SlideShare uma empresa Scribd logo
1 de 19
Baixar para ler offline
Roger G. Johnston, Ph.D., CPP Vulnerability Assessment Team Argonne National Laboratory [email_address]   630-252-6168 http://www.ne.anl.gov/capabilities/vat Physical Security Maxims VAT
The following maxims, based on our experience with physical security, nuclear safeguards, & vulnerability assessments, are  not absolute laws or theorems, but they will be essentially  correct 80-90% of the time. Security Maxims
Infinity Maxim :  There are an unlimited number of security  vulnerabilities for a given security device, system, or program,  most of which will never be discovered (by the good guys or  bad guys). Arrogance Maxim :  The ease of defeating a security device  or system is proportional to how confident/arrogant the designer,  manufacturer, or user is about it, and to how often they use  words like “impossible” or “tamper-proof”.  Ignorance is Bliss Maxim :  The confidence that people have in  security is inversely proportional to how much they know about it. Security Maxims
Be Afraid, Be Very Afraid Maxim :  If you’re not running  scared, you have bad security or a bad security product. High-Tech Maxim :  The amount of careful thinking that has  gone into a given security device, system, or program is  inversely proportional to the amount of high-technology it uses. Schneier’s Maxim #1 :  The more excited people are about a given  security technology, the less they understand (1) that technology  and (2) their own security problems. Low-Tech Maxim :  Low-tech attacks work (even against  high-tech devices and systems). Security Maxims
Father Knows Best Maxim :  The amount that (non-security) senior managers in any organization know about security is  inversely proportional to (1) how easy they think security is,  and (2) how much they will micro-manage security and invent arbitrary rules. Huh Maxim :  When a (non-security) senior manager,  bureaucrat, or government official talks publicly about security,  he or she will usually say something stupid, unrealistic, inaccurate, and/or naïve. Voltaire’s Maxim :  The problem with common sense is that it is not all that common. Security Maxims
Yipee Maxim :  There are effective, simple, & low-cost counter- measures (at least partial countermeasures) to most vulnerabilities. Arg Maxim :  But users, manufacturers, managers, & bureaucrats will be reluctant to implement them for reasons of inertia, pride, bureaucracy, fear, wishful thinking, and/or cognitive dissonance. Show Me Maxim :  No serious security vulnerability, including  blatantly obvious ones, will be dealt with until there is overwhelming  evidence and widespread recognition that adversaries have already  catastrophically exploited it.  In other words, “significant  psychological (or literal) damage is required before any significant  security changes will be made”. Security Maxims
I Just Work Here Maxim :  No salesperson, engineer, or  executive of a company that sells security products or services  is prepared to answer a significant question about vulner- abilities, and few potential customers will ever ask them one. Bob Knows a Guy Maxim :  Most security products and services  will be chosen by the end-user based on purchase price plus  hype, rumor, innuendo, hearsay, and gossip.  Familiarity Maxim :  Any security technology becomes more  vulnerable to attacks when it becomes more widely used, and  when it has been used for a longer period of time. Security Maxims
Antique Maxim :  A security device, system, or program  is most vulnerable near the end of its life. Payoff Maxim :  The more money that can be made from  defeating a technology, the more attacks, attackers, and hackers  will appear. I Hate You Maxim 1 :  The more a given technology is despised  or distrusted, the more attacks, attackers, and hackers will appear. I Hate You Maxim 2 :  The more a given technology causes  hassles or annoys security personnel, the less effective it will be. Security Maxims
Shannon’s (Kerckhoffs’) Maxim :  The adversaries know and  understand the security hardware and strategies being employed.  Corollary to Shannon’s Maxim :  Thus, “Security by Obscurity”,  i.e., security based on keeping long-term secrets, is not a good idea. Gossip Maxim :  People and organizations can’t keep secrets. Plug into the Formula Maxim :  Engineers don’t understand  security.  They think nature is the adversary, not people.  They  tend to work in solution space, not problem space.  They think  systems fail stochastically, not through deliberate, intelligent, malicious intent. Security Maxims
Rohrbach’s Maxim :  No security device, system, or program  will ever be used properly (the way it was designed) all the time. Rohrbach Was An Optimist Maxim :  Few security devices,  systems, or programs will  ever  be used properly. Insider Risk Maxim :  Most organizations will ignored or  seriously underestimate the threat from insiders. We Have Met the Enemy and He is Us Maxim :  The insider  threat from careless or complacent employees & contractors  exceeds the threat from malicious insiders (though the latter is not negligible.) Security Maxims
