When you fly, you are subjected to a lot of requirements when passing through a security checkpoint. You have to take off your belt and jacket, remove everything from your pockets, you can’t carry in liquids more than 3 ounces and on and on. When someone, many years ago, devised a way to carry a bomb in their shoes, we were all required to take our shoes off when we passed through security. Of course, there are ways around these things by getting a background check and giving up your fingerprints. However, even after doing all that, you still have to pass through metal detectors and you still can’t bring in liquids. Despite all these restrictions, people still manage to get knives, liquids and other supposedly banned items through security.
When I was in college, many years ago, I had a job doing physical security. What I knew then was that being visible, so everyone was aware there was a security presence who would step in if it was necessary, was often adequate to keep incidents from happening. Does either the Transportation Security Administration (TSA) or my own presence completely keep bad things from happening? Of course not. In security circles, what the TSA does is called security theater. It provides the illusion of security. This sounds derogatory and dismissive. The fact of the matter is that just having that presence keeps random people from doing stupid things on a spur of the moment. Will it keep determined people out? No, but that’s not really the point anyway.
While the illusion of security can often have benefits, there are also a lot of downsides. Where it is especially an issue is when it comes to information security. Too many times when I did security consulting, I was asked by clients to provide a security assessment that was primarily focused on making them compliant with some set of requirements, whether for payment card processing, health care or maybe regulations or laws. Often, the most sensitive or vulnerable parts of the organization were out of scope. There is rarely enough time to do a thorough analysis of an entire network. Getting a report indicating that very little was found can provide some executives and other leadership the belief that they can’t be compromised.
This is where the illusion of security is very dangerous. Anytime someone gives you the sense that you are safe from attack or compromise, you are potentially in an even more dangerous situation. If you get a good “health check” from a security assessment or penetration test, take it for what it is — a snapshot with a very limited view.
These tests are not the only place where you can start to get the illusion that you are safe and protected. Vendors often sell elaborate, end-to-end solutions. Without any intention to impugn such vendors, what you are buying into there is the lens of a single company. Everyone has a bias because everyone sees things differently. Getting multiple views into what’s happening in your organization from the standpoint of information security can be very valuable. However, that’s not to say more is necessarily better. More information can be a good way to blind yourself because it takes so much time and effort to sift through all the data you have acquired.
Perhaps even worse than a single vendor, end-to-end solution, though, is having multiple vendors whose products can’t communicate effectively. You may have the latest and greatest in information security technology but if the different pieces can’t play nicely together, you’re in a far worse position because you believe all the components will “do the right thing.” Modern attacks, though, are complex and far-ranging. You need to be able to correlate events across multiple devices to get a broader sense of an attacker’s actions. If you aren’t getting all the details from all the devices, you’re going to miss when the bad guys get in.
This sounds bleak, for sure. It’s complicated. There aren’t perfect answers to these challenges. The important thing is to bring it back to basics — understand what the problems you have are, what resources you want to protect, and what adversaries you are most concerned about. All of this should be done rationally and realistically and not motivated by fear, uncertainty or doubt. It’s better to make decisions from a position of knowledge and awareness.