthatitisnotallthatcommon.Comment:Realworldsecurityblundersareoftenstunninglydumb.YippeeMaxim:Thereareeffective,simple,&low-costcounter-measures(atleastpartialcountermeasures)tomostvulnerabilities.ArgMaxim:Butusers,manufacturers,managers,&bureaucratswillbereluctanttoimplementthemforreasonsofinertia,pride,bureaucracy,fear,wishfulthinking,and/orcognitivedissonance.ShowMeMaxim:Noserioussecurityvulnerability,includingblatantlyobviousones,willbedealtwithuntilthereisoverwhelmingevidenceandwidespreadrecognitionthatadversarieshavealreadycatastrophicallyexploitedit.Inotherwords,“significantpsychological(orliteral)damageisrequiredbeforeanysignificantsecuritychangeswillbemade”.Could’ve,Would’ve,Should’veMaxim:SecurityManagerswilldismissaseriousvulnerabilityasofnoconsequenceifthereexistsasimplecountermeasure—eveniftheyhaven’tbotheredtoactuallyimplementthatcountermeasure.PayoffMaxim:Themoremoneythatcanbemadefromdefeatingatechnology,themoreattacks,attackers,andhackerswillappear.IHateYouMaxim1:Themoreagiventechnologyisdespisedordistrusted,themoreattacks,attackers,andhackerswillappear.IHateYouMaxim2:Themoreagiventechnologycauseshasslesorannoyssecuritypersonnel,thelesseffectiveitwillbe.


35

Colsch's(KISSorKitchenSink)Maxim:Securitywon'tworkiftherearetoomanydifferentsecuritymeasurestomanage,and/ortheyaretoocomplicatedorhardtouse.That’sColdMaxim:Anadversarywhoattackscold(withoutadvanceknowledgeorpreparation)isstupidandamateurish,oftentoomuchsotobearealthreat.Moreover,healmostneverhastoattackcold.Comment:Thusdon’toverlyfocusonthiskindofattack,oruseitasanexcusenottofixvulnerabilities.Shannon’s(Kerckhoffs’)Maxim:Theadversariesknowandunderstandthesecurityhardware,software,algorithms,andstrategiesbeingemployed.Comment:Thisisoneofthereasonswhyopensourcesecurity(e.g.,opensourcecryptography)makessense.CorollarytoShannon’sMaxim:Thus,“SecuritybyObscurity”,i.e.,securitybasedonkeepinglong-termsecrets,isnotagoodidea.Comment:Short-termsecretscancreateusefuluncertaintyforanadversary,suchastemporarypasswordsandunpredictableschedulesforguardrounds.Butrelyingonlongtermsecretsisnotsmart.Ironically—andsomewhatcounter-intuitively—securityisusuallymoreeffectivewhenitistransparent.Thisallowsformorediscussion,analysis,outsidereview,criticism,accountability,buy-in,andimprovement.GossipMaxim:Peopleandorganizationscan’tkeepsecrets.Comment:SeeManningandSnowden.HowInconvenient!Maxim:Convenienceistypicallynotcompatiblewithgoodsecurity,yet,paradoxically,securitythatisn’tconvenientusuallydoesn’tworkwell.PlugintotheFormulaMaxim:Engineersdon’tunderstandsecurity.Theytendtoworkinsolutionspace,notproblemspace.Theyrelyonconventionaldesignsandfocusonagoodexperiencefortheuserandmanufacturer,ratherthanabadexperienceforthebadguy.Theyviewnatureoreconomicsastheadversary,notpeople,andinstinctivelythinkaboutsystemsfailingstochastically,ratherthanduetodeliberate,intelligent,maliciousintent.Beingintelligentdoesnotautomaticallymakeyouthinklikeabadguy.(Magiciansandconartistsknowthattechnicalpeopleareoftentheeasiestpeopletoscambecausetheythinklogically!)Rohrbach’sMaxim:Nosecuritydevice,system,orprogramwilleverbeusedproperly(thewayitwasdesigned)allthetime.RohrbachWasAnOptimistMaxim:Nosecuritydevice,system,orprogramwilleverbeusedproperly.OxVotesfortheMoronMaxim:“ElectionSecurity”isanoxymoron.InsiderRiskMaxim:Mostorganizationswillignoreorseriouslyunderestimatethethreatfrominsiders.Comment:Maybefromacombinationofdenialthatwe’vehiredbadpeople,anda(justifiable)fearofhowharditistodealwiththeinsiderthreat?


