Security Maxims

From Roger Johnston, funny -- and all too true -- stuff.

Posted on September 26, 2008 at 12:42 PM • 36 Comments

Comments

mSeptember 26, 2008 12:52 PM

Great link. However, in the future could you kindly give some type of notice when the link is to a download as opposed to a html/pdf type document?

Brandioch ConnerSeptember 26, 2008 1:18 PM

And they reference you.

"Schneier’s Maxim #1: The more excited people are about a given security technology, the less they understand (1) that technology and (2) their own security problems."

MarkSeptember 26, 2008 1:24 PM

I agree that there ought to be some kind of notice. Like, I don't know, maybe the URL could end in some kind of special code, like ".ppt" or something...

I kid, I kid.

ChazSeptember 26, 2008 1:44 PM

I don't have a way to display a Powerpoint file. Can someone post a link to something normal, or put the text in a post?

ArchAngelSeptember 26, 2008 2:11 PM

Chaz: OK, but if I later find this in my email inbox as a chain letter making the rounds there will be hell to pay:

Physical Security Maxims
Roger G. Johnston, Ph.D., CPP

Security Maxims
The following maxims, based on our experience with physical
security, nuclear safeguards, & vulnerability assessments, are
not absolute laws or theorems, but they will be essentially
correct 80-90% of the time.

Infinity Maxim: There are an unlimited number of security
vulnerabilities for a given security device, system, or program,
most of which will never be discovered (by the good guys or
bad guys).

Arrogance Maxim: The ease of defeating a security device
or system is proportional to how confident/arrogant the designer,
manufacturer, or user is about it, and to how often they use
words like “impossible” or “tamper-proof”.

Ignorance is Bliss Maxim: The confidence that people have in
security is inversely proportional to how much they know about it.


Be Afraid, Be Very Afraid Maxim: If you’re not running
scared, you have bad security or a bad security product.

High-Tech Maxim: The amount of careful thinking that has
gone into a given security device, system, or program is
inversely proportional to the amount of high-technology it uses.

Schneier’s Maxim #1: The more excited people are about a given
security technology, the less they understand (1) that technology
and (2) their own security problems.

Low-Tech Maxim: Low-tech attacks work (even against
high-tech devices and systems).

Father Knows Best Maxim: The amount that (non-security)
senior managers in any organization know about security is
inversely proportional to (1) how easy they think security is,
and (2) how much they will micro-manage security and
invent arbitrary rules.

Huh Maxim: When a (non-security) senior manager,
bureaucrat, or government official talks publicly about security,
he or she will usually say something stupid, unrealistic, inaccurate,
and/or naïve.

Voltaire’s Maxim: The problem with common sense is that
it is not all that common.

Yipee Maxim: There are effective, simple, & low-cost counter-
measures (at least partial countermeasures) to most vulnerabilities.

Arg Maxim: But users, manufacturers, managers, & bureaucrats
will be reluctant to implement them for reasons of inertia, pride,
bureaucracy, fear, wishful thinking, and/or cognitive dissonance.

Show Me Maxim: No serious security vulnerability, including
blatantly obvious ones, will be dealt with until there is overwhelming
evidence and widespread recognition that adversaries have already
catastrophically exploited it. In other words, “significant
psychological (or literal) damage is required before any significant
security changes will be made”.

I Just Work Here Maxim: No salesperson, engineer, or
executive of a company that sells security products or services
is prepared to answer a significant question about vulner-
abilities, and few potential customers will ever ask them one.

Bob Knows a Guy Maxim: Most security products and services
will be chosen by the end-user based on purchase price plus
hype, rumor, innuendo, hearsay, and gossip.

Familiarity Maxim: Any security technology becomes more
vulnerable to attacks when it becomes more widely used, and
when it has been used for a longer period of time.

Antique Maxim: A security device, system, or program
is most vulnerable near the end of its life.

Payoff Maxim: The more money that can be made from
defeating a technology, the more attacks, attackers, and hackers
will appear.

I Hate You Maxim 1: The more a given technology is despised
or distrusted, the more attacks, attackers, and hackers will appear.

