IT Security: Maxims for the ages

Steve Gibson, in his latest Security Now podcast, mentions one person's quest to enlighten the rest of us about managing security. To me, his words ring true. What do you think?

Roger G. Johnston, Ph.D., leads the Vulnerability Assessment Team (VAT) in the Nuclear Engineering Division at Argonne National Laboratory. The team is tasked with conducting research on physical security devices, systems, and programs:

"The VAT has worked extensively in the areas of product anti-counterfeiting, tamper and intrusion detection, cargo security, nuclear safeguards, and the human factors associated with security using the tools of industrial and organizational psychology."

Problems resurface

Through his tenure at Los Alamos and Argonne, Dr. Johnston has accrued considerable experience finding and resolving security issues. In so doing, he realized something:

"Being a vulnerability assessor for physical security makes one pretty cynical. Or maybe you need to be cynical to see security problems. Or maybe both are true. Anyway, these maxims were developed partially out of frustration at seeing the same kinds of problems over and over again."

Dr. Johnston's quest

So, Dr. Johnston created his list of security maxims. I personally hadn't heard the term "security maxim" before, so I want to make sure we agree on its meaning:

  • Maxim: An expression of a general truth or principle. A principle or rule of conduct.

Dr. Johnston further qualifies the definition by admitting his security maxims are not theorems or the absolute truth:

"Security maxims are, in our experience, essentially valid 80-90 percent of the time in physical security and nuclear safeguards."

Initially, I didn't realize Dr. Johnston's focus was on physical security, simply because his maxims meld so nicely into the world of IT security. That's my opinion at least; let me know whether you agree.

Favorite security maxims

The following are my choices of the many security maxims that Dr. Johnston has accumulated:

  • Infinity Maxim: There are an unlimited number of security vulnerabilities for a given security device, system, or program, most of which will never be discovered (by the good guys or bad guys).

Dr. Johnston comments:

"We think this, because we always find new vulnerabilities when we look at the same security device, system, or program a second or third time, and because we always find vulnerabilities that others miss, and vice versa."

  • Thanks for Nothin' Maxim: A vulnerability assessment that finds no vulnerabilities or only a few is worthless and wrong.
  • Arrogance Maxim: The ease of defeating a security device or system is proportional to how confident/arrogant the designer, manufacturer, or user is about it, and to how often they use words like "impossible" or "tamper-proof".
  • So We're In Agreement Maxim: If you're happy with your security, so are the bad guys.

I am glad to see that Dr. Johnston has a sense of humor.

  • Ignorance is Bliss Maxim: The confidence that people have in security is inversely proportional to how much they know about it.

Dr. Johnston's comment:

"Security looks easy if you've never taken the time to think carefully about it."

  • Weakest-Link Maxim: The efficacy of security is determined more by what is done wrong than by what is done right.

This maxim is true all of the time. Dr. Johnston comments:

"Because the bad guys typically attack deliberately and intelligently, not randomly."

The next few reflect Dr. Johnston's experience with upper management:

  • Father Knows Best Maxim: The amount that (non-security) senior managers in any organization know about security is inversely proportional to (1) how easy they think security is, and (2) how much they will micro-manage security and invent arbitrary rules.
  • Big-Heads Maxim: The farther up the chain of command a (non-security) manager can be found, the more likely he or she thinks that (1) they understand security and (2) security is easy.
  • Huh Maxim: When a (non-security) senior manager, bureaucrat, or government official talks publicly about security, he or she will usually say something stupid, unrealistic, inaccurate, and/or naïve.

My personal favorite:

  • Voltaire's Maxim: The problem with common sense is that it is not all that common.

The following maxims explain why security issues are slow to be resolved:

  • Show-Me Maxim: No serious security vulnerability, including blatantly obvious ones, will be dealt with until there is overwhelming evidence and widespread recognition that adversaries have already catastrophically exploited it. In other words, "significant psychological (or literal) damage is required before any significant security changes will be made".
  • Irresponsibility Maxim: It'll often be considered "irresponsible" to point out security vulnerabilities (including the theoretical possibility that they might exist), but you'll rarely be called irresponsible for ignoring or covering them up.
  • Backwards Maxim: Most people will assume everything is secure until provided strong evidence to the contrary, exactly backwards from a reasonable approach.

Final thoughts

Dr. Johnston has plenty more security maxims. If you find one that I should have mentioned, please point it out.

36 comments
Ocie3

reflect one of the fundamental rules that are taught in all schools of business: "If it ain't broke, don't fix it." A fundamental fact is that "anything which increases cost directly decreases profit". In the same vein, one of the principles of finance is "A dollar today is better than a dollar tomorrow." In my observation and experience, all three of these are in practice often contrary to creating and implementing effective security measures, even when the cost/benefit ratio is favorable. No manager wants to spend money unless they must, because evaluations of their competence -- and their compensation as managers -- depend upon whether the enterprise produces as much profit as possible, as quickly as possible. The Irresponsibility Maxim is right on the mark, as is the Scapegoat Maxim: "The main purpose of an official inquiry after a serious security incident is to find somebody to blame, not to fix the problems." That said, I am not confident that the following maxim is substantially true: "Yippee Maxim: There are effective, simple, & low-cost counter-measures (at least partial countermeasures) to most vulnerabilities." What we really need are measures to detect whether our security measures are, in fact, effective. Whether our security measures are sufficient, probably only experience will reveal.

cbader

...could be applied to current work environment and to my superiors.

johnfranks999

I like David Scott's maxims too (author of "I.T. WARS: Managing the Business-Technology Weave in the New Millennium"). Such as, "In the realm of risk, unmanaged possibilities become probabilities." And, "Capturing technology's best fit and use is too often like making a jigsaw puzzle - except several people have their hands on the pieces, and the pieces change size and color as you go along." (Google "IT WARS").

Michael Kassner

If you enjoyed Dr. Johnston's security maxims, you may also like his book: "Security Sound Bites: Important Ideas About Security from Smart-Ass, Dumb-Ass, and Kick-Ass Quotations" http://www.amzn.com/1448643740

santeewelding

Has, for sure, stepped back from it all and given us the benefit of his experience and his ruminations. In passive voice.

Michael Jay

Fudd's Law: If you push on something hard enough, it will fall over.

Michael Kassner

An experienced Ph.D. at Argonne National Laboratory has some good advice about managing security.

Michael Kassner

I enjoyed reading the maxims and could associate with most of them.

Michael Kassner

It seems that the professor has significant real-life experience and is gifted in being able to put it to words.

Michael Kassner

Does seem to have a handle on the current work environment. I would love to find out if working for the government makes a difference.

Michael Kassner

Those are good truisms. I certainly will check out Mr. Scott's work.

JCitizen

Sounds like 75% of the people I see on ZDNet discussions. The third one is what I would do to them if they worked for me, which probably wouldn't be for long. Having once been in the nuclear artillery, I can see much about the way it really was in his wisdom!

Michael Kassner

For some of us old farts, it doesn't take much pushing.

boxfiddler

Anything that can go wrong, will go wrong.

seanferd

Billions for defense, but not one cent for defense, if it doesn't involve blowing $#!+ up. A very excellent find indeed, Michael.

pgit

My wife and I just went through these, she applying them to her 'reality' and me of course to IT. Another great find, it's a pleasure pondering your posts. (not to mention informative, instructive, productive...)

Michael Jay

has noticed that Sidney Fudd is actually a fictional character. He came up with this law when he accidentally pushed his wife down the kitchen stairs.

Ocie3

the original version that became known among engineers as Murphy's Law was the conclusion of an accident investigation that was conducted by US Army Air Corps Colonel Aloysius J. Murphy: "If it is possible for someone to do a job wrong, then someone will do it that way." This became the inspiration for designing a process or a piece of equipment to be "foolproof" or "idiot-proof". For example, it might be possible to insert a bolt or pin into or through a hole or slot in only one direction. It won't go in, or fit, if it is inserted any other way. Another example is batteries which have a "snap" component on one end. You can't put them in backward, because they won't fit, so the positive pole of the battery will always be correctly snapped to the positive wire in the circuit, and the negative end of the battery will be correctly touching the plate that is connected to the negative wire of the circuit. Any fool can install the batteries correctly. No idiot can do it wrong. This perspective is often applied in the context of designing safe equipment and processes, but it is unclear whether and how it can be applied to security per se.

Michael Kassner

I almost think that most of Dr. Johnston's maxims have a bit of Murphy's Law in them.

Michael Kassner

From an intelligent person that works for the government.

Michael Kassner

I got his book and am looking forward to reading more of the same.

ericcase

Just like "I do not have to outrun the bear, I just have to outrun the next guy"; security countermeasures do not have to be perfect or infinite, they just have to be better than the next guy's.

Michael Kassner

That is why security will always be a catch-up game.

Ocie3

and you are right. But how can you ever really know whether any security measures are sufficient and effective? You might not know when one has failed. According to Dr. Johnston's Infinity Maxim, security measures cannot be perfect, but I respectfully submit that they can be enough. No one has unlimited resources and/or an unlimited span of time in which to accomplish a goal(s). You have to do your best with what you have, and/or with what you can get, while there is an opportunity to do it. Both the bad guys and the good guys are faced with this set of constraints. So we can only do what is feasible, a subset of what is or may be possible.

Michael Kassner

Working for two highly sensitive labs that have had security issues over the past few years cannot help his morale.

JCitizen

Anyway, I always thought it went exceedingly well with sushi. :p

pgit

Is that anything like how the original drummer for Spinal Tap died?

Michael Kassner

Did you go to that favorite place of yours? Hope you will be OK in the AM.

Michael Kassner

For people like that. I have been known to do some really dumb things.

Murfski-19971052791951115876031193613182

The story about Col (or Cpt, or Lt) Murphy is apocryphal. The only thing we know for sure about Murphy's Law is that it was not propounded by Murphy, but by another man with the same name.

Neon Samurai

Bah... I've seen more than one battery with the spring pressing on the wrong end of the cylinder. It doesn't take away from your comment; it was just the thing that came to my sake-fueled evening.