PaulDotCom mailing list archives
Security Metaphor Contest - DerbyCon - WINNER ANNOUNCED
From: Josh More <jmore () starmind org>
Date: Wed, 12 Sep 2012 13:54:26 -0500
There were a lot of great entries. I have collected them below and rewritten them all so they are somewhat more genericized. (This is part of what the paper is about.) However, as I said in the original post, credit is where credit is due.

To cut to the chase, the winner is Kenton Riley. The submarine idea is something I've never considered and it works in a lot of different ways. Since this is a totally biased process, I'm going to pick the one that's most useful to me, so that's it.

However, there were some honorable mentions.

Amar Yousif's idea of data as cash is great. Especially the concept of "data is like cash, but it's not your cash, it's your bosses' cash". I've long used the analogy of "each data record is like a $20 bill", but extending that to "a $20 bill that should be in your boss's wallet but has been given to you for safe keeping" is much more powerful.

I like Shawna Turner-Rice's medical analogies. As some of you know, I've been exploring medical psychology and looking for ways we can draw on that in our field. I think that there's tons of research to do here and the more analogies we find that overlap these fields, the more we can test.

Kenton's bug removal analogy to ape grooming was also interesting. Specifically, the unexplored linked analogy that primates do this to remove bugs and to build rapport in the group. Properly done, code-based bug removal can tighten group unity and help everyone understand the infrastructure better. This not only removes bugs, but prevents new ones from getting in.

Here is the complete list for everyone's reference. Thanks for playing... and if you get another idea, please let me know. My goal is to turn this into a community resource.

-Josh More

------------------------------
Here's the list.
------------------------------

Laptops are like promiscuous people having unprotected sex with numerous partners. You never know how many partners they've had, who they've been with and what they might have been exposed to. Thus, you should take precautions to limit your own exposure.
- Stephen Snyder

Security can be compared to football.
* The firewall is your defensive line. It lacks finesse, but will generally stop the big threats.
* Other defensive strategies (NIPS, NIDS, etc.) are like linebackers. They're there to catch things that get through the defensive line.
* Well-written code is like cornerbacks. They restrict software to the known, safer paths.
* Web Application Firewalls (WAFs) are like safeties. They activate when a cornerback needs assistance and help prevent targeted attacks.
* The Security Operations Center (SOC) is like the team of assistant coaches. They keep an overall eye on the details.
* The Security Lead is like the Defensive Coordinator. That person collects all the data and makes the strategic decisions around resource usage.
- Jonathan Turner

Security, in its various elements, is like water, with different phase states depending on how you look at it. All are needed.
* People are like liquid water. They move around the system and keep things running.
* Processes are like water vapor. They don't have much to them, but they convey information over great distance.
* Technology is like ice. It's not very flexible itself, but it provides a hardened defence.
- germ

Primates groom one another regularly, picking through one another's fur looking for bugs to eat. They won't find all the bugs, but after a grooming session, the number of bugs on each ape will be lessened. Over time, bugs can be kept to a minimum.
- Kenton Riley

SCAP 1.2 is like building a brand new smart phone. You need the phone itself (SCAP processing engine), the apps that perform functions (SCAP content) and an application store (content repository).
- Shawna Turner-Rice

Anti-virus is a lot like a vaccine. The technology is specific and time-based, but not perfect. Even with a vaccine, you can get ill from the viruses that are not covered. In contrast, heuristics are like antibiotics. They are highly effective against specific classes of threats, but the more they're used in the industry, the less effective their strategies are. Over time, both anti-virus and heuristics are needed to protect you, but you should be aware that just as biological agents adapt and evolve to bypass our defenses, malware does as well. This is why you must run both and keep them up to date.
- Shawna Turner-Rice

The initial product penetration test is a lot like a person going to the doctor for the first time. There will always be many findings. The difficulty is in identifying which ones are actionable. The younger the person or code happens to be, the more of the findings that will be actionable. This is why security is best considered at the beginning of a project, not the end.
- Shawna Turner-Rice

Many attackers attack systems and networks just like thieves go after buildings in the movies. Techniques like casing the perimeter, identifying the patterns of the guards and slowly testing defenses apply. In the physical world, this can involve throwing rocks to find motion detectors, making sounds to distract guards and finding unprotected areas. In IT, this can involve throwing packets to find IDS/IPS systems, sending emails to target employees and finding areas of attack.
- Shawna Turner-Rice

Private data should be thought of as cash. You should know how much you have and where you keep it. You should prevent it from accumulating in unprotected areas. If you have to carry it around, make sure it's protected (in a wallet / with strong encryption). Since the data belongs to someone else, don't move it around without explicit authorization.
- Amar Yousif

The network is like a castle. To defend the castle you need walls, a moat, archers, guards, a drawbridge, etc. Many castles even have a secret door that is used by the townspeople. They use this to bypass the hassle when they need to go out to work the fields. However, this system only works so long as the townspeople are trustworthy and can be relied on to keep the secret door secret. Skilled attackers ignore all the castle's defenses and focus instead on the known weakness. By befriending or posing as a townsperson, they can access the secret door, sneak in, and lower the drawbridge. If a back door exists, it's going to be used.
- Michael Smith

Think of a network like a manned submarine. The submarine is useless without the people inside. It exists to both protect the people from all that water and to get them where they need to go.
* To reduce the risk of a breach, exterior doors should only be opened under specific situations. New doors should not be added while underwater.
* All existing (factory-installed) doors are air-locked with only one door openable at a time, preventing one door failure from causing a breach.
* To protect against a breach from harming the people, there are bulkhead doors that can be shut to compartmentalize the damage.
* Sometimes people go a bit nuts trapped under the water and try to get out. The submarine should do its best to prevent this.
* Because of the danger of the water, anything in direct contact with it must be hardened.
* Because breaches have happened in the past, all submarines must have a plan for responding to breaching.
* If a breach does occur, many assessments should be run before re-exposing the submarine to the water.
* Just because you're in the submarine and cannot see the water does not mean that the threat has vanished.
- Kenton Riley

Distributed denial of service attacks are like tsunamis. They tend to be triggered by a single event and take a while to get to you. In many cases, they are fairly mild, but sometimes they compound and build as they approach you. This can result in an unmanageable catastrophe. If you wait for them to get huge, you may never be able to protect yourself against them.
- Gaurang Pandya

A security program is like a boat.
If it's poor, it's like a boat with holes in it. You can spend so much time plugging the holes and bailing water that you fail to progress towards your destination. However, if you take the time to make your boat seaworthy, you will have a much easier time getting where you're going.
- Jason Gillam