Troublemaker Maxim :  The probability that a security  professional has been marginalized by his or her organization is proportional to his/her skill, creativity, knowledge, competence,  and eagerness to provide effective security. Feynman’s Maxim :  An organization will fear and despise loyal  vulnerability assessors and others who point out vulnerabilities or suggest security changes more than malicious adversaries. Irresponsibility Maxim :  It’ll often be considered “irresponsible” to point out security vulnerabilities (including the theoretical  possibility that they might exist), but you’ll rarely be called irresponsible for ignoring or covering them up. Security Maxims
Backwards Maxim :  Most people will assume everything is  secure until provided strong evidence to the contrary--exactly backwards from a reasonable approach.  You Could’ve Knocked Me Over with a Feather Maxim 1 : Security managers, manufacturers, vendors, and end users will  always be amazed at how easily their security products or  programs can be defeated. You Could’ve Knocked Me Over with a Feather Maxim 2 : Having been amazed once, security managers, manufacturers,  vendors, and end users will be equally amazed the next time  around. Security Maxims
That’s Why They Pay Us the Big Bucks Maxim :  Security is  nigh near impossible.  It’s extremely difficult to stop a determined  adversary.  Often the best you can do is discourage him, and maybe minimize the consequences when he does attack. Throw the Bums Out Maxim :  An organization that fires high-  level security managers when there is a major security incident, or severely disciplines or fires low-level security personnel when there is a minor incident, will never have good security. Better to be Lucky than Good Maxim:   Most of the time  when security appears to be working, it’s because no adversary is  currently prepared to attack. Security Maxims
A Priest, a Minister, and a Rabbi Maxim :  People lacking  imagination, skepticism, and a sense of humor should not  work in the security field. Mr. Spock Maxim :  The effectiveness of a security device, system, or program is inversely proportional to how angry or upset people get about the idea that there might be vulnerabilities. Double Edge Sword Maxim :  Within a few months of its  availability, new technology helps the bad guys at least as  much as it helps the good guys. Security Maxims
Mission Creep Maxim :  Any given device, system, or program  that is designed for inventory will very quickly come to be  viewed--quite incorrectly--as a security device, system, or program.  We’ll Worry About it Later Maxim :  Effective security is  difficult enough when you design it in from first principles.  It  almost never works to retrofit it in, or to slap security on at the last  minute, especially onto inventory technology. Somebody Must’ve Thought It Through Maxim :  The more  important the security application, the less careful and critical  thought has gone into it. Security Maxims
Security Maxims That’s Entertainment Maxim:   Ceremonial Security (a.k.a.  “ Security Theater”) will usually be confused with Real Security; even when it is not, it will be favored over Real Security. Schneier’s Maxim #2 : Control will usually get confused with Security. Ass Sets Maxim :  Most security programs focus on protecting the wrong assets.
Security Maxims Vulnerabilities Trump Threats Maxim :  If you know the  vulnerabilities (weaknesses), you’ve got a shot at understanding  the threats (the probability that the weaknesses will be exploited  and by whom).  Plus you might even be ok if you get the threats all wrong.  But if you focus mostly on the threats, you’re probably  in trouble.
Security Maxims Mermaid Maxim:   The most common excuse for not fixing security vulnerabilities is that they simply can't exist. Onion Maxim:   The second most common excuse for not fixing security vulnerabilities is that "we have many layers of security", i.e., we rely on "Security in Depth". Hopeless Maxim:   The third most common excuse for not fixing security vulnerabilities is that "all security devices, systems, and programs can be defeated".  (This is typically expressed by the same person who initially invoked the Mermaid Maxim.) 
Security Maxims Takes One to Know One Maxim:   The fourth most common excuse for not fixing security vulnerabilities is that “our adversaries are too stupid and/or unresourceful to figure that out.” Depth, What Depth? Maxim :   For any given security program, the amount of critical, skeptical, and intelligence thinking that has been undertaken is inversely proportional to how strongly the strategy of "Security in Depth" (layered security) is embraced.

Mais conteúdo relacionado

Mais procurados

Security Awareness, lost between chains and walls
Security Awareness, lost between chains and wallsSecurity Awareness, lost between chains and walls
Security Awareness, lost between chains and wallsOsama Salah
 
Tanium Taps Incident Response Expert as Chief Security Architect
Tanium Taps Incident Response Expert as Chief Security ArchitectTanium Taps Incident Response Expert as Chief Security Architect
Tanium Taps Incident Response Expert as Chief Security ArchitectEric Brown
 
Tech Talent Meetup Hacking Security Event Recap
Tech Talent Meetup Hacking Security Event RecapTech Talent Meetup Hacking Security Event Recap
Tech Talent Meetup Hacking Security Event RecapDominic Vogel
 
Gainful Information Security 2012 services
Gainful Information Security 2012 servicesGainful Information Security 2012 services
Gainful Information Security 2012 servicesCade Zvavanjanja
 
Best practices for_implementing_security_awareness_training
Best practices for_implementing_security_awareness_trainingBest practices for_implementing_security_awareness_training
Best practices for_implementing_security_awareness_trainingwardell henley
 
Mimecast Threat Report
Mimecast Threat ReportMimecast Threat Report
Mimecast Threat ReportChris Hewitt
 
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...EC-Council
 
Adam Palmer: Managing Advanced Cyber Threats for In-House Counsel
Adam Palmer: Managing Advanced Cyber Threats for In-House CounselAdam Palmer: Managing Advanced Cyber Threats for In-House Counsel
Adam Palmer: Managing Advanced Cyber Threats for In-House CounselAdam Palmer
 
Security as the foundation of DX
Security as the foundation of DXSecurity as the foundation of DX
Security as the foundation of DXmasaaki murakami
 
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation SlidesHow To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation SlidesSlideTeam
 
Aon Ransomware Response and Mitigation Strategies
Aon Ransomware Response and Mitigation StrategiesAon Ransomware Response and Mitigation Strategies
Aon Ransomware Response and Mitigation StrategiesCSNP
 
A Guide To SMB Network Security Compliance Research Group(1)
A Guide To SMB Network Security Compliance Research Group(1)A Guide To SMB Network Security Compliance Research Group(1)
A Guide To SMB Network Security Compliance Research Group(1)GuardEra Access Solutions, Inc.
 
Issa Charlotte 2009 Patching Your Users
Issa Charlotte 2009   Patching Your UsersIssa Charlotte 2009   Patching Your Users
Issa Charlotte 2009 Patching Your UsersMike Murray
 

Mais procurados (18)

Security Awareness, lost between chains and walls
Security Awareness, lost between chains and wallsSecurity Awareness, lost between chains and walls
Security Awareness, lost between chains and walls
 
Tanium Taps Incident Response Expert as Chief Security Architect
Tanium Taps Incident Response Expert as Chief Security ArchitectTanium Taps Incident Response Expert as Chief Security Architect
Tanium Taps Incident Response Expert as Chief Security Architect
 
Tech Talent Meetup Hacking Security Event Recap
Tech Talent Meetup Hacking Security Event RecapTech Talent Meetup Hacking Security Event Recap
Tech Talent Meetup Hacking Security Event Recap
 
Gainful Information Security 2012 services
Gainful Information Security 2012 servicesGainful Information Security 2012 services
Gainful Information Security 2012 services
 
Best practices for_implementing_security_awareness_training
Best practices for_implementing_security_awareness_trainingBest practices for_implementing_security_awareness_training
Best practices for_implementing_security_awareness_training
 
Mimecast Threat Report
Mimecast Threat ReportMimecast Threat Report
Mimecast Threat Report
 
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...
 
