
Nilesh's Weblog


People, not Technology

October 12, 2002 03:59 PM


I want this book by crypto guru Bruce Schneier: Secrets & Lies: Digital Security in a Networked World. For the less knowledgeable, Bruce is the man who designed the very popular Blowfish cipher and the Twofish algorithm. In this very good article Bruce argues that people, rather than technology, are what matter in security. How true! The general perception is that computer systems should be fool-proof. They never can be. Instead they should be fail-smart.

No matter how high-tech we go about securing our resources, our assets and our networks, people play the most important role. Say an IDS claims to detect about 90% of the attacks happening on our network, the rest being false alarms; we would assume it to be a very fool-proof system. Assuming you get about 10 'doorknob rattling' attempts a day on your Internet gateway today, you will fail to detect 1 attempt, which is considered acceptable (not by me!). Now increase the sample space. Tomorrow the attempts might grow to 1000. 90% of them are detected, but what about the remaining 10%? Won't they go unnoticed? How will you be alerted to them? That is the gap created by relying too much on technology. Only people can close that gap.

Taking this example further: an Intrusion Detection System is only an automated way of doing the monitoring an administrator traditionally did as part of his job, sifting through the system audit logs and network audit logs looking for anomalies. Given the large number of systems an admin has to manage today, IDSes are a boon. They should help him do his job better, not make him lazy. He should not wait for an IDS to throw up an alert; he *has* to do the regular log sifting himself.

By giving such importance to people, Bruce might appear to be an absolute anti-techie. In fact, it is the reverse. He is an absolute techie, as proven by the fact that he wrote two of the best crypto algorithms. He used to believe in relying solely on technology to secure systems, and he used to think that crypto was the solution to all computer-related security problems. Then he was smartened up by the discovery that a social engineering attack can give you access to the most secure computer systems in the world.

Indeed, social engineering is the most dreaded form of security breach. A guy claiming to be the mail admin calls you up and asks for your password. You trust your colleague and give him one-time access to your computer; he installs a key-logger on your machine and now has access to everything you access, including everything you encrypt, because he has your private-key passphrase. Your screensaver password is your girlfriend's name. Technology cannot help here. It is people.

So what is the solution? As any decent security guy will tell you, good security is created by overlapping, cross-checking layers that slow down attacks. You cannot just put up a firewall and forget your security concerns; in fact, that increases them. Putting up a firewall and forgetting about it gives you a false sense of security. You need a good admin to look at what's happening on a day-to-day basis. You need people. A firewall is just an example; this applies to any system, be it on the Internet or on your LAN.

Interesting: read this white paper, Towards the Scalable Implementation of a User Level Anomaly Detection System, or read the news about it. It fueled my thoughts for this post. You could call it the next-generation IDS. They claim to predict, 94% of the time, when a user is trying to move beyond his normal way of working, which could mean an attempted break-in. Again, as I said …
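To make the two ideas above concrete, here is an added example (my own code, not from the post or from the white paper): a per-user profile of command frequencies is built from baseline sessions, a new session is scored by how far it drifts from that profile, and a small helper shows why a fixed detection rate still leaves a residue that grows with volume. The session data is constructed, and the histogram-intersection distance and the 0.5 threshold are my choices, not the paper's method.

```python
from collections import Counter
from typing import Dict, List

# Constructed sample data (not from the paper or the post): each list is one
# login session by the same user, reduced to the sequence of commands run.
BASELINE_SESSIONS: List[List[str]] = [
    ["ls", "cd", "vim", "make", "gcc", "ls", "git", "vim", "make"],
    ["cd", "ls", "vim", "git", "make", "ls", "vim", "git"],
    ["ls", "vim", "make", "gcc", "ls", "git", "cd", "vim"],
]

def command_profile(sessions: List[List[str]]) -> Dict[str, float]:
    """Relative frequency of each command across all baseline sessions."""
    counts = Counter(cmd for session in sessions for cmd in session)
    total = sum(counts.values())
    return {cmd: n / total for cmd, n in counts.items()}

def anomaly_score(profile: Dict[str, float], session: List[str]) -> float:
    """Distance in [0, 1] between a new session and the user's profile.
    Uses 1 minus the histogram intersection of the two command-frequency
    distributions: 0.0 means the session repeats the baseline mix exactly,
    1.0 means none of its commands has ever been seen from this user."""
    if not session:
        return 0.0
    observed = Counter(session)
    n = len(session)
    overlap = sum(min(count / n, profile.get(cmd, 0.0))
                  for cmd, count in observed.items())
    return 1.0 - overlap

def is_anomalous(profile: Dict[str, float], session: List[str],
                 threshold: float = 0.5) -> bool:
    """Alert when the session drifts past the threshold. The threshold is a
    tuning knob: lower it and more drift is flagged, at the cost of alarms
    on legitimate changes of work pattern, which a person must then triage."""
    return anomaly_score(profile, session) > threshold

def expected_missed(attempts: int, detection_rate: float) -> int:
    """The post's scaling argument: at a fixed detection rate the number of
    undetected events grows linearly with volume, so the residual always
    needs a human looking at the raw logs."""
    return round(attempts * (1.0 - detection_rate))

if __name__ == "__main__":
    profile = command_profile(BASELINE_SESSIONS)
    normal = ["ls", "vim", "make", "git", "ls", "cd", "vim", "gcc"]
    unusual = ["ls", "wget", "chmod", "tar", "ls", "scp", "cat", "wget"]
    for name, s in (("normal", normal), ("unusual", unusual)):
        print(f"{name}: score={anomaly_score(profile, s):.2f} alert={is_anomalous(profile, s)}")
    print("missed at 90% detection, 1000 attempts:", expected_missed(1000, 0.9))
```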



Comments

7 comments have been added.

1. charles assisi said...

ummm... Schneier is good.... in fact i reviewed Secrets and Lies for Businessworld a couple of months ago

on Oct 13, 03:49 PM


2. charles assisi said...

ummm... Schneier is pretty good. Secrets and Lies is an excellent book. got some outstanding insights and every CTO ought to read it.

on Oct 13, 09:41 PM


3. Nilesh said...

Charles, have you read it? Oh! I need that book! I am going to buy it very soon. :-)

on Oct 14, 08:03 PM


4. Nilesh said...

I have read Bruce's Applied Cryptography, though not completely. Very good, easily understandable language for a normal technical person.

on Oct 14, 09:19 PM


5. Codey said...

God=Schneier=Cryptogram

still reading the very 'short' article by Atlantic.... that is one site that has never heard of attention spans and its longevity on the Web ;-)

Fail-smart........ nice concept.....

btw: your about page is a 404..... as of now any information about nilesh cannot be found..... uh-oh :-O

on Oct 14, 11:46 PM


6. Nilesh said...

Ah! Sorry for the 404, Codey, but you might see it in a few days... :-) Basically I am a bit lazy about putting up the about page.

on Oct 15, 12:08 AM


7. Codey said...

lazy eh? there we have something in common finally!

on Oct 16, 12:30 AM


© 2000-2003. Nilesh Chaudhari (mail AT nilesh.org)