Hardening: Theory and General Practice - The Security Dilemma
(Page 3 of 6 )
Security depends on two things: First, a person must define what security means for them, and second, that person must communicate that idea clearly and competently to the community around him. Security suffers from such a problem these days because of issues related directly to these two requirements. Security for each person is different. Though one person may be satisfied with a BIOS password and a floppy disk, another person might take great pains to double-and triple-encrypt files. She may wish to transfer them only over IPsec-protected links, and purchase trusted Secure Sockets Layer (SSL) certificates for any type of public service she offers. And because the definition, meaning, and intrinsic value of security differs so wildly between parties, it’s difficult to communicate a clear security policy to the user community. Therein lies a critical problem—you can only have effective security when everyone understands the level of security required and when everyone agrees security is necessary. And in practice, as you might imagine, an understanding of security on the part of the user is something that’s usually severely lacking.
The very existence of security resides in trust. In fact, it can be argued that every security problem boils down to the simplest level as a question of trust. The idea of security is introduced for the sole purpose of protecting yourself against parties whom you don’t trust. To do this, usually some kind of technology is put into place to move trust from a risky “zone” to a safer, more palatable area. A great example is a front door lock: You don’t trust the general public, and therefore you’re wary of them stealing your belongings without your knowledge. You install a lock on the front door of your house. You still don’t trust the general public, but you trust the lock to do its job to keep the untrusted people out. You obviously have less of a problem trusting the lock than trusting the intentions of a great number of people to whom you’re unaccustomed. You can’t fully trust the lock either, so you install an alarm system that notifies the police if someone breaks in. You’ve displaced your trust from the public to the police, the alarm system, and the lock.
Each day, you proceed about your business, placing your trust semiconsciously in banks, automated teller machines, online shopping sites, the police, all levels of government, and other various establishments. The list goes on and on. You don’t question this trust, because it’s seldom broken, but that isn’t always the end result. For example, when a child learns to drive a car, he places lives at risk. Because of this risk, most municipalities and governments require the child to pass an exam to demonstrate her mastery of the safe operation of the equipment. Computer systems are equally capable of causing great damage, even though they aren’t sentient. Your life is interrupted when computer systems malfunction, and this indicates an increasing reliance on them. Your trust in computers and their users is often quite misplaced. This is where the problems truly come from.
 This chapter is from Hardening Windows, by Jonathan Hassell (Apress, 2004, ISBN: 1-59059-266-2). Check it out at your favorite bookstore today.
Buy this book now. |
Next: Enemies of Security >>
More Windows Security Articles
More By Jonathan Hassell
