Adam Caudill

Security Leader, Researcher, Developer, Writer, & Photographer

Jumping through hoops…

There are two ways to implement security:

  • Real security, based on empirical evidence and analysis.
  • Checklist security, based on the latest checklist somebody says is important.

When security is based on real evidence and analysis, policies are enacted based on real gain and measured against the business impact. Risks are considered, and the costs versus benefits are well understood so that policy choices are based on real, useful information.

On the other hand, there’s security by checklist. Costs aren’t calculated, risks aren’t understood, and business impacts are ignored. All that matters is that somebody gets to check a box on a form; there’s no understanding, no logic, and likely no real benefit involved.

The point of security policies isn’t to show off how many hoops you’ve built that people have to jump through while doing their jobs. Yet when a company accepts a security-by-checklist mentality, this is exactly what it is doing: spending its time building hoops it can show off later while ignoring the threats it is supposed to be addressing.

Recently, my laptop died, and the new laptop was set up with DLP, or digital loss prevention, software. The main purpose of the software is to prevent me and anyone in my group from being able to use removable drives – so that we can’t load them up with private information, of course.

This was done to check a box on a form; at no point did anyone actually think about the bigger picture, what the threat was, and how it should be addressed:

  • I have a laptop and work remotely.
  • When I disconnect from the VPN, I have unrestricted access to the internet.
  • I routinely work with sensitive data, so it’s not uncommon for it to be on my computer.
  • I could easily encrypt a file full of private data, and upload it to the cloud after disconnecting from the VPN, and nobody would know.

So, by blocking the use of removable drives, they made it much harder for me to recover from a failing laptop and added nothing to security. Blocking thumb drives won’t stop a person from stealing data when they have other ways to do the same thing. All it did was waste time and the company’s money.

They built a new hoop to show off, nothing more.

Such policies don’t help anyone – they don’t improve security, they certainly don’t prevent theft of data, and at the same time they do have a negative business impact: lost productivity, increased frustration, and in the end higher turnover from employees who are fed up with the meaningless work. There’s no winner here – except the person who wants to show off all of the hoops they have.

Security based on anything other than empirical evidence and legitimate analysis is just theater and nothing more.