36

WeHaveMettheEnemyandHeisUsMaxim:Theinsiderthreatfromcarelessorcomplacentemployeesandcontractorsexceedsthethreatfrommaliciousinsiders(thoughthelatterisnotnegligible.)Comment:Thisispartially,thoughnottotally,duetothefactthatcarelessorcomplacentinsidersoftenunintentionallyhelpnefariousoutsiders.Also,seeSchryver’sLawbelow.FairTheeWellMaxim:Employerswhotalkalotabouttreatingemployeesfairlytypicallytreatemployeesneitherfairlynor(moreimportantly)well,thusaggravatingtheinsiderthreatandemployeeturnover(whichisalsobadforsecurity).TheInmatesareHappyMaxim:Largeorganizationsandseniormanagerswillgotogreatlengthstodenyemployeedisgruntlement,seeitasaninsiderthreat,ordoanythingaboutit.Comment:Thereareawiderangeofwell-establishedtoolsformitigatingdisgruntlement.Mostarequiteinexpensive.TwoKindsMaxim1:Disengagedemployeesfallinto2categories,thosewhoquitandleave,andthosewhoquitandstay.TwoKindsMaxim2:Disgruntledemployeesfallinto2categories,thosewhoengageinretaliation&sabotage,andthosewhoarecurrentlycontemplatingit.BeefJerkyMaxim:Employeesdon'tleavejobs,theyleavejerks.TroublemakerMaxim:Theprobabilitythatasecurityprofessionalhasbeenmarginalizedbyhisorherorganizationisproportionaltohis/herskill,creativity,knowledge,competence,andeagernesstoprovideeffectivesecurity.Feynman’sMaxim:Anorganizationwillfearanddespiseloyalvulnerabilityassessorsandotherswhopointoutvulnerabilitiesorsuggestsecuritychangesmorethanmaliciousadversaries.Comment:Anentertainingexampleofthiscommonphenomenoncanbefoundin“SurelyYouareJoking,Mr.Feynman!”,publishedbyW.W.Norton,1997.DuringtheManhattanProject,whenphysicistRichardFeynmanpointedoutphysicalsecurityvulnerabilities,hewasbannedfromthefacility,ratherthanhavingthevulnerabilitydealtwith(whichwouldhavebeeneasy).IrresponsibilityMaxim:It’lloftenbeconsidered“irresponsible”topointoutsecurityvulnerabilities(includingthetheoreticalpossibilitythattheymightexist),butyou’llrarelybecalledirresponsibleforignoringorcoveringthemup.BackwardsMaxim:Mostpeoplewillassumeeverythingissecureuntilprovidedstrongevidencetothecontrary—exactlybackwardsfromareasonableapproach.NarcissistMaxim:Securitymanagers,bureaucrats,manufacturers,vendors,andend-userswillautomaticallyassumethat,iftheycannotreadilyconceiveofawaytodefeatasecurityproduct(orasecurityprogram),thennobodyelsecan.Remarkably,thiswillbe


37

trueevenforpeoplewithlittleornoexperience,resources,oraptitudefordefeatingsecurity,andeveniftheyarespectacularlyunimaginative.YouCould’veKnockedMeOverwithaFeatherMaxim1:Securitymanagers,bureaucrats,manufacturers,vendors,andenduserswillalwaysbeamazedathoweasilytheirsecurityproductsorprogramscanbedefeated.YouCould’veKnockedMeOverwithaFeatherMaxim2:Havingbeenamazedonce,securitymanagers,bureaucrats,manufacturers,vendors,andenduserswillbeequallyamazedthenexttimearound.That’sWhyTheyPayUstheBigBucksMaxim:Securityisnighnearimpossible.It’sextremelydifficulttostopadeterminedadversary.Oftenthebestyoucandoisdiscouragehim,andmaybeminimizetheconsequenceswhenhedoesattack,and/ormaximizeyourorganization’sabilitytobounceback(resiliency).ThrowtheBumsOutMaxim:Anorganizationthatfireshigh-levelsecuritymanagerswhenthereisamajorsecurityincident,orseverelydisciplinesorfireslow-levelsecuritypersonnelwhenthereisaminorincident,willneverhavegoodsecurity.ScapegoatMaxim:Themainpurposeofanofficialinquiryafteraserioussecurityincidentistofindsomebodytoblame,nottofixtheproblems.Eeny,Meeny,MinyMaxim:Thescapegoat(s)chosenafteraserioussecurityincidentwilltendtobechosenfromamongthese3groups:thosewhohadnothingtodowiththeincident,thosewholackedtheauthorityandresourcestopreventit,andthosewhosewarningsaboutthepossibilityofthisorrelatedincidentswentunheeded.APriest,aMinister,andaRabbiMaxim:Peoplelackingimagination,skepticism,andasenseofhumorshouldnotworkinthesecurityfield.ThinkingOutsidetheBunMaxim:Anysecuritymanagerwhocannotthinkofanewplacetohavelunchoverseesapoorsecurityprogram.AbsenceofEvidenceAsEvidenceofAbsenceMaxim:Thefactthatanygivenunimaginativebureaucratorsecuritymanagercannotimmediatelyenvisionaviableattackscenariowillbetakenasproofthattherearenovulnerabilities.That’sNotMyDepartmentMaxim:Anyemployeewho’sjobprimarilyentailscheckingonsecuritycompliancewillhavenointerestin(orunderstandingof)security,willnotpermitittointerferewithhis/herjob,andwilllookatyoulikeyouarecrazyifyouraiseanyactualsecurityconcerns.DeerintheHeadlights(I’mWithStupid)Maxim:Anysufficientlyadvancedcowardice,fear,arrogance,denial,ignorance,laziness,orbureaucraticintransigenceisindistinguishablefromstupidity.


