- Lawrence M. Walsh
Bruce Schneier, renowned cryptographer and CTO of Counterpane Internet Security, is a security thought leader with several books to his name, including the cryptographer's bible, Applied Cryptography, and the best-selling primer on infosecurity, Secrets & Lies.
Following Sept. 11, Schneier searched for appropriate ways to describe rational security concepts. Surprisingly, he found himself using terms and paradigms developed by the infosecurity community to describe universal risk assessment and management. His latest book, Beyond Fear, is his attempt to explain how security--from home and personal safety to counterterrorism--works in the real world.
Q: In Beyond Fear, you write about security trade-offs, in which the desire for security means sacrificing something. How do trade-offs help or hinder an enterprise?
A: You can have as much security as you want, as long as you're willing to accept the trade-offs. Shortly after 9/11, a reporter asked me: "How can we prevent this from happening ever again?" "Easy," I replied. "Simply ground all the aircraft." It's a ridiculous notion, but we could ensure that the attack could never be repeated if we're willing to accept the trade-off. And even a trade-off as extreme as that was implemented following the terrorist attacks; we grounded all the aircraft for a few days. In computer security, we see trade-offs like this all the time.
At Counterpane, we perform managed security monitoring for enterprise networks, and the trade-offs our customers are willing to accept vary greatly. The CSO of one large e-commerce site we monitor said, "I don't care if the devil himself is inside our network, we will not shut it down." Why? This company's Web site is its revenue stream, and shutting it down is too great a trade-off for increased security. On the other hand, there's a law firm we monitor that will shut down at the slightest hint of trouble. To them, the trade-off is much less onerous.
There are other trade-offs. Security costs money, and it makes no sense to spend more money increasing security than the losses would be if you didn't bother. Security costs functionality. Amazon, for example, is perfectly happy to process your credit card transaction even if you don't use SSL; for them, the trade-off for higher security isn't worth it. Many network admins don't install security patches because they don't want to risk breaking the network. And security can cost privacy, liberty, time, etc.
Q: You outline a five-step process for assessing risk and assigning protections: determining assets, determining threats, determining available mitigations, risks/problems associated with security solutions and trade-offs. Why are these steps important, and how can they be applied from individuals to large enterprises?
A: The five-step process formalizes the analysis, taking something people do intuitively and making it explicit. The contribution of a simple conceptual framework like this is primarily social: If many people are framing their analysis and thinking in the same way, and with the same conceptual vocabulary, then it makes collective learning easier. It's one thing to argue about whether a particular security countermeasure is a good idea; but if you're both using the same framework, you can zero in on specific points of contention. In Beyond Fear, I repeatedly use this analysis, applying it from individual security decisions to national security decisions. The simplicity of the framework is what makes it useful.
Q: Do you think appropriate risk assessment and risk mitigation is missing in enterprise environments?
A: Companies do risk assessment and mitigation naturally. Business is risk, and smart businesses manage risks well, whether they're the risks of doing business in a foreign country, the risks of having a warehouse filled with excess inventory or the risks of a computer virus shutting down the network.
As far as the CEO is concerned, network security risk is minimal. Even worms like SQL Slammer and Lovsan didn't faze CEOs, because they have more important problems and spending priorities. This attitude completely flummoxes the engineer in charge of computer security, who sees numerous threats and the need for money to counter those threats. The engineer isn't thinking in terms of risk management, but instead thinking of threat avoidance--he can't see the big picture.
This is why the person in charge of security should never be allowed to determine his own budget. A company could spend $1 million on improving its network security, $1 million on hiring more salespeople or $1 million on a new marketing campaign. All of those are good ideas, but there isn't enough money to do them all. There has to be a senior executive to weigh the trade-offs and make the final budgetary decisions.
Q: Hackers, internal malcontents, terrorists and bad guys in general, you say, don't change their tunes, just their tactics. Are enterprises prepared for the next wave of attacks, or are they too focused on the attacks of yesterday?
A: Everyone focuses on the attacks of yesterday. If you don't believe me, take a look at airline security; we're still defending against what happened two years ago. I don't believe we're prepared for the next wave of terrorist attacks, simply because we can't comprehend what they will be. But this isn't as big a problem as it might seem. Only the rare attacker is innovative. Most attackers are copycats; they do the same thing previous attackers did. By focusing on the attacks of yesterday, we focus on the most common attacks of today. We're always going to miss the new and innovative attacks of tomorrow, and I don't think we can ever overcome that.
Q: Every day, we hear about new risks and threats--a new Cisco router vulnerability, a critical flaw in Windows, hackers extorting money from a bank, and so on. Are these advisories a true reflection of the threats?
A: Most advisories trade on fear. Most newspaper and magazine articles trade on fear. The facts are generally true, but it's still hype. And hype leads to oversaturation. If there's a horrible vulnerability every week, people start ignoring the problems. Every time a new vulnerability comes out, we need to ask ourselves: "Is this worth pestering our customers?" Too many security companies are crying wolf far too often, and it hurts us all.
Q: What do you think is the next threat we must guard against?
A: The next threat is the last threat: people. People are always the weakest security link. Whether it's a guard being bribed to leave a door open or an unsuspecting employee opening an attachment that turns out to be a virus, people are the most difficult security problem. They'll forever bypass security they find intrusive, subvert security they find bothersome, and attack the very systems they're supposed to be guarding.
On computer networks, insider attacks are much more dangerous than outside hackers. User mistakes are much more damaging than malicious code. It's a problem as old as civilization, and it's not one that computers can magically solve.
Lawrence M. Walsh is managing editor of Information Security.