Is poor security better than no security at all? Discuss

    • #3983

      I did a search and don't see this topic elsewhere, but please correct me if I am wrong.
      We have a large amount of knowledgeable and talented people on this site, so I thought this could be an interesting topic of debate.

      So what do you think, is poor security better than no security at all?
      My thoughts are somewhat torn on this issue. If we deploy security to something it usually means we have something to protect, and this in itself may attract attention. However, if we implement a poor or weak solution, are we then in fact causing ourselves more work and actually increasing the risk of exploitation of what we want to protect?

      I want to say that something is better than nothing, but at the same time in some ways I am undecided. Thoughts and opinions guys and gals.

    • #25435

      That’s a bit deep, I’m guessing everyone will have their own opinion, likely in conflict with mine, but here goes:

      Depends what you mean by ‘poor’. If the implemented security (for the sake of example patching & perimeter filtering) isn’t sufficient to stand up to the general background noise of automated scans and attacks then you may as well not bother. In my experience, systems with security this poor aren’t considered a valuable asset on their own, potentially with no confidential or protected data, but the real threat is the damage and actions this box can take once compromised, both as a launching ground for further intrusion attempts or additional scanning/attacking of third parties.

      If the system has data requiring protection then the security implemented needs to be able to withstand a level of attack in line with what is going to be thrown against the environment, if it can’t withstand the risks then again, why bother?

      Unfortunately, the above assumes that all admins and security personnel are able to provide the adequate level of security for their environment. As this isn’t always the case, I do believe that any security is better than no security at all. I’m constantly amazed at the ways people are able to compromise systems, so I fully believe that no system can be fully secure (and remain usable). To me, the key is to know the level of security in place, know its weaknesses (and mitigate the best you can) and monitor the environment for signs of compromise to respond rapidly and appropriately.

      Above all, practice defense in depth: no single piece of security hardware or configuration will provide a silver bullet, but with the right combination of ‘poor’ security the overall environment can be largely impenetrable.

      I’d agree with most of your comments but I’m struggling to understand your argument that implementing poor security may actually increase risk to an environment; what’s your logic?

      Nice question though, nothing quite like a debate with no right answer

    • #25436

      Hiya Andrew, good response.
      It wasn't a statement as such, more of a question.

      For example. Let's say a company doesn't deploy AV because they don't believe there is a benefit. Then at a later date they have a rethink and implement an AV solution, and for some reason the AV solution has a vulnerability associated; this then gives an attack vector. So was the company better off without AV protection and not knowing about possible risks already in / entering the network, or are they better off with protection from these possible risks, but introducing another?

      I am just trying to spark some interesting debate; I don't think there is a right or wrong answer. I can't remember the topic now, but I remember reading something about a door, and whether it is better without a lock, as when you add a lock you need a hole, and this adds a weakness and pressure point to the door.

    • #25437

      Poor security or no security at all is no “real” question for me at all. If someone has to implement some sort of security but knows that it is lacking in some areas, why would she not try to secure those too? The only thing I can imagine right now is maybe because of money, but then I would suggest focusing on the most important and maybe obvious security features.
      If someone is serious about implementing security but doesn’t know that it could be done better, she doesn’t know that it is poor security at all and is not aware of it (therefore the question of implementing poor/weak security or none at all does not arise here). This scenario may not occur in a company where a security section is available and responsible, but think of a small or new company where someone has to do this kind of thing although it is not usually her duty or responsibility.

      The example you have given with the door is interesting, but without a lock it would be even easier to go through it as you have nothing to do but walk. If there is a lock, even if it is a poor one, you have to put in some effort and time in order to bypass it, even if it is not worth mentioning.
      I think similarly about the AV software. Although it may be vulnerable to some sort of exploit, the benefit from such software is bigger than its disadvantages.
      I think when security is implemented it should be compared by its advantages and disadvantages, usability, importance, range and a lot more factors.
      When I talk with some sort of customers or even with people in my free time about such topics I mostly recommend hiring, on a regular basis, a company which does security assessments and similar in order to keep everything as safe as possible. Teaching security awareness to the employees on a regular basis, including possible threats, would certainly not be a bad idea at all.

      When implementing security it is important to keep in mind that not everyone has security awareness and general knowledge of computers. So even poor security may add additional layers of protection which may not prevent hackers, but will stop script kiddies from penetration.

      As stated before, I think too that no absolute security is possible.

    • #25438

      Keep the discussion going guys, it's interesting.
      I did some searching last night and found the quote that resurfaced in my mind to post this discussion.
      It's from the OSSTMM v3:

      The Bad Lock Example
      Is a bad lock on a door better than no lock at all? An Analyst must use Critical Security Thinking
      (CST), a form of logic skills to overcome the innate sense of security we carry to understand why
      bad controls can increase the attack surface to greater than no control at all. Further study and
      practice in CST is available through ISECOM partners as part of certification training.
      Common thought is that adding controls with limitations are better than having none at all. Is it not
      better to have a poor lock than to have no lock at all? After all, as conventional wisdom suggests,
      a wisdom borne of emotion rather than verification, some “security” is better than none. This is why
      the analogy of the lock is such a good example and actually does better to answer the question
      than any other because it shows so well how we misunderstand controls that are so common
      around us.
      Ask anyone who has had to break open a locked door where they kick or hit the door to open it?
      That answer differs whether it is a key lock opened from the outside as opposed to a bolt lock on
      the inside. There’s a reason for this.
      When a lock (which is considered the authentication control) is added to a door, the heavy, solid
      door needs to have a space hollowed out and the lock inserted. That creates a limitation, a weak
      spot in the door. So does adding a handle. Doors with no handles or internal locks do not have this
      limitation. However they require the door to be opened from the inside in another means. So to
      open a door with that kind of lock, you kick or hit the door at the handle or lock mechanism.
      If there is a bolt lock, that limitation does not exist because the door remains solid. Those doors
      often require a force to open that will sooner break the door than the lock. Doors made to
      withstand high pressures have the bolts on the outside and the opening mechanism in the center
      of the door as a small hole, like doors on a boat or submarine, to avoid the weaknesses of
      hollowing out part of the door.
      Now to more directly answer the question: if it is better to have a weak lock than no lock. This
      question refers to a door with the minimum, a cheap or simple key lock (authentication) that can
      be bypassed by someone who wants to enter. So if we know the authentication is weak, then we
      know somebody can get in and even worse, they can do it without damaging the lock or the
      door which means we may have no knowledge of the intrusion. If you think, well, that’s okay
      because our problem isn’t the real crooks, it’s the opportunists looking for the low-hanging fruit
      then you’re making a risk decision and that does not affect your attack surface which is made
      from what you have and not what you want. Furthermore, by having a lock at all implies, most of
      all to the opportunists, that there is something of value inside.
      If you add a control, any control, you increase the attackable surface of anything. If that new
      thing you add brings a new attack vector then you were probably better off without. In some
      cases, the new attack vector is smaller than the actual amount of safety the new control gives
      you. However, a good control will have no limitations and can shrink the attack surface.
      A lock in a door should not be easily subverted or add to the attack surface in a significant way.
      Such a lock requires force to open and that adds another control then which the lock provides,
      alarm. A broken lock is a good alert of a break-in.

    • #25439


      I suppose that WEP would be a good analogy for this debate.
      It can be cracked in a few minutes, yet many people, and companies, are happy to use it to ‘secure’ their wireless network on the assumption that it is safe.
      10 minutes on Google would show these people just how insecure it really is, but that apparently is too much effort.
      But that aside, it does still offer some security, or at least stops the casual user from stealing bandwidth.  With that, it does seem to be better having poor security than none at all…

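      Why WEP falls in minutes, as an added worked example (Python written for this edit, not code from the post or the forum): WEP's 24-bit IV travels in the clear, and the RC4 keystream is a function of IV||key only, so any two frames that repeat an IV are XORed with the same keystream. An attacker who knows one plaintext (the LLC/SNAP header that every IPv4 frame starts with is enough to begin with) recovers the other without ever touching the key. The 40-bit key, the IV and both payloads below are constructed for the demonstration; the CRC-32 ICV is included so the frame layout matches what WEP actually transmits, minus the 802.11 header.

```python
import math
import struct
import zlib

IV_LEN = 3          # WEP IV is 24 bits, sent in the clear in front of every frame
IV_SPACE = 1 << 24  # so there are only 16,777,216 possible keystreams per key


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA), the cipher WEP uses. Returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Build a WEP data body: IV || RC4_{IV||key}(plaintext || CRC-32 ICV)."""
    if len(iv) != IV_LEN:
        raise ValueError("WEP IV must be 3 bytes")
    body = plaintext + struct.pack("<I", zlib.crc32(plaintext))   # ICV is a plain CRC, no MAC
    ks = rc4_keystream(iv + shared_key, len(body))
    return iv + bytes(p ^ k for p, k in zip(body, ks))


def recover_with_known_plaintext(frame_a: bytes, frame_b: bytes, known_plaintext_a: bytes) -> bytes:
    """Two frames under one IV share a keystream, so C_a XOR C_b == P_a XOR P_b.
    Knowing P_a therefore yields P_b (as far as P_a is known) without the key."""
    iv_a, iv_b = frame_a[:IV_LEN], frame_b[:IV_LEN]
    if iv_a != iv_b:
        raise ValueError("IVs differ; no keystream reuse to exploit")
    c_a, c_b = frame_a[IV_LEN:], frame_b[IV_LEN:]
    n = min(len(c_a), len(c_b), len(known_plaintext_a))
    return bytes(c_a[i] ^ c_b[i] ^ known_plaintext_a[i] for i in range(n))


def frames_until_iv_collision(probability: float = 0.5) -> float:
    """Birthday bound: frames observed before some IV repeats with the given probability
    even if the station picks IVs uniformly at random (real drivers did worse)."""
    return math.sqrt(2 * IV_SPACE * math.log(1 / (1 - probability)))


def demo():
    """Constructed scenario: two frames encrypted under the same IV."""
    key = bytes.fromhex("0badc0ffee")          # constructed 40-bit WEP key
    iv = b"\x13\x37\x42"                        # the reused IV
    snap = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"  # LLC/SNAP header of every IPv4 frame: predictable
    p_a = snap + b"known probe!"                # plaintext the attacker knows or induced
    p_b = snap + b"secret data!"                # victim's frame the attacker wants
    frame_a = wep_encrypt(key, iv, p_a)
    frame_b = wep_encrypt(key, iv, p_b)
    recovered = recover_with_known_plaintext(frame_a, frame_b, p_a)
    return p_b, recovered


if __name__ == "__main__":
    secret, got = demo()
    print("recovered without key:", got == secret, got)
    print("frames until a 50% IV collision:", round(frames_until_iv_collision()))
```

      Around 4,800 frames are enough for a coin-flip chance of an IV repeat, which is seconds of traffic on a busy network; the real-world key-recovery attacks go further than this, but keystream reuse alone already defeats confidentiality, which is the sense in which WEP is "poor security" rather than no security.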

    • #25440

      Poor security is better than no security at all, as long as it is acknowledged as poor. Poor security can cause a false level of assurance.

      As an example, a client was in the process of retiring plain-text protocols on their network. While upgrading, there were many instances of upgrading to SSH v1. While this is an improvement, it may give a false sense of assurance — SSH v2 was instead recommended.
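      The check behind that recommendation, as an added example (Python written for this edit, not the poster's code): read an sshd_config the way sshd does and report whether protocol 1 is still on. The sample configuration is constructed; it mirrors the situation in the post, where the upgrade left `2,1` in place and a later `Protocol 2` line has no effect because sshd honours the first value it sees for a keyword. Keep in mind that OpenSSH 7.4 and later cannot serve protocol 1 at all, so the check matters on the older and third-party servers where such an upgrade would have landed.

```python
import re

# Constructed sample, not a real host's configuration.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed example)
Port 22
protocol 2,1
PermitRootLogin no
Protocol 2      # no effect: sshd uses the first value given for a keyword
"""

# keyword, then either '=' or whitespace, then the value (sshd accepts both forms)
_LINE = re.compile(r"^\s*(?P<key>[A-Za-z]+)\s*(?:=|\s)\s*(?P<value>.*?)\s*$")


def sshd_option(config_text: str, keyword: str):
    """Return the first value given for `keyword`, as sshd does: first match wins,
    keywords are case-insensitive, '#' starts a comment. None if never set."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0]
        m = _LINE.match(line)
        if m and m.group("key").lower() == keyword.lower():
            return m.group("value")
    return None


def ssh_protocol_versions(config_text: str):
    """Ordered list of protocol versions from the Protocol line, or None if the
    line is absent (the build default applies, which is 2 on any OpenSSH still in service)."""
    value = sshd_option(config_text, "Protocol")
    if value is None:
        return None
    return [int(v) for v in value.replace(" ", "").split(",") if v]


def audit_ssh_protocol(config_text: str) -> dict:
    """Flag a configuration that still accepts SSH protocol 1."""
    versions = ssh_protocol_versions(config_text)
    v1_enabled = versions is not None and 1 in versions
    finding = ("SSH protocol 1 is accepted; it has known cryptographic weaknesses. Set 'Protocol 2'."
               if v1_enabled else "only protocol 2 is configured (or the default applies)")
    return {"versions": versions, "v1_enabled": v1_enabled, "finding": finding}


if __name__ == "__main__":
    print(audit_ssh_protocol(SAMPLE_SSHD_CONFIG))
```

      The same parser applies to the client-side ssh_config, where a `Protocol` value containing 1 lets a malicious server negotiate the weaker version; the point of the post is that a green checkmark for "no longer plain text" is worth little if nobody looked at which version was actually turned on.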

    • #25441

      @ElCapitan wrote:

      Poor security is better than no security at all, as long as it is acknowledged as poor. Poor security can cause a false level of assurance.

      My thoughts exactly. Some level of security is good, the problem is when you rely on and *trust* that weak security. A good analogy for this is “security through obscurity.” While it can’t be trusted it does take more time for an attacker to bypass the control and additional time/resources spent by an attacker is never a bad thing.

    • #25442

      But then again, why should someone implement security when she knows it is weak if not because of money? When I only have the possibility on WEP or no wireless encryption at all, I would use WEP. But when I have more options available and I chose WEP, I do it probably because I don’t know of its weakness and think I am “secure”.

Copyright ©2022 Caendra, Inc.