Security's Everyman

Wednesday, July 09, 2008

Don't bring a gun to a knife fight

This story was just too good to pass up, and I had to find some way to tie it into information security. It seems that a woman had seen one too many mice and decided that the best way to deal with them was Clint Eastwood style: bring out the .44 Magnum and see what damage could be done. Fortunately for the mice, the only real damage was done to the woman and her friend. My favorite quote from the story is this: "The mice escaped the shooting unharmed".

Companies often approach security issues in a similar fashion. They have incidents (a virus, a web site defacement, a lost backup tape, etc.), let things go for a while without doing much about them, and then all of a sudden they react, or more likely overreact. They start doing things like rolling out full disk encryption or deploying a new $80,000 appliance without doing a risk analysis or determining what else could be done to mitigate the problem in a way that better serves the company.

For example, the company that I work for has lots of laptop users. They take their laptops home and on vacation, leave them on their desks, go to the coffee shop, and so on. There is a good chance that someone will lose a laptop or have one stolen. Is full disk encryption something that I need to deploy to every laptop user? Maybe. Maybe not. When you consider that very little of the data we hold is not already freely available through an open records request, the chance that a lost or stolen laptop contains anything sensitive goes down considerably. So do I spend tens of thousands of dollars on FDE for everyone, or do I ensure that the data is protected using what we already have? Do I put controls in place that make it very difficult for users to get data they are not supposed to have? If I do, I reduce the footprint of laptops that actually need FDE and make the deployment more manageable and affordable.

This is just one example of how an "obvious" answer to a problem may not really be the best answer, just as using a .44 Magnum isn't the best way to get rid of mice.

The information security industry is stuck in a rut and needs to stop and reconsider what it is doing and why. It needs to step back and get a fresh view of things before making a decision or a recommendation. Those of us who are in the industry need to think instead of react, and we need to lead the charge within our companies when other departments or management start to bring a gun to a knife fight. Don't be afraid to challenge the status quo and to be the one who challenges conventional thinking.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.