16231
1623116231
16231
 
Adam Palmer: Managing Advanced Cyber Threats for In-House Counsel
Adam Palmer: Managing Advanced Cyber Threats for In-House CounselAdam Palmer: Managing Advanced Cyber Threats for In-House Counsel
Adam Palmer: Managing Advanced Cyber Threats for In-House Counsel
 
Avoiding The Seven Deadly Sins of IT
Avoiding The Seven Deadly Sins of ITAvoiding The Seven Deadly Sins of IT
Avoiding The Seven Deadly Sins of IT
 
Security as the foundation of DX
Security as the foundation of DXSecurity as the foundation of DX
Security as the foundation of DX
 
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation SlidesHow To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
 
Aon Ransomware Response and Mitigation Strategies
Aon Ransomware Response and Mitigation StrategiesAon Ransomware Response and Mitigation Strategies
Aon Ransomware Response and Mitigation Strategies
 
Rm
RmRm
Rm
 
A Guide To SMB Network Security Compliance Research Group(1)
A Guide To SMB Network Security Compliance Research Group(1)A Guide To SMB Network Security Compliance Research Group(1)
A Guide To SMB Network Security Compliance Research Group(1)
 
Issa Charlotte 2009 Patching Your Users
Issa Charlotte 2009   Patching Your UsersIssa Charlotte 2009   Patching Your Users
Issa Charlotte 2009 Patching Your Users
 
Cybersecurity After WannaCry: How to Resist Future Attacks
Cybersecurity After WannaCry: How to Resist Future AttacksCybersecurity After WannaCry: How to Resist Future Attacks
Cybersecurity After WannaCry: How to Resist Future Attacks
 
Prevent & Protect
Prevent & ProtectPrevent & Protect
Prevent & Protect
 

Semelhante a securitymaxims

Five Reasons to Look Beyond Math-based Next-Gen Antivirus
Five Reasons to Look Beyond Math-based Next-Gen AntivirusFive Reasons to Look Beyond Math-based Next-Gen Antivirus
Five Reasons to Look Beyond Math-based Next-Gen AntivirusSarah Vanier
 
brochure 2016-September (1)
brochure 2016-September (1)brochure 2016-September (1)
brochure 2016-September (1)Dan Kunkel
 
Cybersecurity a short business guide
Cybersecurity   a short business guideCybersecurity   a short business guide
Cybersecurity a short business guidelarry1401
 
Security Transformation
Security TransformationSecurity Transformation
Security TransformationFaisal Yahya
 
Enterprise Immune System
Enterprise Immune SystemEnterprise Immune System
Enterprise Immune SystemAustin Eppstein
 
CROs must be part of the cybersecurity solution by david x martin
CROs must be part of the cybersecurity solution by david x martinCROs must be part of the cybersecurity solution by david x martin
CROs must be part of the cybersecurity solution by david x martinDavid X Martin
 
Prevent Getting Hacked by Using a Network Vulnerability Scanner
Prevent Getting Hacked by Using a Network Vulnerability ScannerPrevent Getting Hacked by Using a Network Vulnerability Scanner
Prevent Getting Hacked by Using a Network Vulnerability ScannerGFI Software
 
Anti virus in the corporate arena
Anti virus in the corporate arenaAnti virus in the corporate arena
Anti virus in the corporate arenaUltraUploader
 
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014John Bambenek
 
Peter Allor - The New Era of Cognitive Security
Peter Allor - The New Era of Cognitive SecurityPeter Allor - The New Era of Cognitive Security
Peter Allor - The New Era of Cognitive Securityscoopnewsgroup
 