38

CowboyMaxim:Youcanleadajackasstosecurity,butyoucan'tmakehimthink.AwarenessTraining:Mostsecurityawarenesstrainingturnsemployeesagainstsecurityand/orhypocriticallyrepresentstheorganizationashavingagoodsecurityculturewhenitdoesnot.SeeI(JustWorkHere)Maxim1:(YoursecurityawarenessorCItrainingnotwithstanding)anygivenCounter-Intelligence(CI)Officerdoesn’twanttohearaboutyourCIconcerns,andwilldonothingaboutthemiftheyareforceduponhim/her.SeeI(JustWorkHere)Maxim2:AnybureaucratsufficientlyhighupintheSecurityorCounter-IntelligenceDepartmentdoesn’tgetCounterIntelligence(CI).Mr.SpockMaxim:Theeffectivenessofasecuritydevice,system,orprogramisinverselyproportionaltohowangryorupsetpeoplegetabouttheideathattheremightbevulnerabilities.DoubleEdgeSwordMaxim:Withinafewmonthsofitsavailability,newtechnologyhelpsthebadguysatleastasmuchasithelpsthegoodguys.MissionCreepMaxim:Anygivendevice,system,orprogramthatisdesignedforinventorywillveryquicklycometobeviewed—quiteincorrectly—asasecuritydevice,system,orprogram.Comment:Thisisasurerecipeforlousysecurity.ExamplesincludeRFIDs,GPS,andmanyso-callednuclearMaterialControlandAccountability(MC&A)programs.We’llWorryAboutitLaterMaxim:Effectivesecurityisdifficultenoughwhenyoudesignitinfromfirstprinciples.Italmostneverworkstoretrofititin,ortoslapsecurityonatthelastminute,especiallyontoinventorytechnology.SomebodyMust’veThoughtItThroughMaxim:Themoreimportantthesecurityapplication,thelesscarefulandcriticalthoughtandresearchhasgoneintoit.Comment:Research-basedpracticeisrareinimportantsecurityapplications.Forexample,whilethesecurityofcandyandsodavendingmachineshasbeencarefullyanalyzedandresearched,thesecurityofnuclearmaterialshasnot.Perhapsthisisbecausewhenwehaveaveryimportantsecurityapplication,committees,bureaucrats,powergrabbers,businessmanagers,andlinear/plodding/unimaginativethinkerstakeover.That’sEntertainmentMaxim:CeremonialSecurity(a.k.a.“SecurityTheater”)willusuallybeconfusedwithRealSecurity;evenwhenitisnot,itwillbefavoredoverRealSecurity.Comment:Thus,afterSeptember11,airportscreenersconfiscatedpassengers’fingernailclippers,apparentlyunderthetheorythatahijackermightthreatenthepilotwithabadmanicure.Atthesametime,therewasnosignificantscreeningofthecargoandluggageloadedontopassengerairplanes.


39

AssSetsMaxim:Mostsecurityprogramsfocusonprotectingthewrongassets.Comment:Oftenthefocusisexcessivelyonphysicalassets,notmoreimportantassetssuchaspeople,intellectualproperty,tradesecrets,goodwill,anorganization’sreputation,customerandvendorprivacy,etc.VulnerabilitiesTrumpThreatsMaxim:Ifyouknowthevulnerabilities(weaknesses),you’vegotashotatunderstandingthethreats(theprobabilitythattheweaknesseswillbeexploited,how,andbywhom).Plusyoumightevenbeokifyougetthethreatswrong(whichyouprobablywill).Butifyoufocusonlyonthethreats,you’relikelytobeintrouble.Comment:It’shardtopredictthethreatsaccurately,butthreats(realorimagined)aregreatforscaringanorganizationintoaction.It’snotsohardtofindthevulnerabilitiesifyoureallywantto,butitisusuallydifficulttogetanybodytodoanythingaboutthem.VulnerabilitiesaretheThreatMaxim:Security(andemergencyresponse)typicallyfailsnotbecausethethreatsweremisunderstood,butbecausethevulnerabilitieswerenotrecognizedand/ornotmitigated.PinkTeamingMaxim:Mostso-called“vulnerabilityassessments”areactuallythreatassessments,“redteaming”,orsomeotherexercise(likeauditing,designbasisthreat,orperformance/reliabilitytesting)notwelldesignedtouncoverawiderangeofsecurityvulnerabilities.Comment:Thisismuchmorethecaseinphysicalsecuritythanincybersecurity.Originally,“redteaming”meantdoingavulnerabilityassessment,butitrecentyears,ithascometomeanaone-off,oftenrigged“test”ofsecuritywhichmayhavesomevalue,butisnotthesamethingasacomprehensivevulnerabilityassessmentlookingatawiderangeofvulnerabilities.RiskyBusinessMaxim:ManyoftheactivitiesinvolvedindevelopingorevaluatingsecuritymeasureswillonlyhaveapartialorsuperficialconnectiontotrueRiskManagement.MermaidMaxim:Themostcommonexcusefornotfixingsecurityvulnerabilitiesisthebeliefthattheysimplycan'texist.Comment:Often,theevidenceofferedthatnosecurityvulnerabilitiesexististhatthesecuritymanagerwhoexpressesthisviewcan’tpersonallyimaginehowtodefeatthesecurity.OnionMaxim:Thesecondmostcommonexcusefornotfixingsecurityvulnerabilitiesisthat"wehavemanylayersofsecurity",i.e.,werelyon"SecurityinDepth".Comment:SecurityinDepthhasitsuses,butitshouldnotbethekneejerkresponsetodifficultsecuritychallenges,noranexcusetostopthinkingandimprovingsecurity,asitoftenis.HopelessMaxim:Thethirdmostcommonexcusefornotfixingsecurityvulnerabilitiesisthat"allsecuritydevices,systems,andprogramscanbedefeated".Comment:ThismaximistypicallyexpressedbythesamepersonwhoinitiallyinvokedtheMermaidMaxim,whenhe/sheisforcedtoacknowledgethatthevulnerabilitiesactuallyexistbecausethey’vebeendemonstratedinhis/herface.Acommonvariantofthehopelessmaximis“sure,wecould


