Secure enough theory

Secure enough theory is an interesting security theory that walks you through how to estimate the effort needed to secure your environment. It introduces the concept of "secure enough", and explains how attacks are likely to hit you if you do not do the basics.

I started working as an infrastructure and security specialist. I started learning about security theory and cryptography in 2004, and it was like a dark science to me. I think people should focus on security theories and risk assessments more than on security products themselves. I see many enterprises and government agencies buying security boxes and expensive security solutions just because they have a security budget, and perhaps to give themselves a false sense of security. People tend to jump into solutions instead of identifying causes and problems.

I sometimes get asked this question: "Do we have a secured network?" People think that my role is to make things 100% secure, and that if we bought dozens of security products and the latest intrusion detection and prevention devices, in addition to deploying smart cards, we would have reached the state of a secured network. The answer to all those questions is NO.

"Security" is defined as "freedom from risk or danger; safety". It is obvious that security in computers can never achieve this goal. "Computer Security", on the other hand, is better understood as "management of risk", whereas "secure" would mean we can stop working because the network is now secure.

So, network security is a process, a task description, not an end state. It is a journey, not a destination. I would like to think of network protection as the goal and network security as the task description.

Let us get back to the question "Is your network secured?" Well, we cannot answer this question; instead we are aiming to have a "secure enough" network. What does that mean? One way to look at it is by comparing it to a car alarm. Does a car alarm make it harder to steal a car? No, not really. Does it prevent the theft? Well, that depends. If you have an alarm but the car next to you does not, it is likely that a thief will just steal the car next to yours (unless he really wants yours).

It is kind of like the old story about a camping trip. Two guys are sitting by the fire and one of them asks what they will do if a bear comes. The other guy says, "That's why I am wearing sneakers." The first guy asks, "Do you really think you can outrun a bear, though?" The second responds, "No, but I don't need to. I just need to outrun you!" In some cases, it is simply enough to be a more difficult target than someone else.

I hope my idea is clear now. As long as the bad guys are not out to get your network specifically, if you protect your network sufficiently, it is likely that they will attack a network that is less secure, unless they really want something from your network. So you face two challenges: protecting your network from the casual attacker or the virus that does not care which network it destroys, and protecting your network from the determined attacker who wants information from you.

However, if you take some fundamental steps, you will have accomplished the former as well as made the job of the determined attacker much harder. This frees you to focus on staying far enough ahead of the determined attacker. In a sense, protection is temporal security: it makes sure that you are secure until the bad guys learn enough to break your defenses.

That's only my view. Tell me what you think.