Web Log news, events, and more

Monday, August 2, 2010

Challenging Our Truths: A New Engagement Strategy

Now and again, it’s a good idea for information security experts to pause and examine the “truths” of their religion. Those of us practicing the art of information security are fond of aphorisms like, “Security is a process, not a state.” But we still find ourselves advising that access control is a strong security measure. Two recent scholarly works suggest that it’s not.

A 2009 research paper by Master's students at the Norwegian University of Science and Technology demonstrates by experimentation that the password encryption algorithms in popular operating systems are inherently weak. The most popular operating system in the world, in fact, uses an encryption algorithm that is known to be insecure.

The second item—an article in IEEE Privacy & Security Magazine titled What’s Wrong with Access Control in the Real World?—helps explain the fatal and mostly ignored flaws underlying modern access control regimes. Those flaws include the propensity of users to choose efficiency over security. In researching their article, the authors learned of a “critical control room door that is password-protected—because it needs to be secure—but has the password written on it—because if there’s an emergency, someone would need to gain entry.”

Stories like these reinforce the notion that practitioners tend to favor simple rules and models to explain and rectify security problems. Interestingly, that most popular simplification—security is a process, not a state—hints at current limitations in security architecture and points the way forward to a better approach. If security is indeed a process, it can be monitored. That's the opinion of NASA CIO Linda Cureton. She recommends that organizations fortify but, more importantly, develop situational awareness and engage in ongoing assessment of their risk landscape. In Ms. Cureton's words:
  • "Army General Keith Alexander, the nation's first military cyber commander, described situational awareness as simply knowing what hackers are up to. He goes on to say that with real-time situational awareness, we are able to know what is going on in our networks and can take immediate action."
  • "Chinese General Sun Tzu said that, 'If you know the enemy and know yourself you need not fear the results of a hundred battles.' It is through an understanding of the state of our specific environment and the particular risks and threats we face where we can take the right actions to produce the results that we need."

1 comment:

David J Blackburn said...

I love it when you talk contrarian.

There's more to the art of info war that InfoSec can learn from.


"The art of war, then, is governed by five constant factors, to be taken into account in one's deliberations, when seeking to determine the conditions obtaining in the field.

These are: (1) The Moral Law; (2) Heaven; (3) Earth; (4) The Commander; (5) Method and discipline."