Wednesday, 29 August 2012

Security and the common man

A friend of mine posted a link to this article today: The Importance of Security Engineering. It's an interesting appeal for the creation of a more formal approach to security, even the creation of a proper security profession, although the author isn't quite clear about the right way to achieve that. His point wasn't really that - it's just that most people don't understand security - probably security of anything, but especially information systems. We know this to be true since most people don't understand the basic elements of the systems, let alone the security aspects.

Security is generally about complexity and constraints, being represented as encryption and policies in IT. Unfortunately people don't like either of these things and therefore try to do without them for as long as possible: let's face it, security is a hassle. But not having any will be even worse as it will end in disaster, either falling foul of some exploit or, possibly worse, the law. Increasingly, credit card issuers are doing their best to push responsibility back on users, and governments are regulating access and management of user data. Protection is needed both as an individual and as a corporation.

Complexity has been at the root of locks since they were first invented, trying to keep one step ahead of the pickers. However locks have a second, almost magical effect: they imply security without necessarily actually offering it. A massive lock on the back of a castle door didn't just make it more difficult to open, it made the owner feel better protected and probably put off the softer marauders. A modern-day example of this is the pathetic little things that luggage manufacturers insist on providing with their products. One slight tug and they break, but they provide a degree of comfort to the owner. A lock symbol provides a sense of comfort to users, but sadly nothing to deter attackers who are likely to be a long way away.

Policies are all about doing things properly and protecting sensitive assets, the electronic equivalent of not leaving your wallet on a café table or making sure that documents are safely locked up. The mathematical complexity of encryption has nothing on the nefarious complexity of assessing potential exploits and both are definitely in the realm of specialists. Most policies are like airport security theatre and only protect against threats that have already been tried. Serious protection comes from thinking like a black hat and exploring each and every avenue from which your systems could be attacked.

There are specialists who will do this for you, but even they haven't always thought through all the myriad ways that mobiles can be added to the mix. Nobody has. So we have to attempt to instill in users a sense of precaution, even an element of fear, to ensure that mobile end points are at least handled properly. We're just at the beginning of this process and there's a lot of FUD, especially from vendors with weak solutions to nebulous problems. You should be assessing how you are protected, whether a consumer or an enterprise mobility manager; a little investment will give a big return.
