Tuesday, August 3, 2010

PHYSICAL SECURITY MAXIMS

Here are some of the Physical Security Maxims of Security Guru Roger G. Johnston, Ph.D., CPP of the Vulnerability Assessment Team, Argonne National Laboratory.


Infinity Maxim: There are an unlimited number of security vulnerabilities for a given security device, system, or program, most of which will never be discovered (by the good guys or bad guys).

Comment: We think this, because we always find new vulnerabilities when we look at the same security device, system, or program a second or third time, and because we always find vulnerabilities that others miss, and vice versa.


Thanks for Nothin’ Maxim: A vulnerability assessment that finds no vulnerabilities or only a few is worthless and wrong.


Arrogance Maxim: The ease of defeating a security device or system is proportional to how confident/arrogant the designer, manufacturer, or user is about it, and to how often they use words like “impossible” or “tamper-proof”.


Be Afraid, Be Very Afraid Maxim: If you’re not running scared, you have bad security or a bad security product.

Comment: Fear is a good vaccine against both arrogance and ignorance.


So We’re In Agreement Maxim: If you’re happy with your security, so are the bad guys.


Ignorance is Bliss Maxim: The confidence that people have in security is inversely proportional to how much they know about it.


Comment: Security looks easy if you’ve never taken the time to think carefully about it.


Weakest Link Maxim: The efficacy of security is determined more by what is done wrong than by what is done right.

Comment: Because the bad guys typically attack deliberately and intelligently, not randomly.


Safety Maxim: Applying the methods of safety to security doesn’t work well, but the reverse may have some merit.

Comment: Safety is typically analyzed as a stochastic problem, whereas the bad guys typically attack deliberately and intelligently, not randomly. For a discussion of the reverse problem, see RG Johnston, Journal of Safety Research 35, 245-248 (2004).


High-Tech Maxim: The amount of careful thinking that has gone into a given security device, system, or program is inversely proportional to the amount of high-technology it uses.

Comment: In security, high-technology is often taken as a license to stop thinking critically.


Dr. Who Maxim: “The more sophisticated the technology, the more vulnerable it is to primitive attack. People often overlook the obvious.”

Comment: A quote from Tom Baker as Dr. Who in The Pirate Planet (1978)


Low-Tech Maxim: Low-tech attacks work (even against high-tech devices and systems).

Comment: So don’t get too worked up about high-tech attacks.


Nowadays I work as a security consultant; I have collected eleven pages worth of Dr. Johnston's wisdom - I keep them posted on the wall by my desk at work. In designing physical security systems, and even in the evolving field of cybersecurity, I find that all of these truisms apply sooner or later. - Sean Linnane





.

2 comments: