How great perimeter defenses are hurting you

I have looked for a good example for a real-world security practice that is misconceived and that also applies to information security. Recently I have had a chance to read an opinion article that talks about physical security measures that are put in to protect small populations (read army bases, gated communities, etc…) and how many of the “traditional” security thinking is actually hurting them.
The example that was cited, talked specifically about building fences around such facilities, and their actual and perceived effect.
The real effect of such a “security” fence is very low. These fences can be easily bypassed with very basic skills and tools.
However, the perceived effect of such fences is incredible. On one hand, the protected population sees that there is a fence that goes around the entire perimeter, and immediately think “cool! we are well protected”. They can SEE the perimeter, and it has an immediate effect on how the area is perceived (especially in gated communities).
On the other hand, a much more worrisome element is how such fences affect the way that the security personnel behave. One would think that security professionals understand that fences are no more than a slight delay for an attacker that looks to break into the protected area. Nevertheless, the article talks about how security personnel are actually putting their guard down when assigned to work in fenced areas. It talks about how the perimeter (again – being highly visible and seemingly intimidating) provides some comfort to the guards, and makes them prone to focus on the gates and openings. Whereas guards that were put in duty to protect non-fenced compounds were much more vigilant in identifying tactical areas that would be used to watch the compound, and to attack it. They have been more active in their movements across the protected area, paying attention not only to the access paths used daily, but to all aspects of the area.

Now think about everything that I have discussed above in information security terms. We have been having firewalls blinding our CIOs, IT personnel and purchasing managers. The ability to market a product that specifically opens access paths into the organization so successfully have actually degraded the security posture of most organizations. Think about it – one of the things that come up very early in a conversation about an organization’s security protections will usually be a firewall.
The more problematic aspect here – much like in the physical fence example, is that firewalls make security personnel put their guards down. They fail to be vigilant in identifying access paths, data patterns, and potential pitfalls in the way that the organization keeps, processes and uses its information.
Don’t get me wrong – I’m not a huge “de-perimeterization” fan, but we do need to take note from this way of thinking about security. Everyone is preaching about “layered security”, but keep putting a lot of focus on the perimeter defenses while leaving the internal layers mostly unprotected.

In summary – when you think about how your organization is protected for security breaches, remember the “fence effect”. Remember how people that live in gated communities have a wrong sense of protection, and how guards stationed at checkpoints and gates are usually focused on the opening rather than the fence around them.


Comments

2 responses to “How great perimeter defenses are hurting you”

  1. Hey man
    Well written, highly agree. We live within our own fences of consciousness, and those fences derive in what we perceive as our daily life – AKA our perception. Now how come a fence represents such strong psychological element? because so many of us are being brought up in an environment that is highly efficient in what we do, but almost blind to who we really are, and how we are wired. IMHO the difference between a mouse in a maze in a lab and us humans is not that different, it’s just we like to think it is 🙂

    Look, there are neurological reasons why we comfort in imaginary borders – if you wouldn’t your brain would have been fried out because you would be trying to understand what’s going on. So for most people – just tell them they have an anti-virus they will be as happy and most will not even bother to know if the AV they have is real or fake. But there are who have no ability to “shut down” those constant flow of ideas. That’s a typical description of people with ADHD, who so many of us in the security areas are. The problem is that most organizations don’t really know how to “eat” people like that – the people who can actually see the real threats seems to the organization as … well… too disturbing. So they end up appointing a manager “whom they can work with”. and that’s – almost by definition – someone who think like them – inside the secure fences of self comforted illusion of being secured (or someone who will be willing to tell it if the price is right. I’ve met one or two in my life, and I assume you too…

    And security guards? If you had ADHD, you will go crazy if you will have a fence in front of you the whole day – or to do a monotonic job all day long. So most chances the hired security guards will be people who are … well, let’s call them – people who can stare at a fence the whole day and not go crazy. Sometimes I wish I had that capability, it would have helped a lot on some of the projects I had to go though LOL, but I assume we all have our own dharma…

    PS
    If you already decide to have a obstacle then at least put a wall that actually work, hence the link I enclosed…

    Namaste
    Uri
    Brussels, Belgium
    3rd Rock from the Sun 😉

  2. Davidman Avatar
    Davidman

    Using False Alarms to Disable Security
    Beginning Sunday evening, the robbers intentionally set off the gallery’s alarm system several times without entering the building, according to police.
    The security staffers on duty, who investigated and found no disturbances, subsequently disabled at least one alarm. The burglars then entered through a balcony door.
    http://www.schneier.com/blog/archives/2012/01/using_false_ala.html

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.