How dumb people approach bank clerks

Technology makes you blind

McK: Mr. Schneier, do people apply different standards to the security of computer systems than when it comes to their own physical integrity out on the street?

Bruce Schneier: We are very familiar with the real world around us, and we have instincts about how things work. Technology - regardless of whether it is about airplanes or the network - tarnishes this intuitive perception and influences our reaction to risks. Most people, at least in the United States, have a high degree of technology belief. They think technology gives them security. If you just buy the right computer system and put the appropriate amount of security programs on top, they believe that the computers are secured as if by magic. A recent example is the false hopes people have in facial scanners and computerized passenger profiles in air travel. There, too, there is a misconception that a sufficiently large technical installation will solve all problems. That sounds very tempting, but of course it's not true.

So should we generally act with more caution - on the street as well as on the screen?

The same critical thinking as in everyday life should also be the guideline for IT security. We should always approach the topic of security with the same skepticism, think of the advantages and disadvantages and which measures make sense at what price.

Has fear of terrorist attacks changed awareness of risks and threats?

At the moment many people consider terrorism to be the only, or shall we say: the greatest risk. Such concentration is always dangerous because we become blind to the consequences. Take the enhanced powers now granted to US law enforcement agencies under the Patriot Act. Many of the security precautions against police abuse that had been in place over decades have been weakened because people are staring at just one danger. Security, including online, is always about a balance.

In the area of electronic security, horror scenarios are also often sketched out in which cyber terrorists open dams or cause a nationwide power outage.

The fear of cyber terrorism is largely a result of the media scare tactics. And then the same thing happens as just described: We overestimate this risk by far, while we neglect the really serious problem - namely the less spectacular electronic crimes.

Your new book is called “Beyond Fear”. How does a company get there by installing more security and hiring experts like you?

Fear is always just the motivation to do something. What is important is that we examine this question on a rational basis. Then you can still decide whether to buy more technology or not. But that is only possible as long as you ask security questions without irrational fear. In the end, it is less about which precautions I take, it is more about how I organize the process of reflection and decision-making in the most sensible way.

In addition to risk awareness, what principles should be incorporated into the design of a security system?

As a successful, intelligent species, human beings actually have a very good basis due to our instinct. We are, if you will, automatically good risk managers - unless we are blinded by too much technology.
It doesn't really matter how good a security measure is, but whether it is worth it. For example, hardly anyone wears bulletproof vests in everyday life, and not because they don't work, but because we decide that they are not worth the effort. There are several ways to measure costs: inconvenience, money, time, personal freedom, mobility.

How does a company or an IT manager know which security measures are worthwhile and which are not?

Because technology clouds the senses, I always recommend five questions to keep all relevant points in mind. By the way, they apply not only to the decision whether to buy Windows or install a firewall, but also to whether I walk down a street at night. Question 1: What are the goods or values that I want to protect? In many cases this is more difficult to answer than you might think. 2: What are the risks and who are the opponents? 3: How effectively does the existing or planned security measure work? 4: What other risks and dangers does it entail? New dangers always arise, but they should always be smaller than the actual risks. 5: How high are the total costs and how high are the inevitable opportunity costs - for example, due to the difficult access of your own employees to the company network?

For example, how should a company answer question 3? Often you don't know whether IT security really works until it's too late.

Then you just have to feel your way on unsafe terrain. This problem arises in every decision-making process: people always expect a solitary answer. But there is no magical technical solution. Life is risk! Sometimes there are just no answers to these questions, sometimes we just don't know them yet. But you shouldn't let yourself be paralyzed or ask the questions in the first place. You have to weigh the uncertainties and still make a decision.

How important are the people who conduct a risk analysis and decide for or against a security system?

Another reason why it is so difficult to take good security precautions is that there are a lot of different parties involved, each with their own perception and risk tolerance. They have their own agenda and influence, and so do the potential attackers. Every security system is based on a security policy that has to be determined by someone. That is why security measures are never neutral: they shift power and influence from one party to another.

Managers in a company often do not pull in the same direction. The network experts want different security measures than sales or customer service ...

Exactly. Each party has other issues on the agenda in addition to security, and often other issues and priorities prevail at the expense of security. Some measures or protective precautions only give us the feeling of security - that's what I call security theater. This includes, for example, the assumption of most people that calls on cell phones are safe thanks to digital technology. Not true, but even such a security theater is not completely useless, because it scares off stupid and lazy attackers.

What are the most common mistakes companies make when it comes to designing and operating an IT security system?

Companies underestimate the dangers posed by insiders, i.e. employees, and they overestimate the value of their technology. They believe: We have a firewall, so nothing can happen to us. In addition, most of them ignore change. However, safety technology continues to develop, as do new risks. Worse still, new applications will soon emerge for every new technology. What was initially a good security measure loses its effect if the system is suddenly used differently.

Can you explain that in a little more detail?

Take a payment system that was designed to handle small amounts and suddenly thousands of dollars flow through it. The security precautions may have been sensible and sufficient for smaller sums. But now there are big gaps - and nobody takes another look at the system. Such mistakes happen all the time. You have a system in place and it is convenient to simply expand its function.

So the key to good security lies less in the right technology than in the people who design, install, maintain and operate it.

Sure, security always revolves around people, technology is just the dumb servant. Take firewalls. Most of them just don't work. And not because they are technically bad, but because they were installed incorrectly. Or networks where the administrators do not install updates and patches. Lack of maintenance leads to enormous security holes. The list can be made as long as you want, and the mistakes always revolve around the human factor. Compared to this, the technical problems are relatively easy to solve.

