Friday, 04 May 2007

Response to Bruce Schneier Wired Story

In Do We Really Need a Security Industry? Bruce Schneier writes:

The primary reason the IT security industry exists is because IT products and services aren't naturally secure. If computers were already secure against viruses, there wouldn't be any need for antivirus products. If bad network traffic couldn't be used to attack computers, no one would bother buying a firewall. If there were no more buffer overflows, no one would have to buy products to protect against their effects. If the IT products we purchased were secure out of the box, we wouldn't have to spend billions every year making them secure.

Bruce is right if you confine yourself to thinking that "secure" is the same as "zero vulnerabilities." This is one-dimensional thinking, and it is correct only as long as you stay within that one dimension. As I defined in The Tao of Network Security Monitoring, security is the process of maintaining an acceptable level of risk. I defined (using the common method) risk as the product of threat, vulnerability, and asset value, or R = T × V × A.

When thinking of security within the context of risk (which is what Bruce should be doing), I could also say the following:

  • The primary reason the IT security industry exists is because IT products and services expose vulnerabilities.

  • The primary reason the IT security industry exists is because IT products and services are confronted by threats.

  • The primary reason the IT security industry exists is because IT products and services are valuable.


Therefore:

  • If the IT products we purchased didn't expose vulnerabilities out of the box, we wouldn't have to spend billions every year making them secure.

  • If the IT products we purchased weren't confronted by threats out of the box, we wouldn't have to spend billions every year making them secure.

  • If the IT products we purchased weren't valuable out of the box, we wouldn't have to spend billions every year making them secure.

Reducing any one of those three components to zero would eliminate risk, since the product of the three is then zero. Bruce sounds like he wants to work on the vulnerability side of the equation, but complete invulnerability is impossible. I prefer reducing the threat component through deterrence, apprehension, prosecution, and incarceration, but that is also not completely achievable. Reducing the asset value is probably not realistic. Therefore, risk always remains.

On a minor note, Bruce is also wrong strictly on the vulnerability side. Because security is the process of maintaining an acceptable level of perceived risk, security is different for everyone. I may be willing to pay a lot more for what I consider to be a "secure" product or service compared to another party. The vendor may not wish to devote the additional resources to "security" (really vulnerability reduction) that I desire. Alternatively, I may need the product or service for compatibility reasons (think interfaces with customers or partners) but not trust that vendor (think Microsoft's integration of security into the OS). In both cases, I can turn to a third party who works to improve the "security" of that product or service.

Hence, the security industry is born, and will continue to exist.
