Wednesday, April 23, 2008

The value of Security Theater

During HiTB Dubai (2008) I attended Bruce Schneier’s keynote speech based on his "The Feeling and Reality of Security" post. The fundamental premise is, “You can feel secure even though you're not, and you can be secure even though you don't feel it.” Most of the time in the infosec industry we’re transfixed on what activities truly make things more secure and tend to ignore/ridicule what provides the latter, commonly known as “security theater”. We argue over what solutions should fall into which bucket.

There was a particular point in Bruce’s speech that piqued my interest in that there really is value in learning how to create good security theater. For example, most of us are familiar with the comedy that is airport security. Flying, by all measurable factors, is much safer than other forms of transportation such as driving, but we expect certain precautions to be taken even though they really don’t reduce security risk. So we consent to metal detector searches, X-rays, pat downs, shoe and laptop removal, ID check points, etc. Because if we didn’t, the general public would not “feel” safe enough to fly.

As I was discussing with Bruce over lunch afterwards, security theater does in fact add a lot of value to the business and consumer by helping people make the right risk decisions, albeit for the wrong reasons. People will feel safe enough even though they are not and go about their daily lives. I wasn’t expecting Bruce to agree with this characterization, but he did. This was further reinforced by another example he gave, the story of tamper-proof bottle caps.

Apparently some time ago there was an incident where pill bottles were secretly opened, poisoned, and placed back on the store shelf. People died and a lot of news resulted (because it was rare), causing a state of fear. While the odds of anyone meeting an untimely death in this way are astronomically low, people stayed away because they no longer felt safe, and sales dropped. Something had to be done.

To combat the situation, the bottle manufacturers introduced something called the tamper-proof cap. The way it was marketed, because they now have this new innovative secure design, this type of thing could never happen again. Despite a number of ways the tamper-proof cap could be defeated, a syringe being one, people felt safe and went back to buying even though “real” security did not change. Amazing.

I then began to think about what really makes for good security theater. Can a generic strategy or methodology be developed? We need something describing the fundamental aspects that must be in place to influence people to feel safe while behind the scenes we go about implementing the truly effective solutions. Something like the 7 strategies of effective security theater. Maybe this has already been written and I just missed it. If so, let me know. If not, we should be aware of and familiar with these techniques, as it might make us more valuable overall.


Awesome AnDrEw said...

It's interesting that you've brought this topic up, because only recently was I having one of those occasional and meaningful conversations about how the general public has become complacent with security in a general sense. A lot of it is merely psychological, but it seems to put the overall group at ease. Do the physical dead-bolts and locks on doors make people feel more secure? Sure they do, but they can easily be circumvented through the use of "bump keys", power tools, or just a good old-fashioned boot through the door.
The same idea really applies to computer security as well. How many people go out and buy a Linksys router, push that little button for the "secure setup", and then believe that their network is impenetrable despite the fact WEP is inherently vulnerable, the keyphrase is as small as it possibly can be, and the default security settings never do anything? "Hacker Safe", PCI compliance, and everything else only serve the purpose of alleviating the average (or less than average) individual's concern for privacy and security, and nothing more.

P.S. I believe the incident you referred to was with Tylenol in the middle to late 1980s, and I'm also almost positive it was Arsenic or Cyanide that was placed within the pills.

Cello Muser said...

Hi Jeremiah. Interesting post. I would like to get more of your perspective about who benefits more from “security theater” and whether you think there is reduction in risk by utilizing security theater.

Is security theater more to benefit the consumer / end-user by making them feel more secure? I do not disagree that there could be value to a business – but it depends on the implications to the user and if they think they were misled should an incident occur where their privacy was breached or were targets of some other type of unlawful activity where they experience a loss. A reduction in consumer / end user confidence and/or trust is a loss form and one could argue that if security theater is misused – solely to gain confidence trust – in absence of security controls – the magnitude of loss in other forms (like lawsuits, class actions, fines) would go up – should an incident occur.

