I have looked for a good example for a real-world security practice that is misconceived and that also applies to information security. Recently I have had a chance to read an opinion article that talks about physical security measures that are put in to protect small populations (read army bases, gated communities, etc…) and how many of the “traditional” security thinking is actually hurting them.
The example that was cited, talked specifically about building fences around such facilities, and their actual and perceived effect.
The real effect of such a “security” fence is very low. These fences can be easily bypassed with very basic skills and tools.
However, the perceived effect of such fences is incredible. On one hand, the protected population sees that there is a fence that goes around the entire perimeter, and immediately think “cool! we are well protected”. They can SEE the perimeter, and it has an immediate effect on how the area is perceived (especially in gated communities).
On the other hand, a much more worrisome element is how such fences affect the way that the security personnel behave. One would think that security professionals understand that fences are no more than a slight delay for an attacker that looks to break into the protected area. Nevertheless, the article talks about how security personnel are actually putting their guard down when assigned to work in fenced areas. It talks about how the perimeter (again – being highly visible and seemingly intimidating) provides some comfort to the guards, and makes them prone to focus on the gates and openings. Whereas guards that were put in duty to protect non-fenced compounds were much more vigilant in identifying tactical areas that would be used to watch the compound, and to attack it. They have been more active in their movements across the protected area, paying attention not only to the access paths used daily, but to all aspects of the area.
Now think about everything that I have discussed above in information security terms. We have been having firewalls blinding our CIOs, IT personnel and purchasing managers. The ability to market a product that specifically opens access paths into the organization so successfully have actually degraded the security posture of most organizations. Think about it – one of the things that come up very early in a conversation about an organization’s security protections will usually be a firewall.
The more problematic aspect here – much like in the physical fence example, is that firewalls make security personnel put their guards down. They fail to be vigilant in identifying access paths, data patterns, and potential pitfalls in the way that the organization keeps, processes and uses its information.
Don’t get me wrong – I’m not a huge “de-perimeterization” fan, but we do need to take note from this way of thinking about security. Everyone is preaching about “layered security”, but keep putting a lot of focus on the perimeter defenses while leaving the internal layers mostly unprotected.
In summary – when you think about how your organization is protected for security breaches, remember the “fence effect”. Remember how people that live in gated communities have a wrong sense of protection, and how guards stationed at checkpoints and gates are usually focused on the opening rather than the fence around them.