SecurityCertified

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Sunday, May 30, 2010

Digital Security Is Not Just an Engineering Problem

Posted on 7:23 PM by Unknown
Recently I participated in a small meeting involving a cross-section of people interested in digital security and public policy. During the meeting one of the participants voiced the often-repeated but, in my opinion, misguided notion that the primary problem with digital security is "design." In other words, "the Internet was not designed to be secure." If the Internet was not designed to be secure, all applications are "built on a foundation of sand" and therefore can never be "secure."

This is a typical "engineering" mentality applied to digital security. I do not agree with it. You might think it's because I'm not a "professional engineer." Strangely enough, at USAFA I took classes in chemistry, physics (two courses), math (calc III and diff eq), thermodynamics, and five pure engineering courses (electrical, mechanical, civil, aeronautical, astronautical) plus the dreaded Academy "capstone" course -- all of which would qualify me for a minor in engineering at a "normal" college. Still, I do not think digital security is an engineering problem.

My opinion does not mean that engineering has no role. On the contrary, good engineering helps reduce vulnerabilities and exposures. Unfortunately, that focus only affects part of the risk equation. Focusing only on engineering completely ignores the threat, which in my judgement is the biggest problem with digital security today.

You know what prompted me to write this post? It was Security Engineering Is Not The Solution to Targeted Attacks by Charles Smutz, a professional software developer who creates custom security tools for a large defense contractor. Charles wrote:

[B]laming security engineering for the impact of targeted attacks is [a] herring as red as they come. A world where security engineering actually tried to solve highly targeted and determined attackers would not be a fun place in which to live. In absence of other solutions, an intelligence driven incident response model is your best bet.

You know I agree with that.

Charles wrote his post to refute Security engineering: broken promises by Michal Zalewski. Michal is a really smart security researcher but I agree with Charles that Michal has also fallen for the "security as design problem" mentality.

If you want to know what I think works, please consult my 2007 post Threat Deterrence, Mitigation, and Elimination.
Email ThisBlogThis!Share to XShare to Facebook
Posted in | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • DojoCon Videos Online
    Props to Marcus Carey for live streaming talks from DojoCon . I appeared in my keynote , plus panels on incident response and cloud secur...
  • Practice of Network Security Monitoring Table of Contents
    Since many of you have asked, I wanted to provide an updated Table of Contents for my upcoming book, The Practice of Network Security Monito...
  • Mandiant APT1 Report: 25 Best Commentaries of the Last 12 Days
    Two weeks ago today our team at Mandiant was feverishly preparing the release of our APT1 report . In the twelve days that followed public...
  • Feedback from Network Security Monitoring 101 Classes
    At Black Hat in Las Vegas I taught two Network Security Monitoring 101 (NSM101) classes. This is a new class that I developed this year, a...
  • A Book for the Korean Cyber Armies
    I've got a book for the Korean cyber armies, North and South. That's right, it's my first book , The Tao of Network Security Mo...
  • What is Cloud?
    The slide at left was one of my favorites from Craig Balding's Cloud Security Ghost Story talk from Black Hat EU earlier this year. I ...
  • SQL Injection Challenge and Time-Based Security
    Thanks to this Tweet by @ryancbarnett, I learned of the lessons learned of the Level II component of the ModSecurity SQL Injection Challen...
  • Bejtlich Speaking at TechTarget Emerging Threats Events in Seattle and New York
    I will be speaking at two events organized by TechTarget , for whom I used to write my Snort Report and Traffic Talk articles. The one-da...
  • BeyondTrust Report on Removing Administrator: Correct?
    Last week BeyondTrust published a report titled BeyondTrust 2009 Microsoft Vulnerability Analysis . The report offers several interesting ...
  • President Obama Is Right On US-China Hacking
    I strongly recommend watching the excerpt on the Charlie Rose show titled Obama: Blunt Conversation With China on Hacking . I reproduced the...

Categories

  • afcert
  • Air Force
  • analysis
  • announcement
  • apt
  • attribution
  • bestbook
  • blackhat
  • books
  • breakers
  • bro
  • bruins
  • certification
  • china
  • cisco
  • cissp
  • cloud
  • clowns
  • commodore
  • conferences
  • controls
  • correlation
  • counterintelligence
  • cybercommand
  • cyberwar
  • dfm
  • education
  • engineering
  • feds
  • fisma
  • freebsd
  • GE
  • ge-cirt
  • hakin9
  • history
  • impressions
  • information warfare
  • ipv6
  • law
  • leadership
  • malware
  • mandiant
  • microsoft
  • mssp
  • nsm
  • offense
  • oisf
  • packetstash
  • philosophy
  • pirates
  • powerpoint
  • press
  • psirt
  • reading
  • redteam
  • reviews
  • russia
  • sans
  • sec
  • sguil
  • snorby
  • spying
  • threat model
  • threats
  • Traffic Talk
  • training
  • tufte
  • tv
  • ubuntu
  • usenix
  • verizon
  • vulnerabilities
  • wisdom
  • writing

Blog Archive

  • ►  2013 (16)
    • ►  September (1)
    • ►  August (1)
    • ►  June (2)
    • ►  April (2)
    • ►  March (1)
    • ►  February (3)
    • ►  January (6)
  • ►  2012 (60)
    • ►  December (4)
    • ►  November (5)
    • ►  October (3)
    • ►  September (10)
    • ►  August (2)
    • ►  July (6)
    • ►  June (6)
    • ►  May (4)
    • ►  April (2)
    • ►  March (9)
    • ►  February (6)
    • ►  January (3)
  • ►  2011 (108)
    • ►  December (3)
    • ►  November (7)
    • ►  October (11)
    • ►  September (9)
    • ►  August (18)
    • ►  July (10)
    • ►  June (5)
    • ►  May (4)
    • ►  April (13)
    • ►  March (17)
    • ►  February (2)
    • ►  January (9)
  • ▼  2010 (193)
    • ►  December (14)
    • ►  November (11)
    • ►  October (6)
    • ►  September (16)
    • ►  August (15)
    • ►  July (26)
    • ►  June (15)
    • ▼  May (15)
      • National Security Strategy is Empty on "Cyberspace"
      • Digital Security Is Not Just an Engineering Problem
      • "Privacy" vs "Security" or Privacy AND Security
      • More Evidence Military Will Eventually Defend Civi...
      • SANS WhatWorks Summit in Forensics and Incident Re...
      • Forget Pre-Incident Cost, How Much Did Your Last I...
      • More on Black Hat Costs
      • Watch Your WHOIS Entries
      • Review of Masters of Deception Posted
      • Review of Cyberpunk Posted
      • Review of The Hacker Crackdown Posted
      • Everything I Need to Know About Leadership I Learn...
      • Papers Not PowerPoint, Plus Tips for Improvement
      • Bejtlich to Speak at SANS Forensics and Incident R...
      • The Face of Information Warfare
    • ►  April (15)
    • ►  March (16)
    • ►  February (19)
    • ►  January (25)
  • ►  2009 (123)
    • ►  December (10)
    • ►  November (17)
    • ►  October (21)
    • ►  September (13)
    • ►  August (20)
    • ►  July (21)
    • ►  June (21)
Powered by Blogger.

About Me

Unknown
View my complete profile