I saw a quaint marketing message from a security vendor recently that made a call for “back to basics.” This is a somewhat intriguing piece of advice to give, considering that the basics aren’t really getting the job done these days. For that matter, security in general seems to be flailing about most days, groping through the darkness for solutions to problems we don’t really understand or define very well. Unfortunately, we’re constantly confronted with a shrillness in sales and marketing pitches that spins us around, pointing us in every direction on the compass, and yet to what end? Context is missing…
Here’s an example of missing context (WARNING: this post/site may not be deemed safe for work due to the use of harsh language). The post rants against the ongoing use of anti-virus software in the enterprise. Does anybody really see AV as a panacea these days? Are we really all living under a delusion of false hope and security? Perhaps “the business” or consumers have such delusions, but we in the security industry have known better for ages.
The point that’s missed, however, is that even if AV only catches, say, 40% of the mundane garbage out there, it’s still better than catching 0%. Moreover, if your organization does not deploy AV and it suffers a breach, productivity loss, or data loss as a result of a mundane piece of malware, there will be dire consequences for those who opted not to deploy it. True, we know that 40% does not equal 100% no matter how you look at it, but being reasonable we also have to realize that it’s important to at least filter out the mundane background noise. The same line of thinking applies to firewalls.
Then there’s the story of how the new Apple TouchID interface has been hacked by the Chaos Computer Club. It’s an interesting story, but definitely not one that should result in the mass hand-wringing we’ve heard from some in the security industry. Put into proper context, Apple reportedly is targeting users who don’t apply any security to their devices today (no PIN, password, or pattern). So, in that regard, even if the fingerprint can be faked, the fact that they have /something/ limiting access is better than not having anything at all. And, in fact, for those concerned about the fingerprint being hackable, adding a PIN is easy (read about that here).
What I also find interesting about the iPhone TouchID “hack” is this: so you can lift a fingerprint and get it scanned by the device. Great. But… that means you have physical access to both my fingerprints AND the device. Those can be pretty big IFs. I’d be more impressed if they lifted the fingerprint off the case (or cover) of an iPhone and then used it to guess the right finger. So, yes, it can be defeated, but really, so what? Put into a proper risk management context, this is fairly trivial.
Over the past week, I think I’ve had about a half-dozen “public” conversations (such as on Twitter and Facebook) about the missing context. It’s way too easy to freak out about the latest hack/attack and jump off the cliff (so to speak). However, when you put some context around an issue, it is fairly common to realize that what you’re seeing really isn’t a huge crisis, or that there are other compensating controls in place, or that the threat or weakness doesn’t really apply the same way in the given scenario. Take the emotionalism out of these scenarios, level-set with good ol’ context-setting, and then let things progress naturally from there. The worst thing we can do for ourselves, our careers, our employers, our society… is to be shrill Chicken Littles.
What do you think? How’s your context-awareness today?