40

implementthatinexpensivecountermeasuresothattheaveragepersononthestreetcouldn’tdefeatoursecuritywithabobbypin,butthenthebadguyswouldjustcomeupwithanother,moresophisticatedattack”.TakesOnetoKnowOneMaxim:Thefourthmostcommonexcusefornotfixingsecurityvulnerabilitiesisthat"ouradversariesaretoostupidand/orunresourcefultofigurethatout."Comment:Neverunderestimateyouradversaries,ortheextenttowhichpeoplewillgotodefeatsecurity.Depth,WhatDepth?Maxim:Foranygivensecurityprogram,theamountofcritical,skeptical,creative,andintelligentthinkingthathasbeenundertakenisinverselyproportionaltohowstronglythestrategyof"SecurityinDepth"(layeredsecurity)isembraced.WaylayeredSecurityMaxim:Layeredsecuritywillfailstupidly.Comment:See,forexample,the82-yearoldnunpenetratingtheY-12nuclearfacility,ortheWhiteHousefencejumper.Redundancy/OrthogonalityMaxim:Whendifferentsecuritymeasuresarethoughtofasredundantor“backups”,theytypicallyarenot.Comment:Redundancyisoftenmistakenlyassumedbecausethedisparatefunctionsofthetwosecuritymeasuresaren’tcarefullythoughtthrough.Tabor’sMaxim#1(NarcissismMaxim):Securityisanillusionaryidealcreatedbypeoplewhohaveanovervaluedsenseoftheirownselfworth.Comment:FromDerekTabor.Thismaximiscynicalevenbyourdepressingstandards—thoughthatdoesn’tmakeitwrong.Tabor’sMaxim#2(CostMaxim):Securityispracticallyachievedbymakingthecostofobtainingordamaginganassethigherthanthevalueoftheassetitself.Comment:FromDerekTabor.Notethat“cost”isn’tnecessarilymeasuredintermsofdollars.Buffett’sMaxim:Youshouldonlyusesecurityhardware,software,andstrategiesyouunderstand.Comment:ThisisanalogoustoWarrenBuffett’sadviceonhowtoinvest,butitappliesequallywelltosecurity.Whileit’slittlemorethancommonsense,thisadviceisroutinelyignoredbysecuritymanagers.JustWalkItOffMaxim:Mostorganizationswillbecomesofocusedonprevention(whichisverydifficultatbest),thattheyfailtoadequatelyplanformitigatingattacks,andforrecoveringwhenattacksoccur.ThursdayMaxim:Organizationsandsecuritymanagerswilltendtoautomaticallyinvokeirrationalorfancifulreasonsforclaimingthattheyareimmunetoanypostulatedordemonstratedattack.Comment:SonamedbecauseiftheattackorvulnerabilitywasdemonstratedonaTuesday,itwon’tbeviewedasapplicableonThursday.OurfavoriteexampleofthismaximiswhenwemadeavideoshowinghowtouseGPSspoofingtohijackatruckthatusesGPStracking.Inthatvideo,theGPSantennawasshownattachedtothe