Assess risks to IT security.pptx
Assess risks to IT security.pptxAssess risks to IT security.pptx
Assess risks to IT security.pptxlochanrajdahal
 
Inconvenient Truth(s) - On Application Security (from 2007)
Inconvenient Truth(s) - On Application Security (from 2007)Inconvenient Truth(s) - On Application Security (from 2007)
Inconvenient Truth(s) - On Application Security (from 2007)Dinis Cruz
 
Understanding the security_organization
Understanding the security_organizationUnderstanding the security_organization
Understanding the security_organizationDan Morrill
 
Cognitive Computing in Security with AI
Cognitive Computing in Security with AI Cognitive Computing in Security with AI
Cognitive Computing in Security with AI JoAnna Cheshire
 
Ransomware Detection and Remediation Whitepaper.pdf
Ransomware Detection and Remediation Whitepaper.pdfRansomware Detection and Remediation Whitepaper.pdf
Ransomware Detection and Remediation Whitepaper.pdfCompanySeceon
 
Ibm cognitive security_white_paper_04_2016
Ibm cognitive security_white_paper_04_2016Ibm cognitive security_white_paper_04_2016
Ibm cognitive security_white_paper_04_2016Janghyuck Choi
 
Behavioral Models of Information Security: Industry irrationality & what to d...
Behavioral Models of Information Security: Industry irrationality & what to d...Behavioral Models of Information Security: Industry irrationality & what to d...
Behavioral Models of Information Security: Industry irrationality & what to d...Kelly Shortridge
 
McAfee Labs 2017 Threats Predictions
McAfee Labs 2017 Threats PredictionsMcAfee Labs 2017 Threats Predictions
McAfee Labs 2017 Threats PredictionsMatthew Rosenquist
 
Introduction to Cyber Security
Introduction to Cyber SecurityIntroduction to Cyber Security
Introduction to Cyber SecurityPriyanshu Ratnakar
 
Cybersecurity of Physical Systems
Cybersecurity of Physical Systems Cybersecurity of Physical Systems
Cybersecurity of Physical Systems Erin Hillier
 

Semelhante a securitymaxims (20)

Five Reasons to Look Beyond Math-based Next-Gen Antivirus
Five Reasons to Look Beyond Math-based Next-Gen AntivirusFive Reasons to Look Beyond Math-based Next-Gen Antivirus
Five Reasons to Look Beyond Math-based Next-Gen Antivirus
 
brochure 2016-September (1)
brochure 2016-September (1)brochure 2016-September (1)
brochure 2016-September (1)
 
Cybersecurity a short business guide
Cybersecurity   a short business guideCybersecurity   a short business guide
Cybersecurity a short business guide
 
Security Transformation
Security TransformationSecurity Transformation
Security Transformation
 
Enterprise Immune System
Enterprise Immune SystemEnterprise Immune System
Enterprise Immune System
 
CROs must be part of the cybersecurity solution by david x martin
CROs must be part of the cybersecurity solution by david x martinCROs must be part of the cybersecurity solution by david x martin
CROs must be part of the cybersecurity solution by david x martin
 
Prevent Getting Hacked by Using a Network Vulnerability Scanner
Prevent Getting Hacked by Using a Network Vulnerability ScannerPrevent Getting Hacked by Using a Network Vulnerability Scanner
Prevent Getting Hacked by Using a Network Vulnerability Scanner
 
Anti virus in the corporate arena
Anti virus in the corporate arenaAnti virus in the corporate arena
Anti virus in the corporate arena
 
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014
 
Peter Allor - The New Era of Cognitive Security
Peter Allor - The New Era of Cognitive SecurityPeter Allor - The New Era of Cognitive Security
Peter Allor - The New Era of Cognitive Security
 
Assess risks to IT security.pptx
Assess risks to IT security.pptxAssess risks to IT security.pptx
Assess risks to IT security.pptx
 