I Hate You Maxim 2: The more a given technology causes
hassles or annoys security personnel, the less effective it will be.

Shannon’s (Kerckhoffs’) Maxim: The adversaries know and
understand the security hardware and strategies being employed.

Corollary to Shannon’s Maxim: Thus, “Security by Obscurity”,
i.e., security based on keeping long-term secrets, is not a good idea.

Gossip Maxim: People and organizations can’t keep secrets.

Plug into the Formula Maxim: Engineers don’t understand
security. They think nature is the adversary, not people. They
tend to work in solution space, not problem space. They think
systems fail stochastically, not through deliberate, intelligent,
malicious intent.

Rohrbach’s Maxim: No security device, system, or program
will ever be used properly (the way it was designed) all the time.

Rohrbach Was An Optimist Maxim: Few security devices,
systems, or programs will ever be used properly.

Insider Risk Maxim: Most organizations will ignored or
seriously underestimate the threat from insiders.

We Have Met the Enemy and He is Us Maxim: The insider
threat from careless or complacent employees & contractors
exceeds the threat from malicious insiders (though the latter is
not negligible.)


Mission Creep Maxim: Any given device, system, or program
that is designed for inventory will very quickly come to be
viewed--quite incorrectly--as a security device, system, or program.

We’ll Worry About it Later Maxim: Effective security is
difficult enough when you design it in from first principles. It
almost never works to retrofit it in, or to slap security on at the last
minute, especially onto inventory technology.

Somebody Must’ve Thought It Through Maxim: The more
important the security application, the less careful and critical
thought has gone into it.


That’s Entertainment Maxim: Ceremonial Security (a.k.a.
“Security Theater”) will usually be confused with Real Security;
even when it is not, it will be favored over Real Security.

Schneier’s Maxim #2: Control will usually get confused with Security.

Ass Sets Maxim: Most security programs focus on protecting the wrong assets.

Vulnerabilities Trump Threats Maxim: If you know the
vulnerabilities (weaknesses), you’ve got a shot at understanding
the threats (the probability that the weaknesses will be exploited
and by whom). Plus you might even be ok if you get the threats
all wrong. But if you focus mostly on the threats, you’re probably
in trouble.


Mermaid Maxim:  The most common excuse for not fixing security vulnerabilities is that they simply can't exist.

Onion Maxim:  The second most common excuse for not fixing security vulnerabilities is that "we have many layers of security", i.e., we rely on "Security in Depth".

Hopeless Maxim:  The third most common excuse for not fixing security vulnerabilities is that "all security devices, systems, and programs can be defeated".  (This is typically expressed by the same person who initially invoked the Mermaid Maxim.) 

Takes One to Know One Maxim:  The fourth most common excuse for not fixing security vulnerabilities is that “our adversaries are too stupid and/or unresourceful to figure that out.”

Depth, What Depth? Maxim:  For any given security program, the amount of critical, skeptical, and intelligence thinking that has been undertaken is inversely proportional to how strongly the strategy of "Security in Depth" (layered security) is embraced.

RoySeptember 26, 2008 2:22 PM

@ArchAngel

Thanks for decoding the '.ppt'. For security reasons, I maintain a Microsoft-free workspace.

bobSeptember 26, 2008 2:26 PM

@Roy: From now on I will too; I had the lack of sense to buy a Vista laptop; the other day I installed SP1 and broke pretty much every application on it.

yd betzoPSeptember 26, 2008 3:26 PM

Thanks ArchAngel.

Some of these can be summarized as 'security by luck' and 'security by magic'. May be the latter is also the former.

Clive RobinsonSeptember 26, 2008 3:56 PM

The Roger Johnston missed,

Marketing Trumps functionality maxim : For any given product Marketing features will always be of a higher priority than basic functionality.

And,

Optomised security maxim : the more you optomise a security system or process the more insecure it becomes.

Efficiency leaks maxim : the more efficient you make a system or process the more information it leaks via side channels.

Detect and delay respond maxim : physical security assumes that an effective system detects an attack and delays the attackers longer than the response time to the attack. Almost invariably information security is not designed this way.

