Deflect Silver Bullets
That's quite an image, isn't it? It's ISS CEO Tom Noonan holding a silver bullet, announcing the Proventia IPS product in the October 2003 issue of ISS' Connect magazine. Raise your hand if you think IPS or anything else ISS has produced is a silver bullet. No takers?
I don't mention this to criticize ISS, specifically. Rather, I'd like to emphasize the importance of proper frames of reference when considering security.
Maybe this story will help explain my point. In the early 1990s as a cadet at camp USAFA I took at least 14 technical classes, including math, science, and engineering subjects. These core classes are the reason every cadet graduates with a BS and not a BA, regardless of the field of study. Remember, I was a history and political science double major, preparing for a career in Air Force intelligence. One of my fellow history majors asked our astronautical engineering professor why we had to sit through his class. I still remember his answer:
One day you'll meet with a defense contractor trying to sell you a new satellite system. He'll promise the world, saying things like "We can park that satellite right over Moscow in geosynchronous orbit to provide you imagery."
When you hear that I want you to ask "How is that possible? What is going to keep the satellite there?"
I want you to know how to think properly about that problem, even though you may have forgotten all the details by then.
(For those of you who forget your astronautical engineering: a satellite can only hover over a fixed point on the ground, a geostationary orbit, if that point is on the equator. Its orbit must then lie in the equatorial plane with a period matching Earth's rotation. A geosynchronous orbit inclined to reach Moscow's latitude would trace a figure-eight over the ground every day, so keeping the satellite "over Moscow" would require extreme active measures well beyond normal station-keeping.)
I find that many of those performing digital security work, most generic IT managers, and nearly all nontechnical managers do not know how to think about security properly. They think it's possible to park a satellite over Moscow, Russia as easily as Quito, Ecuador. They have no conceptual framework for digital security. They are looking for digital security silver bullets even though no analog silver bullet has ever killed the pirates, petty bandits, organized criminals, foreign intelligence services, or any of the other threats who have plagued humanity for hundreds of years.
Sloppy thinking is our greatest vulnerability. Forget about user education; I recommend management education. Deflect silver bullets.
Comments
As always, I have not changed anything. Blame Google/Blogger/Blogspot for any problems, if they exist on the syndication side.
I personally subscribe to this blog via
http://taosecurity.blogspot.com/atom.xml
and
http://taosecurity.blogspot.com/rss.xml
through Bloglines and I have not seen any problems.
I'm reading your blog normally via Google Reader. By the way, great post as usual.
Ok, if I didn't think Blogger would edit my post, I'd follow your last sentences right there with some resoundingly emphatic expletives in agreement.
A geosynchronous orbit over Moscow is not impossible. The satellite would have to compensate for the movement introduced by the inclination. A geostationary orbit above Moscow _is_ impossible.
"unless you're taking extreme measures to actively keep the device in place beyond what's required for normal station-keeping."