Inconvenient Truth(s) - On Application Security (from 2007)
Inconvenient Truth(s) - On Application Security (from 2007)Inconvenient Truth(s) - On Application Security (from 2007)
Inconvenient Truth(s) - On Application Security (from 2007)
 
Understanding the security_organization
Understanding the security_organizationUnderstanding the security_organization
Understanding the security_organization
 
Cognitive Computing in Security with AI
Cognitive Computing in Security with AI Cognitive Computing in Security with AI
Cognitive Computing in Security with AI
 
Ransomware Detection and Remediation Whitepaper.pdf
Ransomware Detection and Remediation Whitepaper.pdfRansomware Detection and Remediation Whitepaper.pdf
Ransomware Detection and Remediation Whitepaper.pdf
 
Ibm cognitive security_white_paper_04_2016
Ibm cognitive security_white_paper_04_2016Ibm cognitive security_white_paper_04_2016
Ibm cognitive security_white_paper_04_2016
 
Behavioral Models of Information Security: Industry irrationality & what to d...
Behavioral Models of Information Security: Industry irrationality & what to d...Behavioral Models of Information Security: Industry irrationality & what to d...
Behavioral Models of Information Security: Industry irrationality & what to d...
 
McAfee Labs 2017 Threats Predictions
McAfee Labs 2017 Threats PredictionsMcAfee Labs 2017 Threats Predictions
McAfee Labs 2017 Threats Predictions
 
Introduction to Cyber Security
Introduction to Cyber SecurityIntroduction to Cyber Security
Introduction to Cyber Security
 
Cybersecurity of Physical Systems
Cybersecurity of Physical Systems Cybersecurity of Physical Systems
Cybersecurity of Physical Systems
 

Último

UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"
UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"
UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"DianaGray10
 
UiPath Studio Web workshop series - Day 5
UiPath Studio Web workshop series - Day 5UiPath Studio Web workshop series - Day 5
UiPath Studio Web workshop series - Day 5DianaGray10
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
Valere | Digital Solutions & AI Transformation Portfolio | 2024
Valere | Digital Solutions & AI Transformation Portfolio | 2024Valere | Digital Solutions & AI Transformation Portfolio | 2024
Valere | Digital Solutions & AI Transformation Portfolio | 2024Alexander Turgeon
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
The Kubernetes Gateway API and its role in Cloud Native API Management
The Kubernetes Gateway API and its role in Cloud Native API ManagementThe Kubernetes Gateway API and its role in Cloud Native API Management
The Kubernetes Gateway API and its role in Cloud Native API ManagementNuwan Dias
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimization100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimizationarrow10202532yuvraj
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 

Último (20)

UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"
UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"
UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"
 
UiPath Studio Web workshop series - Day 5
UiPath Studio Web workshop series - Day 5UiPath Studio Web workshop series - Day 5
UiPath Studio Web workshop series - Day 5
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
Valere | Digital Solutions & AI Transformation Portfolio | 2024
Valere | Digital Solutions & AI Transformation Portfolio | 2024Valere | Digital Solutions & AI Transformation Portfolio | 2024
Valere | Digital Solutions & AI Transformation Portfolio | 2024
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
The Kubernetes Gateway API and its role in Cloud Native API Management
The Kubernetes Gateway API and its role in Cloud Native API ManagementThe Kubernetes Gateway API and its role in Cloud Native API Management
The Kubernetes Gateway API and its role in Cloud Native API Management
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimization100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimization
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 