41

sideofthetrucksothatitcouldbeeasilyseenonthevideo.Afterviewingthevideo,onesecuritymanagersaiditwasallveryinteresting,butnotrelevantfortheiroperationsbecausetheirtruckshadtheantennaontheroof.Galileo’sMaxim:Themoreimportanttheassetsbeingguarded,orthemorevulnerablethesecurityprogram,thelesswillingitssecuritymanagerswillbetohearaboutvulnerabilities.Comment:Thenameofthismaximcomesfromthe1633InquisitionwhereChurchofficialsrefusedtolookintoGalileo’stelescopeoutoffearofwhattheymightsee.Michener’sMaxim:Weareneverpreparedforwhatweexpect.Comment:FromaquotebyauthorJamesMichener(1907-1997).Asanexample,considerHurricaneKatrina.BlackOpsMaxim:IffacilitysecurityistheresponsibilityoftheOperationsDepartment,thensecuritywillbegivenaboutasmuchimportanceandcarefulanalysisassnowremovalortakingoutthetrash.Accountability1Maxim:Organizationsthattalkalotaboutholdingpeopleaccountableforsecurityaretalkingaboutmindlessretaliation,notasophisticatedapproachtomotivatinggoodsecuritypracticesbytryingtounderstandhumanandorganizationalpsychology,andtherealitiesoftheworkplace.Accountability2Maxim:Organizationsthattalkalotaboutholdingpeopleaccountableforsecuritywillneverhavegoodsecurity.Comment:Becauseifallyoucandoisthreatenpeople,ratherthandevelopingandmotivatinggoodsecuritypractices,youwillnotgetgoodresultsinthelongterm.Blind-SidedMaxim:Organizationswillusuallybetotallyunpreparedforthesecurityimplicationsofnewtechnology,andthefirstimpulsewillbetotrytomindlesslybanit.Comment:Thusincreasingthecynicismregular(non-security)employeeshavetowardssecurity.BettertobeLuckythanGoodMaxim:Mostofthetimewhensecurityappearstobeworking,it’sbecausenoadversaryiscurrentlypreparedtoattack.SuccessMaxim:Mostsecurityprograms“succeed”(inthesenseoftheirbeingnoapparentmajorsecurityincidents)notontheirmeritsbutforoneofthesereasons:(1)theattackwassurreptitiousandhasnotyetbeendetected,(2)theattackwascoveredupbyinsidersafraidofretaliationandisnotyetwidelyknown,(3)thebadguysarecurrentlyineptbutthatwillchange,or(4)therearecurrentlynobadguysinterestedinexploitingthevulnerabilities,eitherbecauseothertargetsaremoretemptingorbecausebadguysareactuallyfairlyrare.RigormortisMaxim:Thegreatertheamountofrigorclaimedorimpliedforagivensecurityanalysis,vulnerabilityassessment,riskmanagementexercise,orsecuritydesign,thelesscareful,clever,critical,imaginative,andrealisticthoughthasgoneintoit.


42

CatastrophicMaxim:Mostorganizationsmistakenlythinkaboutandprepareforrare,catastrophicattacks(iftheydosoatall)inthesamewayasforminorsecurityincidents.IamSpartacusMaxim:Mostvulnerabilityorriskassessmentswillletthegoodguys(andtheexistingsecurityinfrastructure,hardware,andstrategies)definetheproblem,incontrasttoreal-worldsecurityapplicationswherethebadguysgetto.Comment:Namedforthecatch-phrasefromthe1960StanleyKubrickfilmSpartacus.WhentheRomanscapturedSpartacus’army,theydemandedheidentifyhimself,butallhissoldiersclaimedtobeSpartacus.Nothistoricallyaccurate,butveryHollywood!Band-AidMaxim:Effectivesecurityisdifficultenoughwhendesignedinfromscratch.Itcanrarelybeaddedonattheend,orasanafterthought.Comment:Soplansecurityattheearliestdesignstagesofasecuritydevice,system,orprogram.MethodistMaxim:Whilevulnerabilitiesdeterminethemethodsofattack,mostvulnerabilityorriskassessmentswillactasifthereverseweretrue.RigtheRigMaxim:Anysupposedly“realistic”testofsecurityisrigged.Tucker'sMaxim#1(EarlyBird&WormMaxim):Anadversaryismostvulnerabletodetectionanddisruptionjustpriortoanattack.Comment:Soseizetheinitiativeintheadversary'splanningstages.FromCraigTucker.Tucker'sMaxim#2(TosstheDiceMaxim):Whenthebulletsstartflying,it'sacrapshootandnobodycanbesurehowit'llturnout.Comment:Sodon'tletitgettothatpoint.FromCraigTucker.Tucker'sMaxim#3(Failure=SuccessMaxim):Ifyou'renotfailingwhenyou'retrainingortestingyoursecurity,you'renotlearninganything.Comment:FromCraigTucker.Gunslingers’Maxim:Anygovernmentsecurityprogramwillmistakenlyfocusmoreondealingwithforce-on-forceattacksandbruteforcemethodsthanonmorelikelyattacksinvolvinginsiderthreatsandsubtle,surreptitiousapproaches.Fool-On-FoolMaxim:Theincompetenceofanysecurityprogramisproportionaltothedegreeofobsessionwithideathatthemajorthreatisasmallbandofstupid,unpreparedadversarieswhomindlesslyattackstraighton,usingforceandzeroinsiders.Comment:Somehow,thenumberofenvisionedattackersisalwayslessthanthenumberthesecurityprogramcanpurportedlyneutralize.3DMaxim:Theincompetenceofanysecurityprogramisproportionaltohowstronglythemantraof“Deter,Detect,Delay”isembraced.Comment:Thisphilosophy,whiletheoreticallyhavingsomemerit,is(asapracticalmatter)stronglycorrelatedwithunimaginative,non-proactivesecurity.


