[Infowarrior] - Too much security can be overbearing: Microsoft
Richard Forno
rforno at infowarrior.org
Thu Aug 9 02:14:00 UTC 2007
Too much security can be overbearing: Microsoft
* 8th August 2007
http://apcmag.com/6895/war_on_terror_overblown_microsoft
TECH.ED | When does too much security become, well,
too much? According to Steve Riley, senior security strategist at Microsoft,
it becomes too much when the cost of mitigating the risk outweighs the cost
of that which you are trying to protect.
Steve's approach to security spans all horizons, not just information
technology. He elaborated on this theory in an afternoon session today at
Microsoft Tech.Ed entitled "Making the Tradeoff: Be Secure or Get Work
Done".
The cost of securing an asset is not simply the absolute cost of purchasing
an enterprise firewall or business-wide malware software, according to
Riley. It's measured against the current cost of leaving things as they are
- if a couple of machines go down every week because of security
vulnerabilities, that is a cost which can be measured and taken into
consideration. However, if the cost is actually less than the cost of
removing the problem, bizarre as it may sound, it might not actually be
worth it.
Steve applied this same train of logic to other, more worldly scenarios.
Child kidnapping for example - apparently American parents are paranoid
about kidnapping, and so forbid their children to talk to strangers. The
result, according to Steve, is a generation which can't ask for help when
the only source of help is a stranger, and a general and unacceptable
reduction in human interaction which is the basis of any civilised society.
He prefers to tell his own kids that "...most adults are kind and honest and
will help you if you need helping. But no adult needs your help to find
their dog." Teach them to recognise the attacks, rather than react
negatively to an imagined fear.
And this goes all the way up to the US's so-called "War on Terror".
According to Steve, are any of us really made safer by taking our shoes off
to go through metal detectors? Surely X-ray scanners which can see right
through people's clothing are an unacceptable breach of privacy? At the very
least, do we want to live in a society where this is the accepted norm?
Regardless of the answer to these questions, go back to his approach with
children and strangers - recognise the methods of attack, rather than focus
on stopping the tools. Why did the September 11 terrorists use planes to
destroy the World Trade Centre? Because it was probably the easiest method
at their disposal. If a terrorist wishes to kill people at an airport, all the
security in the world won't stop them from detonating the bomb while waiting
in the security lineup.
These are sobering thoughts, and they do make you take a second look at the
vast amounts of money and effort going into security "measures" which do
much to remove personal liberty and intrude in our daily existence, yet
prove remarkably ineffective at actually stopping anyone determined to
succeed.
There are direct parallels with ordinary, everyday security. For example,
we're always told never to write down our passwords. As Steve put it,
"...it's perfectly OK to write your password down, as long as you protect
the piece of paper".
This particular section of Steve's presentation dealing with the War On
Terror doesn't appear on the US-developed Tech.Ed DVDs -- it was censored
and removed.
James Bannan is reporting from Tech.Ed Australia 2007 as a guest of
Microsoft.