Doesn't the fundamental question of how to make its use as simple as possible for authorized users and as complicated as possible for attackers arise with every system?

Security precautions that only focus on the few bad guys usually don't work very well. If an ATM was only about defense, most people wouldn't be able to use it. It should never be forgotten that most of our society obeys the law. The legitimate users are the driving force behind a well-designed system - they determine how it works.
Let's take the example of firewalls again. One of the main reasons they are so poorly installed is because of the frustration of the legitimate users. The firewall blocks their work so much that at some point the system administrator gives in and facilitates access. This is satisfactory to the users - but it is no longer a particularly good security solution.

You have to be able to trust people who deal with technology and safety. Which risks does a company have to weigh up?

Confidence is the hardest part of the equation. However, there are a number of security measures to regulate and control trust. First of all, it is important to determine the trustworthiness of people before entrusting secrets to them. Restricting authority is another tried and tested method: neither should you give your employees the master key for the company, nor should you give them the master password for the company network. The third important component is redundancy. It takes two or more people to do or authorize certain things.
To come back to the example of the ATM: there are people who fill those machines with money, others who maintain them, you need bank employees who have access and the drivers of money transporters. When it comes to the people who have access to an IT system, one has to think of a large group that goes far beyond the narrow core of the company. Los Angeles International Airport, for example, employs 59,000 people. And they all have to be trustworthy to varying degrees.

The control functions should therefore best be laid out in concentric or overlapping circles.

Defense lives from the staggered depth. One should never rely on just one protective device. When you have multiple layers there is always a second barrier. Redundancy is part of this strategy. That is why we make backups of computer data. This is a highly effective security measure ...

... when the emergency has occurred.

Yes, but post facto security measures are not wrong. On the contrary: You can spend a lot of money on prevention, but backups are often a much cheaper alternative. And they work. Nature clearly shows us that. For a human life, a backup is the worst possible security measure. A lobster, on the other hand, lays up to 35,000 eggs - redundancy is an excellent security strategy for the lobster species. Either you have many offspring and you are hoping that a few will survive, or you have few offspring and invest a lot of time and energy in survival.

What do you pay attention to in a company when you evaluate or create a new security system?

I look at the motivation of the security officers. Pay is pretty similar in IT, so corporate culture matters to me. How does the organization treat people who are concerned with safety? In many companies they are unfortunately seen as a problem - as the ones that are constantly annoying or only come when something goes wrong. A company with a good security system shows its appreciation for security personnel. When an IT professional enjoys his work and is treated well by his colleagues, he will do a significantly better job than if he is ignored or marginalized.

Common sense suggests that any security system should be a mix of prevention and response. The reality is often different.

That brings us back to the most common mistakes in companies. It is a common, bad mistake in IT to believe that prevention is enough. You always have to consider all three components: safeguards, monitoring and response. Most companies fall for their own talk of good prevention, install a system and neglect control and quick action when loopholes or attacks occur.

Modern IT systems are becoming more and more complex. Computer networks are global affairs that teleworkers, suppliers and customers can log into, more and more wirelessly. Is this technical innovation carousel more beneficial for the attackers or for the defenders?

With the electronic arms race going on right now, I'm afraid the bad guys are ahead of the game. Simply because technical progress creates so many new security holes that have to be constantly plugged. That's why I keep preaching: Folks, don't have this dangerous misconception that great technology can resolve security concerns!

So successful attacks and failures are inevitable in the long run.

That is the price paid for the growing complexity of systems that are all interwoven. This network of interactions creates new properties with unintended consequences. In a sense, all security margins are the result of such unplanned system properties. Security precautions usually fail at the interfaces between two systems or two system parts, because attackers concentrate on these weak points: the forgotten back entrances, the five minutes in which the guard is on the other side of the building, the unprotected private laptop that someone uses to log into the corporate network wirelessly.

What different types of system failure are there and how can you protect yourself against them?

There are basically two types of system failure: active and passive. If a security structure kneels before an attack, it is passive failure. However, a system can also sound a false alarm if there is no attack at all. For example, if a facial scanner at an airport mistakenly believes it has identified a terrorist, it is called active failure. In most organizations, active errors are far more common than passive ones. The active bugs are also the more important ones. They determine whether or not a system is implemented - which will not happen if it raises false alarms more often than thwarting an actual attack. As a planner, you should therefore always be prepared for active and passive failure. And: No matter how well designed my security system is, it will fail.

It doesn't always have to be catastrophic ...

That's right, then one speaks of certain failure - that is, a limited breakdown. The system shuts down or seals itself off. Similar to a car that breaks down and as a result does not immediately catch fire or rush into the ditch, but slows down and stops. Then redundancy measures such as backups take effect. A systems engineer spends a lot of his time with precisely this question: How do I ensure that a system fails as safely as possible?

No manager likes to think about the inevitability of a system failure. Do you get a hearing for your dark scenarios?

It has become a little easier to sharpen your interlocutors' senses for the real threats, but too many people are still too tech-savvy. Then there are geographical differences in terms of the price companies are willing to pay for security. In Japan in particular, this island mentality still prevails, which assumes that security attacks mainly occur in Europe and America. Even in southern European countries such as Spain, Portugal and Italy, the value of security systems is placed lower - even at banks. Of course, security has long been a global problem.