43

D(OU)BTMaxim:IfyouthinkDesignBasisThreat(DBT)issomethingtotestyoursecurityagainst,thenyoudon’tunderstandDBTandyoudon’tunderstandyoursecurityapplication.Comment:Ifdoneproperly—whichitoftenisnot—DBTisforpurposesofallocatingsecurityresourcesbasedonprobabilisticanalyses,notjudgingsecurityeffectiveness.Moreover,ifthethreatprobabilitiesintheDBTanalysisareallessentially1,theanalysisisdeeplyflawed.It’sTooQuietMaxim:“Badguysattack,andgoodguysreact”isnotaviablesecuritystrategy.Comment:Itisnecessarytobebothproactiveindefense,andtopreemptivelyunderminethebadguysinoffense.Nietzsche’sMaxim:It’snotwinningifthegoodguyshavetoadopttheunenlightened,illegal,ormorallyreprehensibletacticsofthebadguys.Comment:"Whoeverfightsmonstersshouldseetoitthatintheprocesshedoesnotbecomeamonster.”FriedrichNietzsche(1844-1900),BeyondGoodandEvil.Patton’sMaxim:Wheneverybodyisthinkingalikeaboutsecurity,thennobodyisthinking.Comment:AdaptedfromabroadermaximbyGeneralGeorgeS.Patton(1885-1945).Kafka’sMaxim:Thepeoplewhowritesecurityrulesandregulationsdon’tunderstand(1)whattheyaredoing,or(2)howtheirpoliciesdriveactualsecuritybehaviorsandmisbehaviors.30%Maxim:Inanylargeorganization,atleast30%ofthesecurityrules,policies,andproceduresarepointless,absurd,ineffective,naïve,outofdate,wasteful,distracting,orone-size-fits-allnonsense,ortheymayevenactivelyunderminesecurity(bycreatingcynicismaboutsecurity,orbydrivingbadbehaviorsthatwerenotanticipated).BytheBookMaxim:Fullcompliancewithsecurityrulesandregulationsisnotcompatiblewithoptimalsecurity.Comment:Becausesecurityrulesandregulationsaretypicallydumbandunrealistic(atleastpartially).Moreover,theyoftenleadtoover-confidence,wastetimeandresources,createunhelpfuldistractions,engendercynicismaboutsecurity,andencourageemployeestofindworkaroundstogettheirjobdone—thusmakingsecurityan“usvs.them”game.AwDitzMaxim:Mindlesslyauditingifbureaucraticsecurityrulesarebeingfollowedwillusuallygetconfusedwithameaningfulsecurityreview,oravulnerabilityassessment.CyborgMaxim:Organizationsandmanagerswhoautomaticallythink“cyber”or“computer”whensomebodysays“security”,don’thavegoodsecurity(includinggoodcyberorcomputersecurity).CaffeineMaxim:Onaday-to-daybasis,securityismostlyaboutpayingattention.AnyDonutsLeft?Maxim:Butpayingattentionisverydifficult.


44

Wolfe’sMaxim:Ifyoudon’tfinditoften,youoftendon’tfindit.Comment:Perceptualblindnessisahugeproblemforsecurityofficers.HeWho’sNameMustNeverBeSpokenMaxim:Securityprogramsandprofessionalswhodon’ttalkalotabout“theadversary”orthe“badguys”aren’tpreparedforthemanddon’thavegoodsecurity.Comment:FromHarryPotter.Mahbubani’sMaxim:Organizationsandsecuritymanagerswhocannotenvisionsecurityfailures,willnotbeabletoavoidthem.Comment:NamedforscholaranddiplomatKishoreMahbubani.Hemeanttoapplythisgeneralprincipletopolitics,diplomacy,andpublicpolicy,butitisalsoapplicabletosecurity.Hats&SunglassesOffintheBankMaxim:SecurityrulesthatonlythegoodguysfollowareprobablySecurityTheater.Merton’sMaxim:Thebadguysdon’tobeyoursecuritypolicies.Comment:ThismaximiscourtesyofKevinSweere.ItisnamedafterThomasMerton(1915-1968),atheologicalwriterandphilosopher.Sweere’sMaxim(Merton’sCorollary):It’sworsethanthat.Thebadguyswillanalyzeoursecuritypoliciesandregulationstofindexploitablevulnerabilities,includingthosenotenvisionedbythegoodguys.WallStreetMaxim:Everygoodideaiseventuallyabadidea.DumbesticSafeguardsMaxim:DomesticNuclearSafeguardswillinevitablygetconfusedwithInternationalNuclearSafeguards(treatymonitoring),includingbypeopleandorganizationsclaimingtofullyappreciatethatthetwoapplicationsareverydifferent.Comment:DomesticNuclearSafeguardsisatypicalsecurityapplication,justforveryimportantassets.WithInternationalNuclearSafeguards,incontrast,thebadguysowntheassetsandfacilitiesofinterest,andtheyfullyunderstandthesurveillance,monitoring,andsafeguardsequipmentbeingused(andmayevenbuild,control,and/orinstallit).ItisespeciallycommontooverlookorignorethefactthattheadversaryinInternationalNuclearSafeguardsisacountry,withnational-toworld-classresourcesavailabletodefeatthesafeguards.[Note:It’ssometimesmisleadingcalled“InternationalNuclearSafeguards”whenonecountryororganization,orgroupofcountriestrytohelpanationimproveitsowndomesticnuclearsafeguards,butthisisstilljustDomesticNuclearSafeguardsforthecountryofinterest.]Werther’sMaxim:Thesecurityofencrypted(ordigitallyauthenticated)informationhaslesstodowiththesophisticationofthecipherthanwiththecompetence,intelligence,diligence,andloyaltyofthepeoplewhohandleit.Comment:FromaquotebyWaldemarWertherthat“Thesecurityofacipherlieslesswiththeclevernessoftheinventorthanwiththestupidityofthemenwhoareusingit.”


