Cargo Cult Security

René Pfeiffer/ August 21, 2011/ High Entropy, Stories

Here is a fictional story for you that bears no resemblance to any living, dead or undead persons whatsoever. Imagine someone who is interested in establishing and maintaining a „medium“ to „high“ level of security for his or her business data. This person is a power user and uses hard disk encryption, an encrypted file server, access to internal data by VPN and GPG/PGP for communication. So far so good. Now for the bad news: untrusted devices without security software may also access internal resources, and shiny new workstations run without anti-virus protection or firewalls. Questions about potential risks are ignored, and suggestions to periodically check the security measures vanish into the big e-mail void, too. What is wrong with this picture?

Well, given that all of this is purely fictional, some of you might still recognise the pattern. Securing infrastructure and data boils down to rituals. „Look there, I picked a wonderful password! It’s got 17 randomly selected characters.“ „See how I encrypted my hard disk! I’m done with securing things now.“ „I don’t need to run anti-XYZ software, because this operating system is so cool/rare/new/secure. Hackers will take years to adapt!“ Some of these phrases may cause physical pain in sysadmins (the good ones at least) and make junior security researchers faint (more experienced researchers just shake their heads and write their next advisory instead). Yet a lot of people pick a weird mixture of security tools, carelessness and laziness. It’s almost like the rituals of the cargo cults in the Pacific. You pick some token measures that document your good intentions, and then you stop and do what you usually do (or never should do at all). The combination of a fairly well secured desktop and a wide-open smartphone with full access to „highly-secured“ mailboxes and calendar servers is a good example (ever tried to do security consulting with CEOs?).

Granted, not everyone needs a high level of security, but everyone should sit down and think about the risks that apply. Tools always come second! First think about what might happen and what you don’t want to happen, and then apply security measures consistently, right down to your phone/tablet/gadgets. Once you break your rules and deviate from your plan, make sure you revisit the risks you are willing to take. If you don’t, cargo cult rituals are definitely cheaper and easier to maintain.

About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.