Re: security theater is useful, stop abusing it [was: PCI]

[Benjamin April <ben_april () trendmicro com>]

A layer of security is nothing more than a
time-delay device. Some layers provide more delay
than others. Very often the so called "security
theatre" provides a delay equal to the time spent
studying it for weaknesses.

Security theatre and security by obscurity suffer
from the same weakness in that once the attacker
know what is going on behind the curtain the
benefit is negated. Either is a valid layer of
secruity IMHO, however it must be accepted that
once breached all value is lost.

 I'll be the first to admit that every time I go
through a TSA check-point and surrender my bottle
of water I keep waiting for the lights to come up
and the TSA staff to join hands and start singing
 and dancing. Thankfully it has not happened yet.
I can smell a production number from a mile away
and  all these folks need is a band.

Anyone who doubts the validity of security by
obscurity as a valid layer need look no further
than confiker. Can anyone doing analysis there
tell me SBO is not an effective tool? Yes its
effectiveness will run out, but at the moment it
is kicking our collective asses.

FTR: I spent about 15 years as theatrical
stage-hand somehow the "theatre" spelling stuck
with me.

Thanks
Ben



Gadi Evron wrote:
> Jon Kibler wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Anton Chuvakin wrote:
> > > > same answer: "I don't participate in security theater." I think this
> > > First, I am amazed how people so intelligent can hold opinions so
> > > shortsighted :-)
> > I unquestionably stand by my assertion that PCI DSS is pure security
> > theater at its worst. Perhaps you do not understand the concept of
> > "security theater"?
>
> Security theater does in fact have uses. Secrecy can be a strong line of 
> defense and psychological barriers are in fact barriers, as we are 
> dealing with human beings. So, security by obscurity is an extremely 
> useful tool, the problem is when it is the only one, it then becomes a 
> single, lonely, point of failure, and potentially a waste of resources 
> (TSA).
>
> Naming misuse of Security by Obscurity "Security Theater" gives it 
> negative connotations. It already had enough on its own. I'd be 
> interested in how people implement it successfully, as obviously the way 
> the industry just disses on it, is raising a generation of security 
> professionals who don't understand secrecy or how human nature is 
> manipulated positively, rather than just negatively.
>
> I don't see anyone here dissing on the underline concept of egress 
> filtering just because most frak it up. Think for yourselves, people.
>
> Semi related, Imri and I wrote an article on how security theater can 
> work, and how it in fact helps stop terrorist bombing in Israel. You can 
> find it here:
> http://www.csoonline.com/article/468569/Sometimes_Security_Theater_Really_Works
> (URL may break, so: http://tinyurl.com/5u2qmq)
>
>       Gadi.
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.


TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential and may be subject to copyright or other 
intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this 
information, and we request that you notify us by reply mail or telephone and delete the original message from your 
mail system.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.