securitymaxims

  • 1. Roger G. Johnston, Ph.D., CPP Vulnerability Assessment Team Argonne National Laboratory [email_address] 630-252-6168 http://www.ne.anl.gov/capabilities/vat Physical Security Maxims VAT
  • 2. The following maxims, based on our experience with physical security, nuclear safeguards, & vulnerability assessments, are not absolute laws or theorems, but they will be essentially correct 80-90% of the time. Security Maxims
  • 3. Infinity Maxim : There are an unlimited number of security vulnerabilities for a given security device, system, or program, most of which will never be discovered (by the good guys or bad guys). Arrogance Maxim : The ease of defeating a security device or system is proportional to how confident/arrogant the designer, manufacturer, or user is about it, and to how often they use words like “impossible” or “tamper-proof”. Ignorance is Bliss Maxim : The confidence that people have in security is inversely proportional to how much they know about it. Security Maxims
  • 4. Be Afraid, Be Very Afraid Maxim : If you’re not running scared, you have bad security or a bad security product. High-Tech Maxim : The amount of careful thinking that has gone into a given security device, system, or program is inversely proportional to the amount of high-technology it uses. Schneier’s Maxim #1 : The more excited people are about a given security technology, the less they understand (1) that technology and (2) their own security problems. Low-Tech Maxim : Low-tech attacks work (even against high-tech devices and systems). Security Maxims
  • 5. Father Knows Best Maxim : The amount that (non-security) senior managers in any organization know about security is inversely proportional to (1) how easy they think security is, and (2) how much they will micro-manage security and invent arbitrary rules. Huh Maxim : When a (non-security) senior manager, bureaucrat, or government official talks publicly about security, he or she will usually say something stupid, unrealistic, inaccurate, and/or naïve. Voltaire’s Maxim : The problem with common sense is that it is not all that common. Security Maxims
  • 6. Yipee Maxim : There are effective, simple, & low-cost counter- measures (at least partial countermeasures) to most vulnerabilities. Arg Maxim : But users, manufacturers, managers, & bureaucrats will be reluctant to implement them for reasons of inertia, pride, bureaucracy, fear, wishful thinking, and/or cognitive dissonance. Show Me Maxim : No serious security vulnerability, including blatantly obvious ones, will be dealt with until there is overwhelming evidence and widespread recognition that adversaries have already catastrophically exploited it. In other words, “significant psychological (or literal) damage is required before any significant security changes will be made”. Security Maxims
  • 7. I Just Work Here Maxim : No salesperson, engineer, or executive of a company that sells security products or services is prepared to answer a significant question about vulner- abilities, and few potential customers will ever ask them one. Bob Knows a Guy Maxim : Most security products and services will be chosen by the end-user based on purchase price plus hype, rumor, innuendo, hearsay, and gossip. Familiarity Maxim : Any security technology becomes more vulnerable to attacks when it becomes more widely used, and when it has been used for a longer period of time. Security Maxims
  • 8. Antique Maxim : A security device, system, or program is most vulnerable near the end of its life. Payoff Maxim : The more money that can be made from defeating a technology, the more attacks, attackers, and hackers will appear. I Hate You Maxim 1 : The more a given technology is despised or distrusted, the more attacks, attackers, and hackers will appear. I Hate You Maxim 2 : The more a given technology causes hassles or annoys security personnel, the less effective it will be. Security Maxims
  • 9. Shannon’s (Kerckhoffs’) Maxim : The adversaries know and understand the security hardware and strategies being employed. Corollary to Shannon’s Maxim : Thus, “Security by Obscurity”, i.e., security based on keeping long-term secrets, is not a good idea. Gossip Maxim : People and organizations can’t keep secrets. Plug into the Formula Maxim : Engineers don’t understand security. They think nature is the adversary, not people. They tend to work in solution space, not problem space. They think systems fail stochastically, not through deliberate, intelligent, malicious intent. Security Maxims
  • 10. Rohrbach’s Maxim : No security device, system, or program will ever be used properly (the way it was designed) all the time. Rohrbach Was An Optimist Maxim : Few security devices, systems, or programs will ever be used properly. Insider Risk Maxim : Most organizations will ignored or seriously underestimate the threat from insiders. We Have Met the Enemy and He is Us Maxim : The insider threat from careless or complacent employees & contractors exceeds the threat from malicious insiders (though the latter is not negligible.) Security Maxims