There are several others I can think of perhaps Bruce should start a competition

Brad LhotskySeptember 26, 2008 3:57 PM

Thanks for the heads up. After having the CISO of my org essentially tell our administrative office "shoot him up or fire him." I certainly appreciate:

'Troublemaker Maxim: The probability that a security professional has been marginalized by his or her organization is proportional to his/her skill, creativity, knowledge, competence, and eagerness to provide effective security.'

Made my day.

BenSeptember 26, 2008 5:19 PM

Personal favorite addition would be;
Yogi Maxim: "In theory, there is no difference between theory and practice. But, in practice, there is."

2InsecureGodsSeptember 26, 2008 7:17 PM

ArchAngel, A great list there. Perhaps one to add, OpenBSD backup Maxim: When the crap its the fan, we will order an OpenBSD CD, and download some packages, and all will be secure again. Thanks for the listing, in the comments, makes things easier.
Nice handle, you wear whitesuits all the time?
Security is such an ugly art and ugly thing, it makes you remember the movie, The Entity. Grr. No wonder all live in denial with it. People can handle only so much. Another Maxim perhaps: The Entity.
Good Article/comments, too bad some in power do not have this as a poster in their office.

Penguin PeteSeptember 26, 2008 7:24 PM

Are you serious? You posted a PowerPoint as your blog post? No warning, the heck with anybody who doesn't run it? And then got it onto Reddit?

What's in it? Cut-n-pasted lines from some document at textfiles.com?

Clive RobinsonSeptember 27, 2008 5:34 AM

@ Xiretsa,

The "chumpingstones.com" site you refrence is an example of "how not to" for websites.

Basically it's colour scheme breaks the basic design rules for sites by requiring the use of a high end browser to read the "text"...

If you try and use it from a more limited browser such as those found in mobile devices (and older PCs) all you get to see is a very long blue page.

It's why the W3C has design rules that should be adhered to ;)

Also for those that are mildly visually impared a lack of colour contrast is a real "turn away"

Oh and in some parts of the world it would be in breach of disability legislation...

Ho hum what's that Maxim about "Style trumps functionality" 8)

John MooreSeptember 27, 2008 10:40 AM

He forgot the Spolsky Maxim: The security product (with the best stylish GUI) is purchased based on appearance, and not efficacy, by people who will never use it.

MarqOfTheCodeSeptember 27, 2008 10:16 PM

BECAUSE-I-SAID-I-WON'T-LET-YOU MAXIM:

Threatening as security is better than any security:

"Copyright 2008 The Associated Press. The information contained in AP news report[s] may not be published, broadcast, rewritten or otherwise distributed without the prior written authority of The Associated Press. Active hyperlinks have been inserted by AOL."

It may be some really big [CENSORED] found by counting [CENSORED] that can't be [CENSORED]: (check it out, cause I can't tell you what it is; it says so!):

http://news.aol.com/article/...

Less than an hour ago ---

B-ConSeptember 27, 2008 11:07 PM

> Are you serious? You posted a PowerPoint as your blog post? No warning, the heck with anybody who doesn't run it? And then got it onto Reddit?

As Mark pointed out, we are in dire need of someone to come up with a method of examining a URL before clicking it. If only your browser showed a hyperlink URL in, say, the bottom left corner of your browser when you moused-over it. And most people have the ability to view PowerPoint presentations.

If you don't like it, don't view it. People use PowerPoint everywhere, you have to deal with it.

Clive RobinsonSeptember 27, 2008 11:07 PM

@ MarqOfTheCode,

I must admit that press reporting of GIMPS is getting a little yawn worthy these days. Afterall who is actually interested in the prime.

What is of interest to us "big O heads" is not the result or the why but the how ;)

Clive RobinsonSeptember 27, 2008 11:35 PM

@ B-Con,

"If only your browser showed a hyperlink URL in, say, the bottom left corner of your browser when you moused-over it."

Not all browsers do this, infact quite a few modern browsing platforms don't have mice either.

