From: Harvey Newstrom (mail@HarveyNewstrom.com)
Date: Sun Jul 07 2002 - 10:23:23 MDT
On Sunday, July 7, 2002, at 11:21 am, Spudboy100@aol.com wrote:
> For some of us, troubled by the attack on the USA on 9-11, being
> dippy-hippy nice-guy invites aggression from people who have no
> sympathy in that direction. Who see "openness" and easy-going,
> "niceness" as an invitation to victimize.
Ack! This is a common false assumption made by non-security
professionals. "Openness" and "niceness" are not the opposite of
security!
First of all, security by obscurity doesn't work. I know that Microsoft
argues that open source software is dangerous and that only proprietary
secrets can be safe. But security professionals know that secrets never
last. Too many people need to know the secrets, and the information
always leaks out. Obscurity is hiding your key under your doormat and
hoping nobody guesses where it is. This is secret, but it is not
secure. Anybody can get in if they guess right. Real security is
having a deadbolt and an alarm system. Everybody knows right where your
door lock is, and sees the sign that you have an alarm system, but still
can't get in. That is security. Studies have shown that openness
actually increases security. The more people who review a situation,
the more likely they are to discover its flaws.
Second of all, "niceness" does not decrease security either. Being rude
to unknown people on the off chance they might be terrorists doesn't
make them less effective. True security comes from a position of
strength. You can be polite all day while explaining why access is
denied. I know of no studies that suggest rudeness or reducing the
customer experience increases security. In fact, security can often
impose extra burdens on customers that they don't understand or expect.
This requires extra niceness, extra patience, some education and some
explanation. Anybody designing security procedures will have to design
the education or PR aspects of it, or it will be rejected by users. I
would argue that failing to design "niceness" into a security system
indicates a design flaw and brings the whole system into question.
In summary, as a security professional, I view "openness" and "niceness"
as requirements for any security system, not impediments to it. This
is not just my personal viewpoint, but seems borne out by studies,
standards, and industry organizations that try to develop security
architectures and operational procedures.
-- Harvey Newstrom, CISSP <www.HarveyNewstrom.com> Principal Security Consultant <www.Newstaff.com>
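The "key under the doormat" versus "deadbolt and alarm" contrast in the message above, as an added Python illustration that is not part of the original post. The hidden-path check relies only on the attacker not knowing where the door is; the open design publishes its mechanism (an HMAC over the request, a public algorithm) and depends only on a secret key that can be rotated, rejects replays, compares in constant time, and counts failed attempts as the "alarm". The endpoint path, the `OpenDoor` class and the request format are constructed for this example.

```python
"""Obscurity versus open design: constructed example, not from the original post."""
import hashlib
import hmac
import secrets


# --- Obscurity: the key under the doormat ---------------------------------
# The only "protection" is that nobody is supposed to know this path.
# Nothing is verified; anyone who guesses or learns the path is in.
HIDDEN_ADMIN_PATH = "/admin-x7q2"  # constructed, supposedly secret location


def obscure_is_admin(path: str) -> bool:
    """Grants admin purely because the caller found the hidden path."""
    return path == HIDDEN_ADMIN_PATH


def attacker_with_leaked_path() -> bool:
    """Simulates the secret leaking (shared URL, old config, a guess).
    Once the location is known there is nothing else to defeat."""
    return obscure_is_admin("/admin-x7q2")


# --- Open design: deadbolt and alarm -------------------------------------
# The mechanism is public: HMAC-SHA256 over method, path and a per-request
# nonce. Only the key is secret, and it can be rotated without changing
# the design. Everyone may read this code; they still cannot get in.
SERVER_KEY = secrets.token_bytes(32)


def sign(key: bytes, method: str, path: str, nonce: str) -> str:
    """Public tag computation; the same function is used by client and server."""
    msg = f"{method}\n{path}\n{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class OpenDoor:
    """Request authorizer whose design is public and whose key is secret."""

    def __init__(self, key: bytes):
        self._key = key
        self._seen_nonces = set()  # each nonce is accepted once: replay protection
        self.failures = 0          # the "alarm": count of rejected attempts

    def is_authorized(self, method: str, path: str, nonce: str, tag: str) -> bool:
        if nonce in self._seen_nonces:
            self.failures += 1
            return False
        expected = sign(self._key, method, path, nonce)
        # Constant-time comparison so timing does not leak the correct tag.
        if not hmac.compare_digest(expected, tag):
            self.failures += 1
            return False
        self._seen_nonces.add(nonce)
        return True


def demo() -> dict:
    """Runs both designs against a legitimate caller and an attacker who knows
    everything except the server key. Returns the outcomes for inspection."""
    door = OpenDoor(SERVER_KEY)
    nonce = secrets.token_hex(8)
    good_tag = sign(SERVER_KEY, "GET", "/admin", nonce)
    legit = door.is_authorized("GET", "/admin", nonce, good_tag)
    replay = door.is_authorized("GET", "/admin", nonce, good_tag)
    # The attacker knows the algorithm and the path, but not the key.
    forged = sign(b"attacker-guessed-key", "GET", "/admin", "n-attacker")
    forgery = door.is_authorized("GET", "/admin", "n-attacker", forged)
    return {
        "obscurity_falls_to_leak": attacker_with_leaked_path(),
        "open_design_legit": legit,
        "open_design_replay": replay,
        "open_design_forgery": forgery,
        "alarm_count": door.failures,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the contrast: the hidden path is "secret but not secure", since learning it is the whole attack, whereas publishing `OpenDoor` and `sign` costs nothing as long as `SERVER_KEY` stays private, and the failure counter is what lets an operator see the attempts.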
This archive was generated by hypermail 2.1.5 : Sat Nov 02 2002 - 09:15:12 MST