Tag Archives: Bruce Schneier

Detection is much more important than prevention –Bruce Schneier

Reviewing Bruce Schneier’s 2004 book Secrets and Lies, much of which was written in 2000, reminds us of something really basic. You can’t just fix security. Security is a process, most of which is about knowing what’s going on. Detection is more important than prevention. To which I add that for detection we need comparable Internet-wide metrics on security performance so every organization can see what’s going on and will have incentive to do something about it because its customers and competitors can see, too. Sound familiar? That’s what SpamRankings.net is about.

Joe Zack posted in Joezack.com on Bastille Day, 14 July 2013, Secrets and Lies: Nine Years Later,

2. “Detection is much more important than prevention”

Schneier keeps coming back to this point. He had this epiphany in 1999 that “it is fundamentally impossible to prevent attacks” and “preventative countermeasures fail all the time.” Security is “about risk management, that the process of security was paramount, that detection and response was the real way to improve security.” (emphasis mine)

I had formerly thought of security as largely being about prevention. A year ago, if you have asked me about “InfoSec” I might have prattled on about firewalls, injection attacks, encryption and good passwords. That’s still important, but now I know that there’s a lot more to it.

Zack says he thinks Schneier was like Nostradamus for having such insight before NSA PRISM and even before Facebook. Sure, Bruce has always been ahead of his time. But that basic insight was not unique to him, and Continue reading

Current security models broken; need resilience; how about reputation?

Bruce Schneier asserted yesterday that Our Security Models Will Never Work — No Matter What We Do. After detailing why he thinks that (the bad guys can get new techonology faster and have fewer restrictions on using it), he summarized:

As it gets easier for one member of a group to destroy the entire group, and the group size gets larger, the odds of someone in the group doing it approaches certainty. Our global interconnectedness means that our group size encompasses everyone on the planet, and since government hasn’t kept up, we have to worry about the weakest-controlled member of the weakest-controlled country. Is this a fundamental limitation of technological advancement, one that could end civilization? First our fears grip us so strongly that, thinking about the short term, we willingly embrace a police state in a desperate attempt to keep us safe; then, someone goes off and destroys us anyway?

If security won’t work in the end, what is the solution?

Continue reading

Design in Security; Don’t Wait to Defend

56+Northern+States+Barn+doors.JPG Gunnar recommends building in security instead of waiting to catch the horses after they’re out of the barn:
The way out of this is for security to get involved in building better systems, getting involved in the system development, Identity management, and coding. Come to the table with useful tools such as Threat Models and Misuse Cases, and make sure you are there early enough to have an impact. Three places to focus are application development, databases, and identity. Time for security to live in code and config not in Visio drawings.
As Gandhi supposedly said about western civilization: “That would be a good idea!”