Miscellaneous Security

Brian J. Truskowski, General Manager of Internet Security Systems (ISS), gave a keynote presentation at RSA 2009. His talk touched on an interesting topic that he referred to as the “5 Key Factors of Complexity.”

He identifies that the key cause of compromise is human nature; the ability that humans are susceptible to social engineering. Instead of focusing on securing systems, Mr. Truskowski argues that we should design systems that are “resistant to human frailty.” He goes on to state, that designing these systems (by reducing complexity) is difficult.

According to Mr. Truskowski, the 5 key factors of complexity and the key to designing these systems are:

1. Threats
2. Compliance
3. Technology
4. Economics
5. Business Needs

Contrary to security, Businesses have to keep focused on all of these factors or they will be unsuccessful. Vendors however, are according to Mr. Truskowski, only focused on one of these factors… Threats. He argues, If an enterprise doesn’t focus on compliance, they are fined. If a business doesn’t focus on business needs, the business can’t change.

“It’s like building the titanic. The ship’s designers optimized around being able to withstand collisions at the sacrifice of maneuverability. There have been many theories over the years over why the Titanic sank, from Brittle steel to sub-standard rivets. But, in reality, it is obvious why the Titanic sank. It couldn’t get out of the way of the iceberg. The Titanic’s designers focused on size, strength, resilience, and luxury but not on maneuverability.”

I think Mr. Truskowski’s talk was the hidden gem at RSA. It is an interesting idea for security vendors to begin focusing on things other than threats. Of course, if the idea gets legs, it will be 10-15 years before any change occurs. It is great to see people thinking holistically about security.

The video/webcast can be seen here: (5 Factors of Complexity starts at 19:49)

From a security perspective, companies want simple solutions. As I walked the RSA expo floor a few weeks ago, this became very apparent.

Vendors were pitching products that were among other things, “in the cloud”, “self-maintained”, and “auto-updated.” It seems that companies are looking for simple solutions for complex problems. (Duh?)

As I walked around the exposition floor, I began to chuckle, realizing that there were more people in the Moscone center than there are attackers in the world. More money gets pumped into security products than actual money gets stolen. What an amazing idea.

Now, imagine I have a product that you can:

1. Plug into your network or computer.
2. Requires no “maintenance”.
3. Will prevent your network/computer from being attacked.
4. Alert you after it has successfully prevented the attack.

This was essentially every product that was being offered at RSA.

My two-cents: No product or grouping of products will prevent an attack. You can do some preventative measures, however, if an attacker wants to get you, they will.

Good Luck!