Deflect Silver Bullets

That's quite an image, isn't it? It's ISS CEO Tom Noonan holding a silver bullet, announcing the Proventia IPS product in the October 2003 issue of ISS' Connect magazine. Raise your hand if you think IPS or anything else ISS has produced is a silver bullet. No takers?

I don't mention this to criticize ISS, specifically. Rather, I'd like to emphasize the importance of proper frames of reference when considering security.

Maybe this story will help explain my point. In the early 1990s as a cadet at camp USAFA I took at least 14 technical classes, including math, science, and engineering subjects. These core classes are the reason every cadet graduates with a BS and not a BA, regardless of the field of study. Remember, I was a history and political science double major, preparing for a career in Air Force intelligence. One of my fellow history majors asked our astronautical engineering professor why we had to sit through his class. I still remember his answer:

One day you'll meet with a defense contractor trying to sell you a new satellite system. He'll promise the world, saying things like "We can park that satellite right over Moscow in geosynchronous orbit to provide you imagery."

When you hear that I want you to ask "How is that possible? What is going to keep the satellite there?"

I want you to know how to think properly about that problem, even though you may have forgotten all the details by then.


(For those of you who forget your astronautical engineering, it's not possible to park a satellite in geosynchronous orbit anywhere except the equator, unless you're taking extreme measures to actively keep the device in place beyond what's required for normal station-keeping.)

I find that many of those performing digital security work, most generic IT managers, and nearly all nontechnical managers do not know how to think about security properly. They think it's possible to park a satellite over Moscow, Russia as easily as Quito, Ecuador. They have no conceptual framework for digital security. They are looking for digital security silver bullets even though no analog silver bullet has ever killed the pirates, petty bandits, organized criminals, foreign intelligence services, or any of the other threats who have plagued humanity for hundreds of years.

Sloppy thinking is our greatest vulnerability. Forget about user education; I recommend management education. Deflect silver bullets.

Comments

kurt wismer said…
deflect silver bullets - that's good catch-phrase material...
Roland Dobbins said…
Why did you change your syndication feed URLs without telling anyone, so that we missed several of your posts, and why didn't you use a transition mechanism which would automatically migrate our subscriptions (the fact that one can do this highlights the near-complete lack of attention to security in syndication feed technology, of course).
Roland,

As always, I have not changed anything. Blame Google/Blogger/Blogspot for any problems, if they exist on the syndication side.

I personally subscribe to this blog via

http://taosecurity.blogspot.com/atom.xml

and

http://taosecurity.blogspot.com/rss.xml

through Bloglines and I have not seen any problems.
Richard (and Roland)

I'm reading your blog normally via Google Reader. By the way, great post as usual.
Unknown said…
"Forget about user education; I recommend management education. Deflect silver bullets."

Ok, if I didn't think Blogger would edit my post, I'd follow your last sentences right there with some resoundingly emphatic expletives in agreement.
Andy, ITGuy said…
Although I don't think I'd say forget about user education I agree that if we can't get management and IT properly educated then it's a losing battle. I've blogged about this very thing many times in the past. As IT, Security and Management we have to lead by example in this area.
Anonymous said…
Geosynchronous does not imply geostationary.

A geosynchronous orbit over Moscow is not impossible. The satellite would have to compensate for the movement introduced by the inclination. A geostationary orbit above Moscow _is_ impossible.
Anonymous,

"unless you're taking extreme measures to actively keep the device in place beyond what's required for normal station-keeping."
Anonymous said…
This comment has been removed by a blog administrator.

Popular posts from this blog

Zeek in Action Videos

MITRE ATT&CK Tactics Are Not Tactics

New Book! The Best of TaoSecurity Blog, Volume 4