Adam Caudill

Security Leader, Researcher, Developer, Writer, & Photographer

Jumping through hoops…

There are two ways to implement security:

  • Real security, based on empirical evidence and analysis.
  • Checklist security, based on the latest checklist somebody says is important.

When security is based on real evidence and analysis, policies are enacted based on real gain and measured against the business impact. Risks are considered, and the costs versus benefits are well understood so that policy choices are based on real, useful information.

On the other hand there’s security by checklist. Costs aren’t calculated, risks aren’t understood, business impacts are ignored. All that matters is that somebody gets to check a box on a form; there’s no understanding, no logic, and likely no real benefits involved.

The point of security policies isn’t to show off how many hoops you’ve built that people have to jump through when doing their jobs. Yet, when a company accepts a security by checklist mentality, this is exactly what they are doing. They spend their time building hoops that they can show off later while ignoring the threats they are supposed to be addressing.

Recently, my laptop died, the new laptop was setup with DLP, or digital loss prevention software. The main purpose of the software is to prevent me and anyone in my group from being able to use removable drives – so that we can’t load them up with private information of course.

This was done to check a box on a form, at no point did anyone actually think about the bigger picture, what the threat was, and how it should be addressed:

  • I have a laptop and work remotely.
  • When I disconnect from the VPN, I have unrestricted access to the internet.
  • I routinely work with sensitive data, so it’s not uncommon for it to be on my computer.
  • I could easily encrypt a file full of private data, and upload it to the cloud after disconnecting from the VPN, and nobody would know.

So, by blocking the use of removable drives, they made it much harder for me to recover from a failing laptop, and added nothing to security. Blocking thumb drives won’t stop a person from stealing data when they have other ways they could do the same thing. All it did was waste time and the company’s money.

They built a new hoop to show off, nothing more.

Such policies don’t help anyone – they don’t improve security, they certainly don’t prevent theft of data, and at the same time, they do have a negative business impact. Lost productivity, increased frustration, and in the end higher turn-over from employees that are fed up from the meaningless work. There’s no winner here – except the person that wants to show off all of the hoops they have.

Security based on anything other than empirical evidence and legitimate analysis is just theater and nothing more.

Adam Caudill

Related Posts

  • On The Ethics of BadUSB

    Last Friday, Brandon Wilson and I gave a talk on BadUSB at DerbyCon – I wrote some about it yesterday. Yesterday, Wired published an article on the talk, kicking off several others – only the authors of the Wired and Threatpost articles contacted us for input. There has been some questions raised as to the responsibility of releasing the code – so I want to take a few minutes to talk about what we released, why, and what the risks actually are.

  • phpMyID: Fixing Abandoned OSS Software

    phpMyID is a simple solution for those that want to run their own OpenID endpoint – the problem is that its author stopped maintaining the project in 2008. Despite this, there’s still quite a few people that use it, because it’s the easiest single-user OpenID option available. Unfortunately, the author didn’t follow best practices when building the software, and as a result multiple security flaws were introduced. In 2008, a XSS was identified and never fixed (CVE-2008-4730), in the years since then it seems the software has been below the radar.

  • Security By Buzzword – Why I don’t support Ensafer

    Update: I had a call with Ensafer’s CTO, Trygve Hardersen to discuss the issues I brought up, and what they can do about it. First, they updated the site so that downloads are now over HTTPS. He stated that the infrastructure that powers their service is separate from the website, and everything is over HTTPS. They are working on making documentation available, and hope to have the first documents available soon.

  • Developers, Developers, Developers

    Note: This was written in 2012, but not published at the time. The point is still valid, perhaps moreso than ever and deserves to be made publicly. The content has been updated as appropriate, though the core of this article remains intact from the 2012 draft. I would like to note that this doesn’t apply to every environment, there are some where developers are very knowledgeable about security, and write code with minimal issues – my current employer happens to be one of those rare & exciting places.

  • Looking for value in EV Certificates

    When you are looking for TLS (SSL) certificates, there are three different types available, and vary widely by price and level of effort required to acquire them. Which one you choose impacts how your certificate is treated by browsers; the question for today is, are EV certificates worth the money? To answer this, we need to understand what the differences are just what you are getting for your money. The Three Options For many, the choice of certificate type has more to do with price than type – and for that matter, not that many people even understand that there are real differences in the types of certificates that a certificate authority (CA) can issue.