45

Tobias’sMaxim#5:Encryptionislargelyirrelevant.Comment:FromMarcWeberTobias.RedHerringMaxim:Atsomepointinanychallengingsecurityapplication,somebody(ornearlyeverybody)willproposeordeploymoreorlesspointlessencryption,hashes,ordataauthenticationalongwiththeoftenincorrectandlargelyirrelevantstatementthat“thecipher[orhashorauthenticationalgorithm]cannotbebroken”.Comment:Formanysecurityapplications,peopleforgetthat“it’snomoredifficulttocopyencrypteddatathanitistocopyunencrypteddata.”Productanti-counterfeitingtagsandInternationalNuclearSafeguardsaretwosecurityapplicationshighlysusceptibletofuzzythinkingaboutencryptionanddataauthentication.Withanti-counterfeitingtags,itisnoharderfortheproductcounterfeiterstomakecopiesofencrypteddatathanitistomakecopiesofunencrypteddata.Theydon’thavetounderstandtheencryptionschemeortheencrypteddatatocopyit,sothatthedegreeofdifficultyinbreakingtheencryption(usuallyoverstated)isirrelevant.Indeed,iftherewasatechnologythatcouldpreventingcloningofencrypteddata(orhashesordigitalauthentication),thenthatsametechnologycouldbeusedtopreventcloningoftheunencryptedoriginaldata,inwhichcasetheencryptionhasnosignificantroletoplay.(Sometimesonemightwishtosendsecureinformationtocounterfeithuntersinthefield,butthesecurityfeaturesandencryptiontypicallyemployedoncellphonesorcomputersisgoodenough.)Whatmakesnosenseisputtingencrypteddataonaproduct,withorwithoutitincludingencrypteddataaboutanattachedanti-counterfeitingtag;thebadguyscaneasilyclonetheencrypteddatawithouthavingtounderstandit.Whenthereisananti-counterfeitingtagonaproduct,onlythedegreeofdifficultyofcloningitisrelevant,nottheencryptionscheme.Theuseofunique,one-of-a-kindtags(i.e.,complexitytags)doesnotaltertherelativeunimportanceoftheencryptionasananti-counterfeitingmeasure.Sometimespeoplepromotingencryptionforproductanti-counterfeitingvaguelyhaveinmindanoverlycomplicated(andusuallyincomplete/flawed)formofavirtualnumerictoken(“call-backstrategy”).([SeeRGJohnston,“AnAnti-CounterfeitingStrategyUsingNumericTokens”,InternationalJournalofPharmaceuticalMedicine19,163-171(2005).]EncryptionisalsooftenthoughtofasasilverbulletforInternationalNuclearSafeguards,partiallyforreasonsgivenintheDumbesticSafeguardsMaxim.Thefactisthatencryptionordataauthenticationisoflittlesecurityvalueiftheadversarycaneasilybreakintotheequipmentholdingthesecretkeywithoutdetection(asisusuallythecase),ifthereisaseriousinsiderthreatthatputsthesecretencryptionkeyatrisk(whichisprettymuchalwaysthecase),and/orifthesurveillanceormonitoringequipmentcontainingthesecretkeyisdesigned,controlled,inspected,maintained,stored,observed,oroperatedbytheadversary(asistypicallythecaseinInternationalNuclearSafeguards).Anti-SilverBulletMaxim:Ifyouhavepoorsecuritybeforeyoudeployencryptionordataauthentication,youwillhavepoorsecurityafter.Comment:Sometimes,you’llhaveworsesecuritybecausetheencryption/authenticationprovidesafalsesenseofsecurity,orcausesdistractions.


46

It’sStandardMaxim:Asageneralruleofthumb,abouttwo-thirdsofsecurity“standards”or“certifications”(thoughnot“guidelines”)makesecurityworse.AliceSpringsMaxim:Organizationswillbeloathetofactorinlocal,on-the-grounddetailsindecidingwhatsecurityresourcestoassigntoagivenlocationorasset.One-size-fits-allwillbegreatlypreferredbecauseitrequireslessthinking.Comment:ThismaximisnamedafterthestandardreassurancegiventoworriedtouristsinAustraliathat“therearen’talotofsharkattacksinAliceSprings”.FollowtheMoneyMaxim:Securityattentionandresourceswillusuallybedoledoutinproportiontotheabsolutedollarvalueoftheassetsbeingprotected,not(asitshouldbe)inproportiontotherisk.Oh,theLovelyColors!Maxim:High-levelcorporateexecutiveswillbeconvincedtheorganizationhasgoodsecurityiftheyareshownlotsofdetailed,colorfulgraphs,spreadsheets,andcalendarsconcerningsecuritypolicies,planning,documentation,andtraining.TheMBAMaxim:Athighlevelsinanorganization,lotsofdetailedworkonsecuritypolicies,planning,documentation,scheduling,andcharts/graphs/spreadsheetswillbepreferredoveractuallythinkingcarefullyandcriticallyaboutsecurity,oraskingcriticalquestions.FallacyofPrecisionMaxim1:Ifsecuritymanagersorbureaucratsassignanumberorarankingtosomeaspectofsecurity(e.g.,probabilityofattack,economicconsequencesofthelossofanasset,etc.)theywillincorrectlythinktheyreallyunderstandthataspectandtherelatedsecurityissues.FallacyofPrecisionMaxim2:Iftherearenbitsintheattributemeasurementofagivenobject,thensecurityenduserscanbeeasily(wrongly)convincedthat2-nis:(1)theprobabilitythatasimilarobjectmatchesthisone,and/or(2)theprobabilitythatsomebodycanfooltheattributereader,includingby"counterfeiting"ormimickingtheobjectsothatithasessentiallythesameattributemeasurement.Comment:Endusersofsecurityproducts(especiallybiometricsortagreaders)willoftenbefooledbythisfallacy.Whyisitafallacy?Amongotherreasons:Becausethebitsarenotuncorrelated,becausetheydon’tallhaverelevancetothesecurityorauthenticityproblem(maybenoneofthemdo!),becausethedegreeofcorrelationbetweensimilarobjectshasnotbeeninputtedintotheproblem,becausethetype1andtype2errorsandtradeoffshaven’tbeencarefullymeasuredoranalyzed,becausetheeaseordifficultyofcounterfeitinginvolvesmanyoutsidefactorsnotincludedhere,andbecausetheeaseordifficultyofotherwisespoofingthereaderhasnotbeenconsidered.ApplesandOrangesMaxim:Anyonetryingtosellyouacounterfeitdetector,willmakeabigshowofhowdifferentobjectshavedifferentsignatures(attributemeasurements),butwillignore,oversimplify,ormisrepresentthefarmoreimportantquestionofhowharditistofoolthereader,includingby"counterfeiting"ormimickingtheobjectsothatithas


