My favorite security quotes from Bruce Schneier.
Security, when it is working, is often invisible not only to those being protected, but to those who plan, implement, and monitor security systems.
Every one of us, every day of our lives, makes security trade-offs. Even when we’re not thinking of threats or dangers or attacks, we live almost our entire lives making judgments about security, assessments of security, assumptions regarding security, and choices about security.
Security is both a feeling and a reality. We’re secure when we feel protected from harm, free from dangers, and safe from attack. In this way, security is merely a state of mind. But there’s the reality of security as well, a reality that has nothing to do with how we feel. We’re secure when we actually are protected.
Security is always a trade-off, and to ignore or deny those trade-offs is to risk losing basic freedoms and ways of life we now take for granted.
Perfect security is impractical because the costs are simply too high; we would have to treat the whole world as a threatening place and all the people in it as evildoers, when in fact the real threats are not nearly so pervasive. We’d have to create an extremely oppressive regime. But freedom is security. Openness is security. If you want proof, look around you. The world’s liberal democracies are the safest societies on the planet. Countries like the former Soviet Union, the former East Germany, [former] Iraq, North Korea, and China tried to implement large-scale security systems across their entire populaces. Would anyone willingly trade the dangerous openness of the U.S. or most countries in Europe for the security of a police state or totalitarian government?
All security is, in someway, about prevention.
Security is about preventing adverse consequences from the intentional and unwarranted actions of others.
Protecting assets from unintentional actions is safety, not security.
Technology is generally an enabler, allowing people to do things. Security is the opposite: It tries to prevent something from happening, or prevent people from from doing something, in the face of someone actively trying to defeat it.
Five step process to analyze and evaluate security systems, technologies, and practices.
1. What assets are you trying to protect?
2. What are the risks to these assets?
3. How well does the security solution mitigate those risks?
4. What other risks does the security solution cause?
5. What costs and trade-offs does the security solution impose?
A threat is a potential way an attacker can attack a system.
Risk[: to] take into consideration both the likelihood of the threat and the seriousness of a successful attack.
Risk management is about playing the odds. It’s figuring out which attacks are worth worrying about and which ones can be ignored.
Threats determine the risks, and the risks determine the countermeasures.
Insurance ... allows a store to take its risk and, for a fee, pass it off to someone else. It allows the store to convert a variable-cost risk into a fixed-cost expense.
People underestimate risks they willingly take and overestimate risks in situations they can’t control.
In America, automobiles cause 40,000 deaths every year; that’s the equivalent of a full 727 crashing every day and a half - 225 total in a year. As a society, we effectively say that the risk of dying in a car crash is worth the benefits of driving around town. But, if those same 40,000 people died each year in fiery 727 crashes instead of automobile accidents, you can be sure there would be significant changes in the air passengers systems.
People make security decisions based on perceived risks instead of actual risks.
More people are killed every year by pigs than sharks, which shows you how good we are at evaluating risk.
Security systems are never value-neutral; they move power in varying degrees to one set of players from another.
Sometimes it seems those in charge - of governments, of companies - need to do something in reaction to a security problem. Most people are comforted by action, whether good or bad.
At the most basic level, a system is a collection of simpler components that interact to form a greater whole. A machine is is a simple thing, even though it may have different pieces. A hammer is a machine; a table saw is a system. A pulley is a machine; an elevator is a system. A tomahawk is a machine; a Tomahawk cruise missile is a complex system.
The only reliable way to measure security is to examine how it fails - in the context of the assets and functionality it is protecting.
If you can think about security systems in terms of how individual failures affect the whole, you’ll have gone a long way to understanding how security works.
Security usually fails at the seams - at the points where two systems interact - seams between security systems and other systems, seams between parts of a security system.
Security systems can fail in two completely difference ways. The first way is that they can fail in the face of an attack. The door lock fails to keep the burglar out, the airport face-scanner fails to identify the terrorist, or the car alarm is bypassed by a thief. These are passive failures. The system fails to take action when it should. A security system can also fail by doing what it’s suppose to do, but at the wrong time. The door lock successfully keeps the legitimate homeowner out, the airport face-scanner incorrectly identifies an honest citizen as a terrorist, or the car alarm rings when no one is trying to steal the car. These are active failures: The system fails by taking action when it shouldn’t.
