IT security: Maxims for the ages

Roger G. Johnston leads the vulnerability assessment team (VAT) of the Argonne National Laboratory's Nuclear Engineering Division.

The team is tasked with conducting research on physical security devices, systems, and programs:

"The VAT has worked extensively in the areas of product anti-counterfeiting, tamper and intrusion detection, cargo security, nuclear safeguards, and the human factors associated with security using the tools of industrial and organizational psychology."

Problems resurface
Through his tenure at Los Alamos and Argonne, Johnston has accrued considerable experience finding and resolving security issues. In so doing, he realized something:

"Being a vulnerability assessor for physical security makes one pretty cynical. Or maybe you need to be cynical to see security problems. Or maybe both are true. Anyway, these maxims were developed partially out of frustration at seeing the same kinds of problems over and over again."

Johnston's quest
So, Johnston created his list of security maxims. I personally haven't heard the term "security maxim" before, so I want to make sure we agree to its meaning:

• Maxim: An expression of a general truth or principle. A principle or rule of conduct.

Johnston further qualifies the definition by admitting his security maxims are not theorems or the absolute truth:

"Security maxims are, in our experience, essentially valid 80-90 percent of the time in physical security and nuclear safeguards.

Initially, I didn't realize Johnston's focus was on physical security. Simply because his maxims meld nicely into the world of IT security. That's my opinion at least, let me know if you agree or not.

Favorite security maxims
The following are my choices of the many security maxims that Johnston has accumulated:

• Infinity Maxim: There are an unlimited number of security vulnerabilities for a given security device, system, or program, most of which will never be discovered (by the good guys or bad guys).

Johnston comments:

"We think this, because we always find new vulnerabilities when we look at the same security device, system, or program a second or third time, and because we always find vulnerabilities that others miss, and vice versa."

• Thanks for Nothin' Maxim: A vulnerability assessment that finds no vulnerabilities or only a few is worthless and wrong.
• Arrogance Maxim: The ease of defeating a security device or system is proportional to how confident/arrogant the designer, manufacturer or user is about it, and to how often they use words like "impossible" or "tamper-proof".
• So We're In Agreement Maxim: If you’re happy with your security, so are the bad guys.
• Ignorance is Bliss Maxim: The confidence that people have in security is inversely proportional to how much they know about it.

Johnston's comment:

"Security looks easy if you’ve never taken the time to think carefully about it."

• Weakest-Link Maxim: The efficacy of security is determined more by what is done wrong than by what is done right.

This maxim is true all of the time. Johnston comments:

"Because the bad guys typically attack deliberately and intelligently, not randomly."

The next few infer Johnston's experience with upper management:

• Father Knows Best Maxim: The amount that (non-security) senior managers in any organization know about security is inversely proportional to (1) how easy they think security is, and (2) how much they will micro-manage security and invent arbitrary rules.
• Big-Heads Maxim: The farther up the chain of command a (non-security) manager can be found, the more likely he or she thinks that (1) they understand security and (2) security is easy.
• Huh Maxim: When a (non-security) senior manager, bureaucrat, or government official talks publicly about security, he or she will usually say something stupid, unrealistic, inaccurate and/or naïve.

My personal favorite:

• Voltaire's Maxim: The problem with common sense is that it is not all that common.

The following maxims explain why security issues are slow to be resolved:

• Show-Me Maxim: No serious security vulnerability, including blatantly obvious ones, will be dealt with until there is overwhelming evidence and widespread recognition that adversaries have already catastrophically exploited it. In other words, "significant psychological (or literal) damage is required before any significant security changes will be made".
• Irresponsibility Maxim: It’ll often be considered "irresponsible" to point out security vulnerabilities (including the theoretical possibility that they might exist), but you’ll rarely be called irresponsible for ignoring or covering them up.
• Backwards Maxim: Most people will assume everything is secure until provided strong evidence to the contrary-exactly backwards from a reasonable approach.

Michael Kassner has been involved with with IT for over 30 years. Currently a systems administrator for an international corporation and security consultant with MKassner Net.