47

essentiallythesamesignature.Comment:Manufacturers,vendors,andpromotersofbiometricsproductsandtagreadersareveryfondofdoingthis.ISecondThatMotionMaxim:“SecuritybyCommittee”isanoxymoron.____________________________________________________________________________Thefollowingaregeneral“laws”thatalsoapplytosecurity:Fudd’sLaw:Ifyoupushonsomethinghardenough,itwillfallover.FirstLawofRevision:Informationnecessitatingachangeofdesignwillbeconveyedtothedesignersafter—andonlyafter—theplansarecomplete.Hellrung’sLaw:Ifyouwaitlongenough,itwillgoaway.Grelb’sLaw:Butifitwasbad,itwillcomeback.Brien’sFirstLaw:Atsometimeinthelifecycleofvirtuallyeveryorganization,itsabilitytosucceedinspiteofitselfrunsout.Bucy’sLaw:Nothingiseveraccomplishedbyareasonableperson.Stewart’sLaw:Itiseasiertogetforgivenessthanpermission.Horngren’sLaw:TheRealWorldisaspecialcase.Glazer’sLaw:Ifitsays“onesizefitsall”,thenitdoesn’tfitanybody.Gold’sLaw:Iftheshoefits,it’sugly.Firestone’sLaw:ChickenLittleonlyhastoberightonce.Shaw’sLaw:Buildasystemthatevenafoolcanuse,andonlyafoolwillwanttouseit.Byrne’sLaw:Inanyelectricalcircuit,appliancesandwiringwillburnouttoprotectthefuses.Ginsberg’sLawsfromthebeatpoetAllenGinsberg(1926-1997):TheFirstLawofThermodynamics:"Youcan'twin."TheSecondLawofThermodynamics:"Youcan'tbreakeven."TheThirdLawofThermodynamics:"Youcan'tquit."Putt’sLaw:Technologyisdominatedbytwotypesofpeople:thosewhounderstandwhattheydonotmanage,andthosewhomanagewhattheydonotunderstand.


48

Clarke'sFirstLaw:Whenadistinguishedbutelderlyscientiststatesthatsomethingispossible,heisalmostcertainlyright.Whenhestatesthatsomethingisimpossible,heisprobablywrong.Hawkin’sLaw:Progressdoesnotconsistofreplacingatheorythatiswrongwithonethatisright.Itconsistsofreplacingatheorythatiswrongwithonethatismoresubtlywrong.Schryver’sLaw:Sufficientlyadvancedincompetenceisindistinguishablefrommalice.Kernighan'sLaw:Debuggingistwiceashardaswritingthesoftwareinthefirstplace.Therefore,ifyouwritethesoftwareascleverlyaspossible,youare(bydefinition)notsmartenoughtodebugit.

LifeCycleofaGoodIdeaLaw:Ifyouhaveagoodidea:firsttheyignoreyou,thentheyridiculeyou,thentheyclaimtohavethoughtofitfirst,thenit'sdeclaredtobeobvious.

NotInventedHereLaw:Ifitwasn'tinventedhere,it'sabadidea(unlesswecanstealtheideaandmakeitlooklikewethoughtofitfirst).

GlassHousesLaw:Thepeoplemostobsessedwiththeworkqualityofotherswilltypicallybeamongthemostincompetent,deadwoodscrew-upsinthewholeorganization.

Tacitus’sLaw:Toshowresentmentatareproachistoacknowledgethatonemayhavedeservedit.Comment:FromTacitus(55-117AD).

Sallinger’sLaw:Allmoronshateitwhenyoucallthemamoron.Comment:FromJ.D.Sallinger(1919-2010).

avoiding shock and awe

Engineering