funsec mailing list archives

Re: security theater is useful, stop abusing it [was: PCI]


From: Imri Goldberg <lorgandon () gmail com>
Date: Tue, 24 Mar 2009 19:03:04 +0200

On Tue, Mar 24, 2009 at 5:23 PM, Benjamin April <ben_april () trendmicro com> wrote:

A layer of security is nothing more than a
time-delay device. Some layers provide more delay
than others. Very often the so-called "security
theatre" provides a delay equal to the time spent
studying it for weaknesses.

Security theatre and security by obscurity suffer
from the same weakness in that once the attacker
knows what is going on behind the curtain, the
benefit is negated. Either is a valid layer of
security IMHO, however it must be accepted that
once breached all value is lost.



Let's consider a terror attack. While this may be true for the planner, the man
actually carrying out the attack might not see things as clearly. While
being under the stress of the attack, he might not have the clarity of mind
to go through a check without looking very nervous and alerting the guard.

Furthermore, if you accept that some security checks depend on the
thoroughness of the guard, then when an attacker decides to face the guard,
he is taking the chance that the guard will not be thorough. Under these
circumstances, he might decide to attack a different place, with less chance
of being stopped, even if it means fewer casualties.
If you accept that, then you agree that even if the attacker knows about the
security theater, it still prevents him from implementing his original
attack.


-- 
Imri Goldberg
--------------------------------------
www.algorithm.co.il/blogs/
--------------------------------------
-- insert signature here ----
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
