Cargo Cult Security
Here is a fictional story for you that bears no resemblance to any living, dead, or undead persons whatsoever. Imagine someone who is interested in establishing and maintaining a „medium“ to „high“ level of security for his or her business data. This person is a power user and uses hard disk encryption, an encrypted file server, access to internal data by VPN and GPG/PGP for communication. So far, so good. Now for the bad news: untrusted devices without security software may also access internal resources and shiny new workstations run without anti-virus protection or firewalls. Questions regarding potential risks go unnoticed, suggestions to periodically check the security measures also disappear into the vast void of email. What is wrong with this picture?
Well, given that all of this is purely fictional, some of you might still recognise the pattern. Securing infrastructure and data boils down to rituals. „Look there, I picked a wonderful password! It’s got 17 randomly selected characters.“ „See how I encrypted my hard disk! I’m done with securing things now.“ „I don’t need to run anti-XYZ software, because this operating system is so cool/rare/new/secure. Hackers will take years to adapt!“ Some of these phrases may cause physical pain in sysadmins (the good ones at least) and make junior security researchers faint (more experienced researchers just shake their heads and write their next advisory instead). Yet many people pick a weird mixture of security tools, carelessness and laziness. It’s almost like the rituals of the cargo cults in the Pacific. You pick some token measures that document your good intentions, and then you stop and do what you usually do (or never should do at all). The combination of a fairly well secured desktop and a wide-open smartphone with full access to „highly secured“ mailboxes and calendar servers is a good example (ever tried to do security consulting with CEOs?).
Granted, not everyone needs a high level of security, but everyone should sit down and think about the risks that apply. Tools always come second! First, think about what might happen and what you don’t want to happen; then apply security measures consistently, right down to your phone/tablet/gadgets. Once you break your rules and deviate from your plan, make sure you revisit the risks you are willing to take. If you don’t, cargo cult rituals are definitely cheaper and easier to maintain.