PaulDotCom mailing list archives

Security Metaphor Contest - DerbyCon - WINNER ANNOUNCED


From: Josh More <jmore () starmind org>
Date: Wed, 12 Sep 2012 13:54:26 -0500

There were a lot of great entries.  I have collected them below and
rewritten them all so they are somewhat more genericized.  (This is
part of what the paper is about).  However, as I said in the original
post, credit is where credit is due.

To cut to the chase, the winner is Kenton Riley.  The submarine idea
is something I've never considered and it works in a lot of different
ways.  Since this is a totally biased process, I'm going to pick the
one that's most useful to me, so that's it.

However, there were some honorable mentions.

Amar Yousif's idea of data as cash is great.  Especially the concept
of "data is like cash, but it's not your cash, it's your boss's
cash". I've long used the analogy of "each data record is like a $20
bill", but extending that to "a $20 bill that should be in your boss's
wallet but has been given to you for safe keeping" is much more
powerful.

I like Shawna Turner-Rice's medical analogies. As some of you know,
I've been exploring medical psychology and looking for ways we can
draw on that in our field.  I think that there's tons of research to
do here and the more analogies we find that overlap these fields, the
more we can test.

Kenton's bug removal analogy to ape grooming was also interesting.
Specifically, the unexplored line of analogy that primates do this to
remove bugs and to build rapport in the group. Properly done,
code-based bug removal can tighten group unity and help everyone
understand the infrastructure better.  This not only removes bugs, but
prevents new ones from getting in.

Here is the complete list for everyone's reference.

Thanks for playing... and if you get another idea, please let me know.
My goal is to turn this into a community resource.

-Josh More

------------------------------
Here's the list.
------------------------------

Laptops are like promiscuous people having unprotected sex with
numerous partners.  You never know how many partners they've had, who
they've been with and what they might have been exposed to. Thus, you
should take precautions to limit your own exposure. - Stephen Snyder


Security can be compared to football
* The firewall is your defensive line. It lacks finesse, but will
generally stop the big threats.
* Other defensive strategies (NIPS, NIDS, etc) are like linebackers.
They're there to catch things that get through the defensive line.
* Well written code is like cornerbacks. They restrict software to the
known, safer paths.
* Web Application Firewalls (WAFs) are like safeties. They activate
when a cornerback needs assistance and help prevent targeted attacks.
* The Security Operations Center (SOC) is like the team of assistant
coaches. They keep an overall eye on the details.
* The Security Lead is like the Defensive Coordinator. That person
collects all the data and makes the strategic decisions around
resource usage.
- Jonathan Turner


Security, in its various elements, is like water, with different phase
states depending on how you look at it.  All are needed.
* People are like liquid water. They move around the system and keep
things running.
* Processes are like water vapor. They don't have much to them, but
they convey information over great distance.
* Technology is like ice. It's not very flexible itself, but it
provides a hardened defence.
-germ



Primates groom one another regularly, picking through one another's
fur looking for bugs to eat. They won't find all the bugs, but after a
grooming session, the number of bugs on each ape will be lessened.
Over time, bugs can be kept to a minimum.  -Kenton Riley



SCAP 1.2 is like building a brand new smart phone. You need the phone
itself (SCAP processing engine), the apps that perform functions (SCAP
content) and an application store (content repository). -Shawna
Turner-Rice



Anti-virus is a lot like a vaccine. The technology is specific and
time-based, but not perfect. Even with a vaccine, you can get ill from
the viruses that are not covered. In contrast, Heuristics are like
antibiotics. They are highly effective against specific classes of
threats, but the more they're used in the industry, the less effective
their strategies are. Over time, both anti-virus and heuristics are
needed to protect you, but you should be aware that just as biological
agents adapt and evolve to bypass our defenses, malware does as well.
This is why you must run both and keep them up to date.  -Shawna
Turner-Rice



The initial product penetration test is a lot like a person going to
the doctor for the first time. There will always be many findings. The
difficulty is in identifying which ones are actionable. The younger
the person or code happens to be, the more of the findings that will
be actionable. This is why security is best considered at the
beginning of a project, not the end.  -Shawna Turner-Rice



Many attackers attack systems and networks just like thieves go after
buildings in the movies. Techniques like casing the perimeter,
identifying the patterns of the guards and slowly testing defenses
apply. In the physical world, this can involve throwing rocks to find
motion detectors, making sounds to distract guards and finding
unprotected areas. In IT, this can involve throwing packets to find
IDS/IPS systems, sending emails to target employees and finding areas
of attack. -Shawna Turner-Rice



Private data should be thought of as cash. You should know how much
you have and where you keep it. You should prevent it from
accumulating in unprotected areas.  If you have to carry it around,
make sure it's protected (in a wallet / with strong encryption).  Since the
data belongs to someone else, don't move it around without explicit
authorization. -Amar Yousif



The network is like a castle. To defend the castle you need walls, a
moat, archers, guards, a drawbridge, etc. Many castles even have a
secret door that is used by the townspeople. They use this to bypass
the hassle when they need to go out to work the fields. However, this
system only works so long as the townspeople are trustworthy and can
be relied on to keep the secret door secret. Skilled attackers ignore
all the castle's defenses and focus instead on the known weakness. By
befriending or posing as a townsperson, they can access the secret
door, sneak in, and lower the drawbridge.  If a back door exists, it's
going to be used.  -Michael Smith



Think of a network like a manned submarine. The submarine is useless
without the people inside. It exists to both protect the people from
all that water and to get them where they need to go.
* To reduce the risk of a breach, exterior doors should only be opened
under specific situations. New doors should not be added while
underwater.
* All existing (factory-installed) doors are air-locked with only one
door openable at a time, preventing one door failure from causing a
breach.
* To protect against a breach from harming the people, there are
bulkhead doors that can be shut to compartmentalize the damage.
* Sometimes people go a bit nuts trapped under the water and try to
get out. The submarine should do its best to prevent this.
* Because of the danger of the water, anything in direct contact with
it must be hardened.
* Because breaches have happened in the past, all submarines must have
a plan for responding to breaching.
* If a breach does occur, many assessments should be run before
re-exposing the submarine to the water.
* Just because you're in the submarine and cannot see the water, does
not mean that the threat has vanished.
-Kenton Riley



Distributed denial of service attacks are like tsunamis. They tend to
be triggered by a single event and take a while to get to you.  In
many cases, they are fairly mild, but sometimes they compound and
build as they approach you. This can result in an unmanageable
catastrophe. If you wait for them to get huge, you may never be able
to protect yourself against them. -Gaurang Pandya




A security program is like a boat.  If it's poor, it's like a boat
with holes in it. You can spend so much time plugging the holes and
bailing water that you fail to progress towards your destination.
However, if you take the time to make your boat seaworthy, you will have
a much easier time getting where you're going.  -Jason Gillam
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com