Or, is security theater meant to be a deterrent – which could be argued as a security control - to the bad guys? Your example, with the medication bottle reflects that it was effective to build back up consumer trust in that product – but there appears to be no data on how effective the controls were against the bad guys since the tamper proofing mechanisms were implemented. Apparently, what the manufacturer did was effective.

In this scenario, the bottle manufacturers were able to both decrease the threat capability of a certain threat community as well as reduce the magnitude of loss – from a previous incident - but potentially future incidents depending on the circumstances.

As an aside, some of the terminology in my comment (risk, loss form, threat capability) are in the context of the FAIR risk assessment methodology.

Dan Weber said...

I remember the Tylenol scare.

People were overreacting and fleeing Tylenol, but the attack could have happened to any other brand.

Jeremiah Grossman said...

@Andrew, oh yes, I'm sure the concept must have been discussed over and over again, I think it's nice that Bruce has given it a name so everyone knows what each other is talking about. For my part I don't think the general public has become complacent so much as they don't have the time or the expertise to judge risk adequately. At least not on everything all the time, so they put their trust in some authority. They rely on the experts. We go to doctors, lawyers, FDA, MPAA, and so on. What I'm most interested in is how TO create effective security theater. That has got to be a skill in and of itself.

@Cell, excellent question and I'm not sure I have much concrete to offer that you probably haven't already considered. When you ask, "who benefits more" or "can security theater be abused," you land on very shaky ground.

In my opinion security theater COULD be used to benefit the customer and the business, but it doesn't have to. In fact the customer is probably rarely helped unless it's in the direct benefit to the business to do so. The business could very well be completely self-serving and not take any REAL security measures going forward.

Most security experts like to be able to identify the difference between real security and security theater, but that can be extremely challenging. As it is to tell if the business has done anything other than security theater even when we spot it. I guess what I'm saying is all scenarios are probably still on the table.

pete said...

One way we've been revealing security theater is through the measurement of an attack surface. We can factually measure how large the exposure is to threats, then we can also see what effect the controls have on reducing that exposure. When it's just security theater or the wrong control applied then there is less or no reduction of the exposure size. For example, we looked at airport security and found that the fragmented use of authentication (items you need to have and those you may not have to board), although it has been called security theater, actually could minimize certain threats. However, it is not effectively enforced or controlled and it does not scale (to other threats or multiple passengers).

Now we can do this for systems, networks, and web applications as well. In our SCARE project we even apply this method to source code.

What it comes down to is not what you have for security but how it works. But if security people keep insisting on having certain security solutions instead of having certain security operations then we won't come out of the hole anytime soon. And all these regulations that outline solutions are only making solution makers more secure (financially).

LonerVamp said...

Jeremiah, I think some certifications are trying to accomplish this sense of security. Lots of people will happily wrap themselves with the warm blanket of PCI. But then when things like Hannaford happen, it hurts the image of PCI more than anything. Did PCI suddenly become less valued? No. Us geeks knew the holes all along. But other people have been buying into some theater (self-made or influenced by the media...) with PCI.

Other than that, the best prescription might be having a solid security plan that includes best practices and the well-known protections. In order to accomplish a level of security theater, you need to tackle subjects whose threats and counter-measures can be explained to an executive in 2 minutes. If it is too detailed, specific, or technical, it cannot be used (yet) as part of the approach.

Get the people that matter to feel more secure based on those best practices. This lends credibility and results to your campaign to later implement the truly effective security measures that are more at home in the bowels of the IT/Sec departments.

One caveat to security theater is when a company starts drinking its own kool-aid. So your customers feel secure. And you, the good security geek, want to implement the truly effective solutions. Why would management buy into that and spend money on it, when they feel secure?

This is where a big divide begins, between the geeks yearning to implement the truly effective security vs the risk managers who will only implement as much security as is economically supported.