To my anoyance the "mobile platform" I use effectivly lacks both these features as do a lot of mobile phone browsers. I guess it's the price you pay for an "in your pocket" solution. Forinstance to display a link you first have to select it and then display it in an SMS not the browser...

Why do I use it well, there are a large number of places where it is practical to use a mobile phone and not a power hungry laptop or lillputer (net books etc).

For instance hospital beds. In the U.K. they have kind of stopped arguing about mobile phones and even accept you pluging in the charger as long as you are not obvious about it. But you try using a laptop computer and it's charger and "no way jose" it's a high value item that has to be locked up or an MRSA risk or... Belive me I've be given all sorts of excuses. The only one close to the truth was from a (medical) consultant who was sympathising in a typicaly British way with "It's the same as the food, managment don't want you enjoying yourself otherwise you might decide to stay".

Being ill "sucks" in many ways, but Internet amputation is akin to "sensory depravation" in this modern connected world. The hospital solution is to provide a pay per click media solution at wallet whacking fees. As the used to say in the U.S. "No taxation without representation".

csrsterSeptember 29, 2008 1:42 AM

What the world _really_ needs is some kind of open source cross-platform program that could display powerpoints. A sort of Open version of Office.

JJSeptember 29, 2008 5:17 AM

@csrster:
What the world _really_ needs is some kind of open source cross-platform program that could display powerpoints. A sort of Open version of Office.
--

It would be great if it was even named "OpenOffice". Too bad no such thing is available.

AndréSeptember 29, 2008 5:34 AM

@csrster & B-Con and all the rest alike:

may you please tell us why we shall need to have installed an external program or special plugin or whatever, to - after downloading and virus-scanning - be able to view ... uhm ... text, color and maybe pictures?
May I remind you, that the ... uhm ... simplest browser thinkable would be able to do this on its own if just people stopped uploading strange file-formats and started using HTML?

So what we really need is people (authors and commentators alike) with some common sense ... but that may be in contradiction to Voltaires Maxim ...

@Bruce: thx for posting, gave me quite a good laugh

André

SethSeptember 29, 2008 8:31 AM

I Hate You Maxim 2: The more a given technology causes hassles or annoys security personnel, the less effective it will be.

I would have put it the other way: The more a given technology causes hassles or annoys non-security personnel, the less effective it will be.

(If people have to change their passwords every 30 days, a significant fraction will use the month.)

SteveSeptember 29, 2008 12:14 PM

Far as I can tell, the "Vulnerabilities Trump Threats Maxim" conflicts with Schneier's standard counter-terrorism advice (potential targets are infinite, potential routes of attack are infinite, focus on actionable intelligence about aspiring terrorist attacks instead of checking liquid boarding airplanes). That doesn't invalidate either point, but it's interesting to ponder.

DavidSeptember 30, 2008 4:24 AM

@Steve

Actually I would sugest that 'Schneier's standard counter-terrorism advice' is a classic example of 'Vulnerabilities Trump Threats Maxim'. The current stupidity tries to deal with specific known (by previous attempt - failed/flawed or otherwise) threats.

Whereas if you look a where we are Vulnerable to terrorist you quickly come up with - where ever large (>50 say) numbers of people congregate. Your can't possibly protect/secure that so you are lead to the better option of trying spending money on trying to find likely attackers(finally a finite number).

bobSeptember 30, 2008 6:42 AM

@Seth: Oooh. I am embarrassed to admit I never thought of using the month. And now that they have raised the minimum length of a pw to FIFTEEN I need something to pad "password1" with - that would be great.

I think there is a bell curve to security vs password length; it steeply increases from 1-8, levels off around 10 then starts decreasing once you get above that because you have to write it down, use REALLY memorable subwords, you screw it up enough that shoulder surfers get many tries to watch you, etc.

Besides since hashes of a fixed length are stored rather than actual passwords, once you get past a certain pw length it is easier to hack the account by attacking the hash rather than the password. (ie find a hash collision).

Adam BottjenNovember 13, 2009 5:55 PM

Paranoia Maxim: An individual who leverages a different set of tools to increase overall privacy or security is often considered Paranoid. Even if it is generally accepted that the things they are paranoid about are legitimate security threats.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..