Friday, January 7, 2011

Most Security Measures Easy to Breach

Vulnerability Assessment Team at Argonne National Laboratory breaks into "foolproof" systems (NBCChicago.com)
"Yes, we almost never need a high-tech attack against a high-tech system. We actually defeated a biometric access control device with parts from a BIC pen."

That's because the "bad guys", as he likes to call them, aren't necessarily going to even try to outsmart gee-whiz gizmos. After all, why go after a retinal scanner when you can simply use a credit card to open the virtually unsecured door?

I'm curious about the BIC pen hack. It was mentioned at the Argonne National Laboratory site back in November. It seems like they're keeping mum for now. Given that they're a government agency and the linked story states the device in question was intended to protect nuclear material, that's probably a good thing.

Dr. Roger Johnston makes excellent points about the nature of security in both linked sources.

His main thesis seems to be: while there is no such thing as perfect security, most people aren't really even trying that hard.

It's hard to argue with that, and Dr. Johnston seems to appreciate the difference between rational security measures and "security theater".

There is a cost-benefit analysis that goes into security purchasing decisions. The closest thing to perfect security is what the Secret Service does for the President. That type of security is afforded to only a handful of people and few of us would choose that type of security for ourselves even if we could afford it.

The more efficient security solution for the vast majority of us is investment in reasonably efficient law enforcement, reasonably effective alarm systems, and the creation of a reasonable amount of uncertainty in the mind of the bad guy.

Security systems don't have to be perfect to be rational. This is why we spend so much time here discussing Return On Investment (ROI). If a given solution improves security while lowering overall costs, it should be adopted.

Security theater is different. Giving the illusion of security in an insecure environment is worse than not having any security at all.