  • 11. Troublemaker Maxim : The probability that a security professional has been marginalized by his or her organization is proportional to his/her skill, creativity, knowledge, competence, and eagerness to provide effective security. Feynman’s Maxim : An organization will fear and despise loyal vulnerability assessors and others who point out vulnerabilities or suggest security changes more than malicious adversaries. Irresponsibility Maxim : It’ll often be considered “irresponsible” to point out security vulnerabilities (including the theoretical possibility that they might exist), but you’ll rarely be called irresponsible for ignoring or covering them up. Security Maxims
  • 12. Backwards Maxim : Most people will assume everything is secure until provided strong evidence to the contrary--exactly backwards from a reasonable approach. You Could’ve Knocked Me Over with a Feather Maxim 1 : Security managers, manufacturers, vendors, and end users will always be amazed at how easily their security products or programs can be defeated. You Could’ve Knocked Me Over with a Feather Maxim 2 : Having been amazed once, security managers, manufacturers, vendors, and end users will be equally amazed the next time around. Security Maxims
  • 13. That’s Why They Pay Us the Big Bucks Maxim : Security is nigh near impossible. It’s extremely difficult to stop a determined adversary. Often the best you can do is discourage him, and maybe minimize the consequences when he does attack. Throw the Bums Out Maxim : An organization that fires high- level security managers when there is a major security incident, or severely disciplines or fires low-level security personnel when there is a minor incident, will never have good security. Better to be Lucky than Good Maxim: Most of the time when security appears to be working, it’s because no adversary is currently prepared to attack. Security Maxims
  • 14. A Priest, a Minister, and a Rabbi Maxim : People lacking imagination, skepticism, and a sense of humor should not work in the security field. Mr. Spock Maxim : The effectiveness of a security device, system, or program is inversely proportional to how angry or upset people get about the idea that there might be vulnerabilities. Double Edge Sword Maxim : Within a few months of its availability, new technology helps the bad guys at least as much as it helps the good guys. Security Maxims
  • 15. Mission Creep Maxim : Any given device, system, or program that is designed for inventory will very quickly come to be viewed--quite incorrectly--as a security device, system, or program. We’ll Worry About it Later Maxim : Effective security is difficult enough when you design it in from first principles. It almost never works to retrofit it in, or to slap security on at the last minute, especially onto inventory technology. Somebody Must’ve Thought It Through Maxim : The more important the security application, the less careful and critical thought has gone into it. Security Maxims
  • 16. Security Maxims That’s Entertainment Maxim: Ceremonial Security (a.k.a. “ Security Theater”) will usually be confused with Real Security; even when it is not, it will be favored over Real Security. Schneier’s Maxim #2 : Control will usually get confused with Security. Ass Sets Maxim : Most security programs focus on protecting the wrong assets.
  • 17. Security Maxims Vulnerabilities Trump Threats Maxim : If you know the vulnerabilities (weaknesses), you’ve got a shot at understanding the threats (the probability that the weaknesses will be exploited and by whom). Plus you might even be ok if you get the threats all wrong. But if you focus mostly on the threats, you’re probably in trouble.
  • 18. Security Maxims Mermaid Maxim:  The most common excuse for not fixing security vulnerabilities is that they simply can't exist. Onion Maxim:  The second most common excuse for not fixing security vulnerabilities is that "we have many layers of security", i.e., we rely on "Security in Depth". Hopeless Maxim:  The third most common excuse for not fixing security vulnerabilities is that "all security devices, systems, and programs can be defeated".  (This is typically expressed by the same person who initially invoked the Mermaid Maxim.) 
  • 19. Security Maxims Takes One to Know One Maxim:  The fourth most common excuse for not fixing security vulnerabilities is that “our adversaries are too stupid and/or unresourceful to figure that out.” Depth, What Depth? Maxim :  For any given security program, the amount of critical, skeptical, and intelligence thinking that has been undertaken is inversely proportional to how strongly the strategy of "Security in Depth" (layered security) is embraced.