ASIS 2007 24 for handouts...All security units should not be keyed alike. Mechanical Design Don’t...


Page 1

Roger G. Johnston, Ph.D., CPP

Jon S. Warner, Ph.D.

Eddie G. Bitzer, M.A.

Vulnerability Assessment Team, Los Alamos National Laboratory

[email protected] 505-667-7414

http://pearl1.lanl.gov/external/c-adi/seals

How to Design a Physical Security Device, System, or Program

LAUR-07-5439

Recommendation Ratings

Rating (security improvement / cost or hassle ratio)    For which security applications?
high ratio                                              all!
medium ratio                                            consider for all
low ratio                                               mostly for high security

Don’t rely on a mechanical tamper switch!*

If you’re going to use a mechanical tamper switch:

• keep it away from the sides & slots
• make it small
• surround it with hardware to limit access
• use a dog leg or rotation design
• use non-square angles
• protect the lever arm by surrounding it with a hardened or frangible tube.

Tamper Detection

Page 2

Use a light sensor to detect room light, or a magnetic sensor to detect lid opening or enclosure removal.

Provide photos of the actual circuit boards for the device that shipped.

Encourage users to inspect the outside of the device frequently (and tell them what to look for).*

Encourage users to inspect the insides of the device periodically (and tell them what to look for).

Serious thought needs to be given to the case.

Tamper Detection

Use frangible or other tamper-evident containers or enclosures. Use materials that are hard to glue, weld, solder, stick labels to, and/or repair: polyethylene, polypropylene, glass, SS (stainless steel), aluminum, self-oiling brass.

Painted metal or anodized aluminum are not tamper-indicating materials.

Use hardened materials: alumina & other modern ceramics, or quartz glass where helpful.

Tamper Detection

Use non-standard colors for plastics, paints, & coatings.

Consider wood and acrylic with embedded particles or 3D patterns.

If you are measuring electrical resistance to detect tampering or intrusion, measure the true numeric value, not just conductive or non-conductive.

Tamper Detection
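An added example (not code from the LANL slides) of the resistance point above: a tamper-loop monitor that compares each reading against a baseline learned at commissioning, so a shunt clipped across the loop (resistance drops) or a spliced-in extension (resistance rises) is caught, whereas a continuity-only check reports both as fine. The commissioning and field readings are constructed, and the 1 MOhm open-circuit ceiling and 4-sigma band are this example's own assumptions.

```python
# Added example (not from the LANL slides): a tamper-loop monitor that
# compares the measured resistance against a learned baseline instead of
# asking only "open or closed?". A shunt across the loop lowers the
# resistance, a spliced-in extension raises it; a continuity check misses both.
from __future__ import annotations
from dataclasses import dataclass
from statistics import mean, stdev

OPEN_OHMS = 1e6  # at or above this the loop is treated as cut (assumed ADC ceiling)


@dataclass(frozen=True)
class LoopBaseline:
    ohms: float       # nominal loop resistance learned at commissioning
    tolerance: float  # accepted relative deviation (0.01 = +/-1 %)


def learn_baseline(readings: list[float], k: float = 4.0, min_tol: float = 0.01) -> LoopBaseline:
    """Learn the nominal value and a +/- band (k sigma, but never tighter than
    min_tol) from readings taken while the enclosure is known to be intact."""
    m = mean(readings)
    s = stdev(readings) if len(readings) > 1 else 0.0
    return LoopBaseline(ohms=m, tolerance=max(min_tol, k * s / m))


def continuity_only(ohms: float) -> str:
    """The weak check the slide warns against: conductive vs. non-conductive."""
    return "OPEN" if ohms >= OPEN_OHMS else "OK"


def classify(ohms: float, base: LoopBaseline) -> str:
    """Numeric check: OK inside the band, LOW (shunt/short), HIGH (splice/extension), OPEN (cut)."""
    if ohms >= OPEN_OHMS:
        return "OPEN"
    deviation = (ohms - base.ohms) / base.ohms
    if abs(deviation) <= base.tolerance:
        return "OK"
    return "LOW" if deviation < 0 else "HIGH"


# Constructed commissioning readings for a nominal 1 kOhm loop.
COMMISSIONING = [998.5, 1001.2, 999.8, 1000.4, 1000.1]

# Constructed field readings: intact; a 1 kOhm shunt clipped across the loop
# (two 1 kOhm in parallel = 500 Ohm); a spliced-in 40 Ohm extension; a cut wire.
FIELD = {"intact": 1005.0, "shunted": 500.0, "spliced": 1040.0, "cut": 1e7}


def compare(readings: dict[str, float], base: LoopBaseline) -> dict[str, tuple[str, str]]:
    """Return {label: (continuity verdict, numeric verdict)} for each reading."""
    return {k: (continuity_only(v), classify(v, base)) for k, v in readings.items()}


if __name__ == "__main__":
    base = learn_baseline(COMMISSIONING)
    print(f"baseline {base.ohms:.1f} Ohm +/- {base.tolerance:.1%}")
    for label, (cont, num) in compare(FIELD, base).items():
        print(f"{label:8s} continuity={cont:4s} numeric={num}")
```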

Page 3

Cradle-to-grave security of a security product is critical. A security device or system can be compromised in just a few seconds if left unattended on a loading dock, or left in storage by the end-user prior to installation.

Can your people be bribed to allow product tampering or counterfeiting? Have you tested this?

How secure is your factory to break-in? Can you tell if someone has been making unauthorized parts or units?

Factory, Vendor, Storage, & Shipping Security

No hinges on the outside!*

Don’t put a big, opaque, empty dial knob on a safe or other security device.

Protect & inspect the communications pipe.

Worry about low-tech attacks first.

Types of attacks to worry about: fault analysis, power analysis, buffer overflow, social engineering, watch and pounce, false alarming, time slip attacks, etc.

Mechanical Design

Constantly remind yourself that “keys” (or badges, PINs, keypads, combinations, or biometrics) do not open doors. They actuate some mechanism that opens the door. The adversary can usually bypass the need for a key.

Sophisticated access control devices are useless if the door can be popped open with a credit card, or if someone can jump over the turnstile.

Don’t use cheap switches. Protect all switches!

Mechanical Design

Page 4

Don’t leave lots of empty interior space. Use transparent space fillers.

Use transparent potting (or at least not a lot of unnecessary opaque potting).*

If appropriate, use thick metal enclosures to block rf emanations & signals from alien rf devices that may have been planted inside the security device.

On an electronic access control device, don’t make it easy to access the pins or wiring that open the door or turnstile!

Mechanical Design

Have a simple front panel design so users can easily spot when something has been added.

Don’t have removable front panel components, or easy to remove access panels or covers.

Protect the keypad from unauthorized view.

Use keypads with random digits.

Don’t use cheap locks on a high security device!

All security units should not be keyed alike.

Mechanical Design

Don’t make servicing too easy.

Good security requires user-friendliness.

Don’t use the digits 0 or 1, or the letters i, o, or L for license numbers, activation codes, passwords, serial numbers, etc.

User Interface
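An added example (not from the LANL slides) of the unambiguous-alphabet rule above: serial or activation codes drawn from an alphabet without 0, 1, I, O and L, plus a check character so a mistyped or transposed symbol is rejected instead of silently accepted. The weighted-sum-mod-31 check scheme and the sample codes are this example's own.

```python
# Added example (not from the LANL slides): generate and validate serial /
# activation codes over an alphabet that omits 0, 1, I, O and L, with a check
# character so that a mistyped or transposed symbol is rejected rather than
# silently accepted. The scheme (weighted sum mod 31) is this example's own.
from __future__ import annotations
import secrets

ALPHABET = "23456789ABCDEFGHJKMNPQRSTUVWXYZ"  # 31 symbols: 8 digits + 23 letters
INDEX = {c: i for i, c in enumerate(ALPHABET)}
MAX_BODY = 30  # weights 1..30 are all non-zero mod 31, so any single-symbol error is caught


def check_char(body: str) -> str:
    """Position-weighted sum modulo the (prime) alphabet size."""
    total = sum((pos + 1) * INDEX[c] for pos, c in enumerate(body))
    return ALPHABET[total % len(ALPHABET)]


def generate(body_len: int = 15, group: int = 5) -> str:
    """Random body from the unambiguous alphabet, plus check char, grouped with dashes."""
    if not 1 <= body_len <= MAX_BODY:
        raise ValueError("body length out of range")
    body = "".join(secrets.choice(ALPHABET) for _ in range(body_len))
    code = body + check_char(body)
    return "-".join(code[i:i + group] for i in range(0, len(code), group))


def normalize(code: str) -> str:
    """Upper-case and strip grouping. Deliberately does NOT map 0->O or 1->I:
    neither symbol can legitimately occur, so a typo is reported, not guessed."""
    return code.upper().replace("-", "").replace(" ", "")


def validate(code: str) -> tuple[bool, str]:
    """Return (ok, reason)."""
    c = normalize(code)
    if len(c) < 2:
        return False, "too short"
    if len(c) - 1 > MAX_BODY:
        return False, "too long for this check scheme"
    bad = sorted({ch for ch in c if ch not in INDEX})
    if bad:
        return False, "illegal or ambiguous character(s): " + "".join(bad)
    if check_char(c[:-1]) != c[-1]:
        return False, "check character mismatch"
    return True, "ok"


if __name__ == "__main__":
    code = generate()
    print(code, validate(code))
    # Constructed samples: valid, transposed digits, lower case, and an O typed for a 0.
    for sample in ("2345P", "2435P", "2345p", "23O5P"):
        print(sample, validate(sample))
```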

A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools.

-- Douglas Adams (1952-2001)

Page 5

So called “security screws” or “tamper-proof screws” are for discouraging kids from disassembling restroom equipment on a lark. They are not for serious security.

Don’t use X-ray blocking material (e.g., barium sulfate) as a countermeasure to X-rays when the adversary can easily determine details of the circuit or interior structure anyway.

Don’t be overly concerned with thermal attacks (except for cold attacks on electronics).

Security Theater (Ceremonial Security)

Don’t harden or strengthen parts when that adds nothing to security. Flimsy is often better for tamper detection.*

Don’t assume asynchronous operation or communication is more challenging to an adversary than synchronous. It doesn’t usually matter.

Simple photocell beam detectors are easily defeated.

Security Theater (Ceremonial Security)

Engineers typically don’t understand security issues, and are not psychologically predisposed to thinking like bad guys.

Don’t let the design engineers build in all kinds of superfluous options and features because they can.

Complexity opens more avenues for attack.

Remember: Bad guys typically have access to the same documentation for the electronic components that the engineer does.

Engineers

Page 6

Don’t use sockets for ICs or microprocessors! Solder instead.

Use multi-layer printed circuit boards.

Pay attention to the IC packaging used.

Minimize the number of JTAG and other test points. Don’t make them easy to access! Disable if possible.

Employ hardware and software to detect chip removal.

Electronics

Newer, cheap solid state sensors for detecting tampering & intrusion exist and should be used.

Coat circuit board and electronic components in a clear epoxy resin.

Uniquely serial number or otherwise tag critical chips, memory, and microprocessors.

Avoid using binary sensors (open or closed only).

Use phase or frequency-modulated sensors to make splice/shunt attacks harder.

Electronics

Don’t make the microprocessors & memory easy to physically access!

Code Protect: Set the microprocessor security bit!

Don’t assume security bits will protect your product.

Store keys and other secret data on the microprocessor, instead of external RAM.

Watch for attacks involving power loss, voltage drops, and rapid temperature changes.

Microprocessors

Page 7

Remember: XOR’ing is not cryptography!

Don’t write overly straightforward software.

Be wary of data remanence! Write data to the memory cells prior to use. Use constant rewriting and moving around of keys. Reprogram memory cells prior to erasing. Use the latest high-density storage devices.

Use custom communications protocols.

Microprocessors

Vulnerability Assessors should be involved in the design & development process early and throughout.

Have good controls for hardware & software changes.

Sensors should be guarding the microprocessor, electronics, and other sensors.

Field units: Disable or remove backdoors & diagnostics that were useful during development. Think carefully about the vulnerabilities introduced in allowing field diagnostics.

Other Design Issues

Design free samples & evaluation kits intelligently so as not to compromise security.

Use the anti-evidence approach for tamper & intrusion detection.

Think carefully about patenting security devices.

Pay attention to the market for used security devices and parts. (Check eBay!) Who is ordering spare parts and why?

Other Design Issues

Page 8

An access control field unit should not have enrollment or total database downloading features built in for no reason.

Be wary of electromagnetic emanations from your security device or system!

Don’t confuse inventory with security. Don’t confuse high-tech with high-security.

RFIDs, contact memory buttons, & GPS are NOT security devices.

Other Design Issues

• rf tags (RFIDs)
• contact memory buttons
• GPS

Usually easy to:
• lift
• counterfeit
• spoof the reader

GPS: Very easy to spoof, not just jam!

Inventory ≠ Security
High Tech ≠ High Security

• The private sector, foreigners, and 90+% of the federal government must use the civilian GPS satellite signals.

• These are unencrypted and unauthenticated.

• They were never meant for critical or security applications, yet GPS is being used that way!

The wireless telegraph is not difficult to understand. The ordinary telegraph is like a very long cat. You pull the tail in New York, and it meows in Los Angeles. The wireless is the same, only without the cat. -- Albert Einstein (1879-1955)

Page 9

Easy to do with widely available GPS satellite simulators.

These can be purchased, rented, or stolen.

Not export controlled.

Many are surprisingly user friendly. Little expertise is needed in electronics, computers, rf, or GPS to use them.

Spoofing GPS Civilian Receivers

Diagram: GPS satellite → GPS signal (vulnerable here) → tracking information sent to HQ (perhaps encrypted/authenticated)

GPS is great for navigation, but it does not provide security.

GPS Cargo Tracking

• Many international networks (computer, utility, financial, & telecommunications) get their critical time synchronization signals from GPS. They are somewhat prepared for jamming, but not for spoofing, which is easy and could cause them to crash.

• The alternate time standard (NIST atomic clock) is also not authenticated or encrypted.

Time Vulnerabilities

Time flies like the wind. Fruit flies like a banana. -- Groucho Marx (1890-1977)

Page 10

Look (in hardware or software) for artificial characteristics of GPS satellite simulator signals (or pre-recorded real GPS signals):

• wrong time
• suspiciously low noise
• excessive signal strength
• artificial spacing of signals
• no time variation in signal strength
• all satellites have the same signal strength
• do a sanity check (e.g., no 10g accelerations)

GPS Spoofing Countermeasures
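An added example (not code from the LANL slides) of the countermeasure list above: a receiver-side check that scores a short window of position fixes for the simulator signatures listed (wrong time against an independent clock, unphysically low noise, excessive and identical signal strengths, no variation over time, and an impossible acceleration). The fix fields, thresholds, and both sample windows are this example's own assumptions; "artificial spacing of signals" is not modelled, and real thresholds must be tuned to the receiver and antenna.

```python
# Added example (not from the LANL slides): score a window of GPS fixes for
# the artificial characteristics of simulator or replayed signals. Fields,
# thresholds and sample data are assumptions made for this example.
from __future__ import annotations
from dataclasses import dataclass
from statistics import pstdev
import math

G = 9.81  # m/s^2


@dataclass(frozen=True)
class Fix:
    t: float                         # time reported by the GPS solution (s)
    wall: float                      # independent local clock, e.g. a disciplined oscillator (s)
    cn0: dict[str, float]            # per-satellite carrier-to-noise density, dB-Hz
    noise_floor: float               # measured noise density, dBm/Hz
    vel: tuple[float, float, float]  # velocity solution, m/s


def spoof_indicators(window: list[Fix], *, max_clock_err: float = 1.0,
                     max_cn0: float = 52.0, min_noise: float = -176.0,
                     min_spread: float = 1.0, min_variation: float = 0.2,
                     max_accel: float = 10 * G) -> list[str]:
    """Return the sorted list of indicators raised by this window (empty = nothing odd)."""
    flags: set[str] = set()
    for f in window:
        if abs(f.t - f.wall) > max_clock_err:
            flags.add("wrong time")
        if f.noise_floor < min_noise:  # below the -174 dBm/Hz thermal floor is unphysical
            flags.add("suspiciously low noise")
        levels = list(f.cn0.values())
        if max(levels) > max_cn0:
            flags.add("excessive signal strength")
        if len(levels) > 1 and max(levels) - min(levels) < min_spread:
            flags.add("all satellites same signal strength")
    # Per-satellite C/N0 should wander over time as geometry and multipath change.
    for sat in {s for f in window for s in f.cn0}:
        series = [f.cn0[sat] for f in window if sat in f.cn0]
        if len(series) >= 3 and pstdev(series) < min_variation:
            flags.add("no time variation in signal strength")
    # Sanity check on dynamics: a truck does not pull 10 g.
    for a, b in zip(window, window[1:]):
        dt = b.t - a.t
        if dt <= 0:
            flags.add("wrong time")
            continue
        if math.dist(b.vel, a.vel) / dt > max_accel:
            flags.add("implausible acceleration")
    return sorted(flags)


def _fix(i, cn0, noise=-173.5, vel=(25.0, 0.5, 0.0), clock_offset=0.0):
    base = 1_000_000.0 + i
    return Fix(t=base + clock_offset, wall=base, cn0=cn0, noise_floor=noise, vel=vel)


# Constructed window from a genuine-looking receiver: unequal, slowly varying C/N0.
GENUINE = [
    _fix(0, {"G01": 44.1, "G05": 39.8, "G12": 47.3, "G20": 36.5}),
    _fix(1, {"G01": 44.6, "G05": 40.3, "G12": 46.9, "G20": 37.1}),
    _fix(2, {"G01": 43.8, "G05": 39.5, "G12": 47.6, "G20": 36.2}),
    _fix(3, {"G01": 44.4, "G05": 40.0, "G12": 47.1, "G20": 36.8}),
]

# Constructed window from a simulator: identical, flat, too-strong signals,
# clock 30 s off the local oscillator, and a 150 m/s velocity jump in one second.
FLAT = {"G01": 55.0, "G05": 55.0, "G12": 55.0, "G20": 55.0}
SIMULATED = [
    _fix(0, dict(FLAT), noise=-180.0, vel=(25.0, 0.0, 0.0), clock_offset=30.0),
    _fix(1, dict(FLAT), noise=-180.0, vel=(25.0, 0.0, 0.0), clock_offset=30.0),
    _fix(2, dict(FLAT), noise=-180.0, vel=(175.0, 0.0, 0.0), clock_offset=30.0),
    _fix(3, dict(FLAT), noise=-180.0, vel=(175.0, 0.0, 0.0), clock_offset=30.0),
]

if __name__ == "__main__":
    print("genuine  :", spoof_indicators(GENUINE))
    print("simulated:", spoof_indicators(SIMULATED))
```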

The scientific theory I like best is that the rings of Saturn are composed entirely of lost airline luggage. -- Mark Russell

Encryption/Data Authentication

• Don’t knee jerk--it’s not a silver bullet
• Make sure you can really benefit from it
• Pointless if you don’t have good physical security
• Devil is in the details
• Lots can go wrong
• Good design, risk management, documentation, training, & execution is essential
• Must be based on adversary & threat
• No commercial product removes the hassles
• Rushing/laziness/instant gratification leads to failure
• Key management & distribution is nasty
• Scalability can be tricky

Encryption (v): Securing the communications channel between 2 hopelessly unsecured locations.

Don't use proprietary encryption or data authentication. Rely on NIST-validated algorithms & NIST-recognized implementations. (FIPS 140-1 and -2).

See http://www.itl.nist.gov/

Encryption/Data Authentication

Never answer an anonymous letter. -- Yogi Berra

Page 11

MS Word, Excel, PowerPoint, & .rtf Files

There are lots of ways to inadvertently or deliberately sneak out unintended data:

• Emailing files using Outlook automatically turns on Ad Hoc Review (change tracking), though it is often on anyway.
• Meta Data
• Invisible headers, footers, footnotes, & endnotes
• Notes/Comments
• Cropped images
• Images or text fields outside viewable area
• Drawing Objects that look like images but have grouped, hidden data
• Embedded objects
• White text on white background
• “Alternate text” field for web posting
• Tables of height zero aren’t visible
• Pasting a Chart also pastes the spreadsheet data, not just the graphic!

Partial Solutions

• See www.docdet.com

• Start each document out as fresh blank document, rather than starting from a pre-existing document

• Turn off Ad Hoc Review

• Use “Paste Special” not “Paste”

• Rigorous review of each document.

• Not solutions: text searches, commercial Meta Data cleaners

MS Word, Excel, PowerPoint, & .rtf Files

There are lots of ways to inadvertently or deliberately sneak out unintended data:

• Meta Data

• Orphan objects that don't show up

• Embedded comments

• Redacted (blacked out) data that isn’t really redacted

• Key stroke tracker option that’s easy to inadvertently turn on

Adobe Acrobat (.pdf) Files

Page 12

Partial Solutions

• Sanitize and redact documents before porting to .pdf form, instead of editing the pdf files

• See www.docdet.com

Adobe Acrobat (.pdf) Files

There are no differences but differences of degree between different degrees of difference and no difference. -- William James (1842-1910), inspiration under nitrous oxide intoxication

Warnings

Don’t be over-confident about biometrics or the difficulty of counterfeiting security devices!

Confidence is that feeling you have before you fully understand the situation. -- Anonymous

Warning: Tampering

Most (all?) access control systems are easy to tamper with:

• software
• hardware
• database
• power source
• microprocessor
• communications
• backdoor attacks
• door lock or turnstile

Page 13

• Guards supervising access control systems can usually be distracted.

• Guards need to know what an attack on the AC system looks like.

Warning: Access Control Oversight

As a rule, we perceive what we expect to perceive. The unexpected is usually not perceived at all. -- Peter Drucker (1909-2006)

• Counterfeiting security devices: Usually easier than developers, vendors & manufacturers claim.

• Often overlooked: The bad guys usually only need to counterfeit the superficial appearance and maybe the apparent performance. Much easier than true counterfeiting.*

Sincerity is everything. If you can fake that,you’ve got it made. -- Comedian George Burns (1985-1996)

Fake Counterfeits

Is it really your access control device?* Or is it a substitute (or a tampered version) that accepts everybody--maybe with occasional random false rejects to seem realistic?

Check (at random & unpredictable times, using unpredictable personnel) that your AC device actually rejects unauthorized people!

Warning: Counterfeit Devices

Page 14

Biometrics have a great future, but …

• Most are relatively easy* to counterfeit, despite claims by manufacturers & vendors to the contrary.

• Spoofing biometric access control devices is usually easy (without having to counterfeit the biometric).

Biometrics

I was the kid next door’s imaginary friend. -- Emo Philips

If N = the number of bits in the biometric signature, then 2^-N is NOT:*

• the probability of two people having the same signature

• the Type 2 (false accept) error rate

Biometrics Statistics

Watch out for bogus statistics & phony performance specs!

We train dogs. We educate and motivate people.

Promote, sell, & motivate good security by employees, contractors, and vendors.

Use examples. Show people how to do things, don’t tell them what not to do.

Avoid the negative terms*: Don’t! Never! No!

What’s in it for me?

Security Awareness “Training”

Page 15

Make connections to personal security: home computer security, burglary, identity theft, etc.

Refer to news stories about security breaches in other organizations and the consequences.

Have metrics for effectiveness

Be entertaining & positive, not threatening & boring.

Security Awareness “Training”

The hard part about being a bartender is figuring out who is drunk and who is just stupid. -- Richard Braunstein

Use people-oriented instructors, not bureaucrats, technocrats, burnouts, zombies, & dead wood.

Less is more. Stick with the most important risks.

Security Awareness posters should offer helpful security tips & solutions, not platitudes, mindlessness, insults, & threats.

Train employees, contractors, vendors, managers, & security personnel on phishing, spear-phishing*, social engineering**, impersonation, misdirection, sleight of hand, & dangers of unauthorized software.

Security Awareness “Training”

You can go anywhere if you look serious and carry a clipboard. -- Anonymous

Don’t ignore, underestimate, under-report the insider threat (as most organizations do).

Big Error: thinking the Insiders in Insider Threat are only your employees. Don't forget about contractors, outsourcing, consultants, legal and public relations advisors, banks & investors, vendors, etc.

Careless insiders vs. malicious insiders: We need to recognize they are different and require different countermeasures. The former are more numerous.

Insider Threat

Page 16

Treat everybody well, especially ex-employees & retirees.

Have a complaint resolution process that is widely viewed as fair & effective (for contractors, too.)*

Try to restrain HR tyranny & evil.

Have an anonymous security hot line for concerns.

Insider Threat

You can get more with a kind word and a gun than you can with a kind word alone. -- Al Capone (1899-1947)

Manage expectations. Most insider disgruntlement involves unmet expectations. (Technical people often have very high expectations.)

There are usually behavioral precursors to insider attacks by disgruntled insiders. Sudden change is most indicative: drugs/alcohol, aggression/hostility, can’t get along with coworkers, performance drops, late for work or no show.

Employee arrogance, feeling above the rules, needing to be special are often precursors to an insider attack.

In my opinion, we don’t devote nearly enough scientific research to finding a cure for jerks. -- Calvin from Calvin & Hobbes

Insider Threat

Do background checks including 5-year reviews.

Have NDAs for contractors, vendors, & consultants.

If you fire somebody or they terminate, they are gone.

Watch for employees who suspect they are soon to be gone.

Remove access not just for employees & contractors leaving, but for those changing assignments & getting promotions. Train managers and rehearse.

Insider Threat

Page 17

Cyber, IP, & Information Security

Watch out for “spear-phishing”*, especially with IT security

Copy machines and faxes should be in open, publicly viewable areas.

Worry about printed hard copies left on faxes, copiers, and printers.

Copy several sheets after faxing, copying, or printing sensitive material.

When all candles bee out, all cats be grey. -- John Heywood, ~1565.

Cyber, IP, & Information Security

www.securitymetrics.org

http://www.cert.org/insider_threat

There’s no Cyber, IP, or Information Security without Physical Security.

Old Paradigm for IT security: Secure the network, keep information isolated, concentrate on protecting hardware & software. New Paradigm: Secure data, enable secure data sharing, concentrate on protecting information, with people, not technology, being the most powerful tool.

Vendors & Manufacturers

Do discuss the vulnerabilities of your competitors’ products and what you do differently.

Have a crummy, low-security product line.*

Don’t write lousy manuals, which…

• don’t match actual design
• offer no examples
• provide no descriptions of what attacks look like
• have no discussion of countermeasures

Who were the beta testers for Preparations A through G? -- Bumper Sticker

Page 18

Customers

Don’t buy based on hearsay, gossip, and innuendo.

The unit price is rarely the most important economic factor, much less security factor.

The more expensive products or services are often no better.

Never ask a barber if you need a haircut. -- Anonymous

Vulnerability Assessments

Involve “hacker” types in vulnerability assessments even if not involved with security. Hacker attributes: skepticism, arrogance, creativity, need to demonstrate cleverness, need to be special, good at finding loop-holes, questioners of authority, hands on types, wise guys.

Never have faith in your own security assessments, or your own security products.

Do Adversarial Vulnerability Assessments early and often.

Metacognition

From now on, I’ll connect the dots my own way. -- Calvin from Calvin & Hobbes

“I think the worst problem was the way the security was set up for this particular project. The people who set it up were actually trying to be very conscious of security, but they didn't make a plan that addressed all the potential risks.” -- Testimony to Congress after a serious security incident

"While serious, the incident in question was the result of human error, not a failure of security systems. We have a robust system in place to report and investigate potential violations. In my opinion, this is a circumstance where those systems worked well." -- Official government agency statement after a serious security incident

Vulnerability Assessments

Page 19

Warning: Multiple Layers of Security (“Security in Depth”)

Multiple layers of bad security do not equal good security.

Some layers are not backups for others. (Example: tamper-indicating seals & fences.)

Leads to complacency & sends the message that security is a half-baked activity.

Tends to be a cop-out to avoid improving any 1 layer.

Usually means the insider threat hasn’t been considered.

Some layers may not counter the insider threat. (Example: fences.)

Security is only as good as the weakest link. -- old adage

Security Officer Turnover

• High turnover is more than a financial problem, it is a security vulnerability

• Guard force turnover is among the highest of any job today

• What can be done?
  • Job analysis and competency modeling
  • Pre-hire strategies
  • Post-hire strategies

Security Officer Turnover

• Pre-hire strategies include:
  • Realistic job previews
  • Personality and integrity testing
  • Bio-data

• Post-hire strategies include:
  • Treating employees well and paying well
  • Organizational Socialization/Orientation
  • Effective supervisors and managers

Page 20

Security Culture

• Security culture is the WHAT in terms of security within the organization
  • Basic assumptions
  • Values
  • Artifacts

• People make sense of their environment and what is expected of them through culture

Security Culture

• Basic assumptions
  • What are the organization’s assumptions regarding security?
  • Where do they come from?
  • How are they communicated?

• Values
  • What are the organization’s values regarding security?
  • Are the values both espoused and enacted?
  • Are they clear to all employees?

• Artifacts
  • What artifacts are important?
  • Do the artifacts reinforce the assumptions and values?
  • How will changing artifacts impact the organization’s climate?

Security Climate

• Security climate is what employees perceive the organization to be in terms of security
  • Management Support
  • Co-worker Support
  • Policies and procedures

• People behave based upon their perception of reality, regardless of whether that perception is correct

Page 21

Security Climate

• Management support
  • Is appropriate behavior modeled?
  • Are the necessary resources provided?
  • Is there pressure to cut corners?
  • Is there collusion?

• Co-worker support
  • What are the group norms?
  • Where (and who) do they come from?
  • Can they be altered if necessary? How?

• Policies and procedures
  • Is training adequate?
  • Do the policies and procedures make sense?
  • How can employee commitment be enhanced?

Don’t treat data or cargo at rest as the same as data or cargo in motion.

Don’t mindlessly ban new technology that people want to use because of security reasons. Try to intelligently accommodate it.

Truly randomize combination locks when you lock them up.

Good security usually has little to do with being in compliance with rules & regulations, or with keeping auditors & superiors happy. Sometimes it’s anti-correlated.

Organizational Security

Be business oriented first, security second.

Common sense and true security trump security rules.

But, if it's really a security rule, enforce it. If, however, it makes no sense or there is a better way, get rid of it or change it.

Don’t bend business practices to fit technology. The other way around.

Organizational Security

Page 22

Error: Security rules without justification, and without thinking about their effect on productivity and morale.

Avoid security rules that only the good guys follow.

Focus on: people, process, and technology in that order.

Chat up employees, contractors, & vendors.

Organizational Security

Reward good security, don’t scapegoat bad security.

Don’t rely on “security by obscurity”, or falsely promise customers secrecy.

Don’t assume adversaries will have trouble obtaining your product or reverse engineering it, because they won’t.

Which of your people will be targeted and for what?

Organizational Security

Have your own organization's classification scheme: public, proprietary, secret. Identify the ~1% most important info. Don't under or over classify. Don’t protect everything equally = protecting nothing.

Use RBAC - role-based access control

Be careful with ROI for seeking security funding.* Loss Prevention & Avoiding Damage to the Organization may be a better way to sell security to senior managers.

Organizational Security

Page 23

Security cannot just be about protecting physical assets.* 80% of the value of U.S. companies is now intellectual property, vs. 20% in 1970.

Adversaries often conduct espionage via:

- bogus job interviews
- phony trade journal interviews
- hanging out at nearby restaurants/bars
- newsletters & the graphics department
- impersonation
- targeting foreign national employees

Organizational Security

Reading List

2 books not about security that are really about security:

Carol Tavris & Elliot Aronson, Mistakes Were Made (But Not by Me) (2007).

Thomas L. Friedman, The World is Flat (2006).

Good Security Books:

William L. Simon, The Art of Intrusion (2005).

Frank W. Abagnale, The Art of the Steal (2002).

You can request related papers and reports at [email protected] to October 4 ([email protected] after that)

Vulnerability Assessment Team

http://pearl1.lanl.gov/external/c-adi/seals/index.shtml

Dr. Peter Chen, Dr. Roger Johnston, CPP, Michael Timmons, Anthony Garcia, Eddie Bitzer, M.A., Ron Martinez, Leon Lopez, Lance Griego, Dr. Jon Warner, Sonia Trujillo

If you look for truth, you may find comfort in the end; if you look for comfort you will get neither truth nor comfort…only soft soap and wishful thinking to begin, and in the end, despair. -- C.S. Lewis (1898-1963)

Page 24

Infinity Maxim: There are an unlimited number of security vulnerabilities for a given security device, system, or program, most of which will never be discovered (by the good guys or bad guys).

Arrogance Maxim: The ease of defeating a security device or system is proportional to how confident/arrogant the designer, manufacturer, or user is about it, and to how often they use words like “impossible” or “tamper-proof”.

Ignorance is Bliss Maxim: The confidence that people have in security is inversely proportional to how much they know about it.

Security Maxims

Be Afraid, Be Very Afraid Maxim: If you’re not running scared, you have bad security or a bad security product.

High-Tech Maxim: The amount of careful thinking that has gone into a given security device, system, or program is inversely proportional to the amount of high-technology it uses.

Schneier’s Maxim: The more excited people are about a given security technology, the less they understand (1) that technology and (2) their own security problems.

Low-Tech Maxim: Low-tech attacks work (even against high-tech devices and systems).

Security Maxims

Father Knows Best Maxim: The amount that (non-security) senior managers in any organization know about security is inversely proportional to (1) how easy they think security is, and (2) how much they will micro-manage security and invent arbitrary rules.

Huh Maxim: When a (non-security) senior manager, bureaucrat, or government official talks publicly about security, he or she will usually say something stupid, unrealistic, and/or naïve.

Voltaire’s Maxim: The problem with common sense is that it is not all that common.

Security Maxims


Yippee Maxim: There are effective, simple, & low-cost countermeasures (at least partial countermeasures) to most security vulnerabilities.

Arg Maxim: But users, manufacturers, managers, and bureaucrats will be reluctant to implement them, often for reasons of inertia, bureaucracy, pride, fear, wishful thinking, or cognitive dissonance.

Bob Knows a Guy Maxim: Most security products and services will be chosen by the end-user based on purchase price plus hype, rumor, innuendo, hearsay, and gossip.

Security Maxims

I Just Work Here Maxim: No salesperson, engineer, or executive of a company that sells physical security products or services is prepared to answer a significant question about vulnerabilities, and few potential customers will ever ask them one.

Double Edge Sword Maxim: Within a few months of its availability, new technology helps the bad guys at least as much as it helps the good guys.

Familiarity Maxim: Any security technology becomes more vulnerable to attacks when it becomes more widely used, and when it has been used for a longer period of time.

Security Maxims

Antique Maxim: A security device, system, or program is most vulnerable near the end of its life.

Payoff Maxim: The more money that can be made from defeating a technology, the more attacks, attackers, and hackers will appear.

I Hate You Maxim 1: The more a given technology is despised or distrusted, the more attacks, attackers, and hackers will appear.

I Hate You Maxim 2: The more a given technology causes hassles or annoys security personnel, the less effective it will be.

Security Maxims


Shannon’s (Kerckhoffs’) Maxim: The adversaries know and understand the security hardware and strategies being employed.

Corollary to Shannon’s Maxim: Thus, “Security by Obscurity”, i.e., security based on keeping long-term secrets, is not a good idea.

Gossip Maxim: People and organizations can’t keep secrets.

Plug into the Formula Maxim: Engineers don’t understand security. They think nature is the adversary, not people. They tend to work in solution space, not problem space.

Security Maxims

Rohrbach’s Maxim: No security device, system, or program will ever be used properly (the way it was designed) all the time.

Rohrbach Was An Optimist Maxim: Few security devices, systems, or programs will ever be used properly.

Insider Risk Maxim: Most organizations will ignore or seriously underestimate the threat from insiders.

We Have Met the Enemy and He is Us Maxim: The insider threat from careless or complacent employees & contractors exceeds the threat from malicious insiders (though the latter is not negligible).

Security Maxims

Troublemaker Maxim: The probability that a security professional has been marginalized by his or her organization is proportional to his/her skill, creativity, knowledge, competence, and eagerness to provide effective security.

Throw the Bums Out Maxim: An organization that fires high-level security managers when there is a major security incident, or severely disciplines or fires low-level security personnel when there is a minor incident, will never have good security.

Feynman Maxim: An organization will fear and despise loyal vulnerability assessors and others who point out vulnerabilities or suggest security changes more than malicious adversaries.

Security Maxims


Backwards Maxim: Most people will assume everything is secure until provided strong evidence to the contrary--exactly backwards from a reasonable approach.

You Could’ve Knocked Me Over with a Feather Maxim 1: Security managers, manufacturers, and vendors will always be amazed at how easily their security products or programs can be defeated.

You Could’ve Knocked Me Over with a Feather Maxim 2: Having been amazed once, security managers, manufacturers, and vendors will be equally amazed the next time around.

Security Maxims