Tuesday, July 19, 2011

Bean counting as a security concept

The security sector has found a new panacea – checklists. On the surface they seem to add security, but in reality they have the opposite effect. A checklist can be easily developed and is meant to be checked off with few – or no – additional thoughts on the content. A real security audit is complex, and checklists offer a false feeling of objectivity and measurability – attributes that are sometimes missed when auditors have individual and detailed questions.

Sadly, such checklists tend to develop a life of their own and become detached from their original purpose. There are many examples of this:

A while ago I got stopped at an airport security checkpoint, because my toothpaste was not displayed in the right kind of plastic bag. A few months before that, I failed at buying a bottle of beer at an American supermarket. I celebrated my 50th birthday a while back, but the employees were unable to discern that I am over 21. When they checked my passport they were thrown off by the unusual – European – notation of my birth date. Using common sense was not part of the checklist.

Recently, the auditors of our laboratory wanted us to supply ID cards for all of our visitors. That makes sense in a big company – for our laboratory it was laughable – we can tell immediately who is a visitor and who is an employee, with or without an ID card.

Now checklists are becoming more common with the people who think about the future of IT security standards like Common Criteria.

I am concerned by this. The motive is honorable, but in my experience, knowledge and experience will be supplanted by counting beans. In the long run that does not create trust – which eventually will weaken the standards.

Of course, we do use checklists at times, as well. We don’t want to forget an important aspect of an audit. Matt Bishop put it very well in one of his talks: The most important thing about a checklist is to know when to ignore it! A checklist is a tool, not an end in itself.

The goal is, and will be, good security. And that is what atsec stands for.

by Gerald Krummeck

P.S. Gerald also presented "Fighting the Bean Counters" at the 12th ICCC.
