Soylent Security

It's People!

Schneier says IT security exists because products and services aren't naturally secure.

Lindstrom says hogwash.

I'm feeling a bit reckless this morning, so I'll stand up and say the reason IT security exists is because of people. It exists because there are people in this world who flagrantly disobey both law and common decency in an effort to sabotage, steal, and otherwise manipulate both people and systems. They're just bad.

Bruce says in his blog:

The primary reason the IT security industry exists is because IT products and services aren't naturally secure. If computers were already secure against viruses, there wouldn't be any need for antivirus products. If bad network traffic couldn't be used to attack computers, no one would bother buying a firewall. If there were no more buffer overflows, no one would have to buy products to protect against their effects. If the IT products we purchased were secure out of the box, we wouldn't have to spend billions every year making them secure. [emphasis added]

If people followed the laws and rules, there'd be no need for firewalls or application firewalls or any other of the myriad technologies we purchase and deploy to secure our systems. "Bad network traffic" isn't a naturally occuring phenomenon, it's generated by people with bad intentions. Viruses don't just "appear" in the ether, they're created and propagated by people.

Blaming the victim is not an excuse for bad choices on the part of people.

Officer: Why'd you attack XYZ's Web server?

Attacker: It was asking for it

Officer: How is that?

Attacker: Open ports on the firewall, loose APIs. Advertised itself in search engines. How could I resist?

Law enforcement doesn't exist because our homes or persons are naturally insecure, it exists because there are people out there who will ignore the law to achieve whatever goals they may have. It exists for the same reason IT security exists, because an intelligent attacker will eventually find a way around whatever security you employ if they try long and hard enough. In the middle ages men built motte and bailey castles out of wood to stop people from attacking their persons and important possessions. People torched the walls and walked on through, so men built thicker walls from more resistant materials like stone and higher towers from which to defend their holdings. So people built siege engines to knock down the walls and learned to mine to collapse the defensive mechanisms and open an avenue for attack.   

Build a better defense, and someone will build a way to get around (or destroy) that defense mechanism. There is no such thing as 100% secure any more than there is 100% certainty or 100% uptime. It's just not possible. That's why we use the term "5 9's", because we can't get to 100% anything.

It's people, not a lack of inherent or natural security, that is the basis for the existence of the IT security industry. And as people aren't going away any time soon, I'm guessing IT security isn't going anywhere either.

Should we do a better job of securing systems in the first place? Yes, of course we should. Should we continue to improve the security of products? Yes, of course we should. We should because we must, because of people. We should certainly try obtain 5 9's of security just as we attempt to provide 5 9's of availability and uptime.

But we should also stop "blaming the victim" and look at the real reason that security breaches occur: people, and we should take that into consideration before we blame the victim for being attacked in the first place. Like self-defense classes and personal body armor we can - and should - employ IT security systems as the first, second, and even third line of defense against attackers, but we also have to be realistic and understand that empirical, historical data says that as long as people are involved we will never find a way to be 100% secure, we can only reach 99.999%. And it isn't the fault of those who wrote the systems or built the defenses that are at fault when an attacker exploits that 0.001%, it's the fault of the attacker for trying in the first place.

Imbibing: Coffee

Technorati tags: F5, security, Schneier, Lindstrom, MacVittie
Published May 04, 2007
Version 1.0

Was this article helpful?