Security Entropy

Security controls inevitably degrade over time as technology changes, criminals modernize their methods, and systems begin to suffer from natural entropy.

Last week I attended a seminar where the database system being designed to host the new national ID card data was discussed. Much emphasis was put on how modern, and therefore secure, the system was going to be from both an IT and a physical security perspective. But it occurred to me that by the time the system is fully operational the game will have changed, and many of the security controls will likely be either out of date or circumvented by newly discovered methods. The point being that you can’t simply design your security systems, rubber-stamp the work, then move on to the next thing and forget all about it.

Frequent and mundane routines are the killer of good security. Well-designed change control processes become an inconvenience to be bypassed; operational procedures to ensure that everybody entering the building has a valid pass or is escorted degrade when the security force begin to believe they can recognise normal behaviour without checking; network security fails when the daily audit of the logs becomes an occasional audit because in the last 6 months nothing interesting has happened and you now have better things to do.

It’s worth keeping in mind that it’s the gradual erosion of seemingly minor controls that will eventually lead to the major incident. Security must be continually reviewed in light of a continually changing environment.

Join the conversation

2 comments


Three things: 1. Isn't it a truism that the defenders are always fighting last year's battle? 2. Behind every major incident there are countless near misses. 3. In a low-visibility network/application intelligence picture, accounting and audit are now even more important than ever.
You're right. With regard to your second point, I had in mind the presentation given at the recent IISP seminar we both attended on the subject of security awareness, where Martin Smith discussed how it's the hundreds of little chickens that will overwhelm and kill you as opposed to the single large crocodile.