The most common security mistake of all is to expend considerable effort combating outsiders while ignoring the insider threat.
A terrorist is someone who employs physical or psychological violence against noncombatants in an attempt to coerce, control, or simply change a political situation by causing terror in the general populace.
The U.S. government has tried to address it [the 9/11 Attacks] by demanding (and largely receiving) new powers of surveillance and data collection. This completely misses the point. The problem isn’t obtaining data, it’s deciding which data is worth analyzing and then interpreting it. So much data is collected - organizations like the NSA suck up an almost unimaginable quantity of electronic communications, the FBI gets innumerable leads and tips, and U.S. allies pass along all sorts of information - that intelligence organization can’t possibly analyze it all.
Basically, there are three ways to authenticate someone: by something he knows, by something he has, and by something he is. All these ways have been used from prehistory until the present day, and they all have different security properties and trade-offs.
When the city of London began putting up house numbers and street signs in the 1760s, people rioted because they didn’t want strangers to be able to navigate through their neighborhoods.
A security protocol is a series of steps that some trusted person carries out, steps designed to enforce some sort of security rules.
Like protocols, procedures are steps that a trusted person carries out. But in security lingo, procedures are exceptions; they’re the things that people do when a security event occurs.
Protocols are the routines trusted people follow day to day; procedure are what they do in response to an anomaly.
Sensible security does not result from fear. Just because anomalies happen doesn’t mean security has failed. The risk of a terrorist attack before 9/11 wasn’t appreciable smaller than the risk of a terrorist attack after 9/11. Before 9/11, European countries mostly had an accurate assessment of their risks. In the U.S., the risks were largely underestimated; many people thought it couldn’t happen there.
To summarize: Prevention is impossible. Mitigation is important. Intelligence and counterattack are critical. And none of this is as effective as addressing the root causes of terrorism.
Spending more money on intelligence and investigation is far more cost-effective, because it targets the attackers, rather than waiting for the attackers to come to the defensive systems.
When you examine the details, only two effective antiterrorism countermeasures were taken in the wake of 9/11: strengthening cockpit doors and passengers learning they need to fight back. Everything else - let me repeat that: everything else - was only minimally effective, at best, and not worth the trade-offs.
The color-coded threat alerts issued by the Department of Homeland Security are useless today, but may become useful in the future. The U.S. military has a similar system; DEFCON 1-5 corresponds to the five threat alerts levels: Green, Blue, Yellow, Orange, and Red. The difference is that the DEFCON system is tied to particular procedures; military units have specific actions they need to perform every time the DEFCON level goes up or down. The color-alert system, on the other hand, is not tied to any specific actions. People are left to worry, or are given nonsensical instructions to buy plastic sheeting and duct tape.
There’s no way to prevent all future terrorist attacks.
Ironically, the the two years since 9/11, we’ve got the security level mostly right but the costs wildly wrong. The security we’re getting against terrorism is largely ineffective, although it’s probably commensurate with the minimal level of risk that actually exists.
Pundit after pundit has talked about the balance between privacy and security, discussing whether various increases of security are worth the privacy and civil liberty losses. The discussion seems odd to me, because linking the two is just plain wrong.
Security and privacy, or security and liberty, are not two sides of a teeter-totter.
Arming pilots, reinforcing cockpit doors, and teaching flight attendants karate are all examples of security measures that have no effect on individual privacy or liberties.
Unfortunately, the Department of Homeland Security is far more likely to increase the country’s vulnerability to terrorism. Centralizing security responsibility will create a commonality of approach and a uniformity of thinking; security will become more brittle. Unless the new department distributes security responsibility even as it centralizes coordination, it won’t improve the nation’s security.
The dual requirements that security decisions need to be made as close to the problem as possible, and that security analysis needs to happen as far away from the sources as possible make the problem subtle. Security works better if it is centrally coordinated but implemented in a distributed manner.
If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.
