In the previous posts about Trust I outlined how things that are designed to help you with your security can sometimes hinder the very security that you are trying to achieve. Today I will take that even further and outline how the whole concept of security can, in some cases, make you even less secure.
The problem I am talking about is caused by being overly confident in the system provided, which leads to a false sense of security. Much like the captain of the Titanic felt the puny iceberg was no match for his state-of-the-art ship, some people feel they cannot be compromised once they have implemented the latest in security measures.
Lately we had some examples of this due to the high-profile assassination in Dubai. As the news has been reporting over and over again, the assassins entered the country using forged passports. The passports in question were biometric passports. Biometric passports are hailed as the ultimate in security. Confidence in their security is so high that the Netherlands has even been trialing an automated passport scanning system, which a pair of ethical hackers managed to fool by getting a fake biometric passport, in the name of Elvis Presley and registered in a fake country, approved. I am not aware of any country that has gone fully automated; however, even just testing out such automated systems is, in my opinion, a sign of the danger that security can be to itself. Simply considering automating such a critical security system means that there are some people who have huge faith in how infallible the system is, and this in itself is a threat to security. One should never have such a strong belief that a security system is infallible because, no matter how good it is, it still can, and will, be broken.
The issue isn’t limited exclusively to passports. This type of overconfidence is present in more mundane situations. Time and time again I have been asked by a friend to help clean their machine of malware, and when I ask them whether they had clicked on dubious attachments in emails, they usually had, with the conviction that it was okay. Even if the attachment were malicious, they believed their antivirus software would protect them from any possible infection.
Companies are not immune to this way of thinking either. Deploying antivirus and patch management mechanisms is at times considered to be enough. Additional tools such as vulnerability scanning, log management and perimeter security might be considered an unnecessary expense because they are regarded as a second layer of security, where the risk is already being mitigated through virus scanning and patch management. This is true to a point; however, you can never have blind faith that any antivirus software will detect every form of malware, and you can never be totally sure that every vulnerability will be patched, and on time.
Going back to the title, Security is the enemy of Security, what does that mean exactly? I am obviously not suggesting that removing security measures will make everyone more secure. What I am trying to say is that no matter how many security measures one puts into place, one should still work under the assumption that they will all fail. Don’t allow security to make you lazy. Anything suspicious, be it a link or an attachment, still requires the same diligence as if one had no antivirus / link scanner in place, because if it’s malicious your security system might still fail to detect it.
Always remember that security is not the first line of defense, the user is. Security mechanisms are in place to protect the system when the user fails; they are not a magical filter that knows all good from bad. There is also a third line of defense which protects the system in the event of the security mechanism itself failing, and that is the Administrator who monitors the system for intrusions and suspicious behavior. If a security system fails, the best you can hope for at that point is that the administrator detects the intrusion in a timely manner and takes corrective action before the damage spreads. These three tiers need to work in tandem. Security will be the enemy of itself if the user relaxes and takes risks under the assumption and ‘peace of mind’ that the security system will take care of any slipups caused by his actions. Security will also be its own enemy when the administrator feels s/he can neglect monitoring duties, confident that the policies in place which users follow and the security infrastructure will prevent any intrusions and malware from ever infiltrating the network.