Superficial Security

By Ben Rothke  |  Posted 2005-02-21 Print this article Print

Too many organizations deploy security technologies because they feel they have to, yet they often leave them so poorly configured that they do more harm than good.

In a new book, "Business Under Fire: How Israeli Companies are Succeeding in the Face of Terror—and What We Can Learn from Them," author Dan Carrison interviewed consultant Danny Halpern, who said, "In Israel, I believe we invest more in the quality of our security people and less in the mechanics. In America, because of the huge numbers, the investment is in the mechanics—the system—and then they hire minimum wage security staff."

This focus on mechanics has brought us the turf wars between the CIA and FBI, elderly women being forced to remove their shoes at airports and other counterterrorism security nonsense.

Similar nonsense—the result of merely going through the motions of physical security—exists in information security. Too many organizations deploy security technologies because they feel they have to, yet they often leave them so poorly configured that they do more harm than good.

Security guru Marcus Ranum made this observation to me about poorly configured firewalls and noted that "eventually, if enough data is going back and forth through your firewall, it is no longer a firewall, its a router!"

Whatever the technologies, from IDS to PKI, organizations have deployed them to keep up with the data security Joneses, rather than from a correctly understood need.

Getting out of the mechanics of information security and into the realm of proactive data defense requires two things.

The first is performing a comprehensive risk assessment. Deploying security products without first performing such an assessment is like taking medication without knowing what disease you have.

Effective risk assessment and analysis ensure that your organization is dealing with real threats. The fact is, the most dangerous threats come from inside, contrary to the widespread perception that they come from the outside. Organizations that build their information security infrastructure to deal with false threats are left with a misleading veneer of protection.

Second, you must ask how a given security product will solve your problem. Hundreds of millions of dollars were wasted on PKI systems because organizations deployed them without understanding what their problem was or what a PKI system could do to solve it.

Too often, organizations go through the mechanics of purchasing and deploying security software and hardware items without knowing why.

They are wasting time and money building, literally, a false sense of security that is often more dangerous to their organizations than no security measures at all.

Ben Rothke is a New York-based security consultant with ThruPoint Inc. and the author of "Computer Security: 20 Things Every Employee Should Know." He can be reached at Free Spectrum is a forum for the IT community and welcomes contributions. Send submissions to

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel