Is poor security better than no security at all? Discuss

<<

dalepearson

Sr. Member

Posts: 357

Joined: Thu Nov 09, 2006 10:03 am

Post Wed Jul 08, 2009 3:28 pm

Is poor security better than no security at all? Discuss

I did a search and don't see this topic elsewhere, but please correct me if I am wrong.
We have a large amount of knowledgeable and talented people on this site, so I thought this could be an interesting topic of debate.

So what do you think, is poor security better than no security at all?
My thoughts are somewhat torn on this issue. If we deploy security to something it usually means we have something to protect, and this in itself may attract attention. However, if we implement a poor or weak solution, are we then in fact causing ourselves more work and actually increasing the risk of exploitation of what we want to protect?

I want to say that something is better than nothing, but at the same time in some ways I am undecided. Thoughts and opinions guys and gals.
<<

RoleReversal

Hero Member

Posts: 929

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Wed Jul 08, 2009 4:17 pm

Re: Is poor security better than no security at all? Discuss

That's a bit deep, I'm guessing everyone will have their own opinion, likely in conflict with mine, but here goes:

Depends what you mean by 'poor'. If the implemented security (for the sake of example, patching & perimeter filtering) isn't sufficient to stand up to the general background noise of automated scans and attacks then you may as well not bother. In my experience, systems with security this poor aren't considered a valuable asset on their own, potentially with no confidential or protected data, but the real threat is the damage and actions this box can take once compromised, both as a launching ground for further intrusion attempts or additional scanning/attacking of third parties.

If the system has data requiring protection then the security implemented needs to be able to withstand a level of attack in line with what is going to be thrown against the environment; if it can't withstand the risks then again, why bother?

Unfortunately, the above assumes that all admins and security personnel are able to provide the adequate level of security for their environment. As this isn't always the case, I do believe that any security is better than no security at all. I'm constantly amazed at the ways people are able to compromise systems, so fully believe that no system can be fully secure (and remain usable). To me, the key is to know the level of security in place, know its weaknesses (and mitigate the best you can) and monitor the environment for signs of compromise to respond rapidly and appropriately.

Above all, practice defense in depth; no single piece of security hardware or configuration will provide a silver bullet, but with the right combination of 'poor' security the overall environment can be largely impenetrable.

I'd agree with most of your comments but I'm struggling to understand your argument that implementing poor security may actually increase risk to an environment; what's your logic?

Nice question though, nothing quite like a debate with no right answer.
<<

dalepearson

Sr. Member

Posts: 357

Joined: Thu Nov 09, 2006 10:03 am

Post Wed Jul 08, 2009 4:33 pm

Re: Is poor security better than no security at all? Discuss

Hiya Andrew, good response.
It wasn't a statement as such, more of a question.

For example, let's say a company doesn't deploy AV because they don't believe there is a benefit. Then at a later date they have a rethink and implement an AV solution, and for some reason the AV solution has a vulnerability associated with it; this then gives an attack vector. So were the company better off without AV protection and not knowing about possible risks already in / entering the network, or are they better off with protection from these possible risks, but introducing another?

I am just trying to spark some interesting debate; I don't think there is a right or wrong answer. I can't remember the topic now, but I remember reading something about a door, and whether it is better without a lock, as when you add a lock, you need a hole, and this adds a weakness and pressure point to the door.
<<

UNIX

Hero Member

Posts: 1253

Joined: Mon Apr 28, 2008 9:20 am

Post Thu Jul 09, 2009 1:10 am

Re: Is poor security better than no security at all? Discuss

Poor security or no security at all is no "real" question for me at all. If someone has to implement some sort of security but knows that it is lacking in some areas, why would she not try to secure those too? The only thing I can imagine right now is maybe because of money, but then I would suggest focusing on the most important and maybe obvious security features.
If someone is serious about implementing security but doesn't know that it could be done better, she doesn't know that it is poor security at all and is not aware of it (therefore the question of implementing poor/weak security or none at all does not arise here). This scenario may not occur in a company where a security section is available and responsible, but think of a small or new company where someone has to do this kind of thing although it is not usually her duty or responsibility.

The example you have given with the door is interesting, but without a lock it would be even easier to go through it, as you have nothing to do but walk. If there is a lock, even if it is a poor one, you have to bring up some effort and time in order to bypass it, even if it is not worth mentioning.
I think similarly about the AV software. Although it may be vulnerable to some sort of exploit, the benefit from such software is bigger than its disadvantages.
I think when security is implemented it should be compared by its advantages and disadvantages, usability, importance, range and a lot more factors.
When I talk with some sort of customers, or even with people in my free time, about such topics I mostly recommend hiring on a regular basis a company which does security assessments and similar in order to keep everything as safe as possible. Teaching security awareness to the employees on a regular basis, including possible threats, would certainly not be a bad idea at all.

When implementing security it is important to keep in mind that not everyone has security awareness and general knowledge of computers. So even poor security may add additional layers of protection which may not prevent hackers, but script kiddies, from penetrating.

As stated before, I think too that no absolute security is possible.
<<

dalepearson

Sr. Member

Posts: 357

Joined: Thu Nov 09, 2006 10:03 am

Post Thu Jul 09, 2009 2:31 am

Re: Is poor security better than no security at all? Discuss

Keep the discussion going guys, it's interesting.
I did some searching last night and found the quote that resurfaced in my mind to post this discussion.
It's from the OSSTMM v3:

The Bad Lock Example

Is a bad lock on a door better than no lock at all? An Analyst must use Critical Security Thinking (CST), a form of logic skills to overcome the innate sense of security we carry to understand why bad controls can increase the attack surface to greater than no control at all. Further study and practice in CST is available through ISECOM partners as part of certification training.

Common thought is that adding controls with limitations is better than having none at all. Is it not better to have a poor lock than to have no lock at all? After all, as conventional wisdom suggests, a wisdom borne of emotion rather than verification, some “security” is better than none. This is why the analogy of the lock is such a good example and actually does better to answer the question than any other because it shows so well how we misunderstand controls that are so common around us.

Ask anyone who has had to break open a locked door where they kick or hit the door to open it. That answer differs whether it is a key lock opened from the outside as opposed to a bolt lock on the inside. There's a reason for this.

When a lock (which is considered the authentication control) is added to a door, the heavy, solid door needs to have a space hollowed out and the lock inserted. That creates a limitation, a weak spot in the door. So does adding a handle. Doors with no handles or internal locks do not have this limitation. However they require the door to be opened from the inside by another means. So to open a door with that kind of lock, you kick or hit the door at the handle or lock mechanism.

If there is a bolt lock, that limitation does not exist because the door remains solid. Those doors often require a force to open that will sooner break the door than the lock. Doors made to withstand high pressures have the bolts on the outside and the opening mechanism in the center of the door as a small hole, like doors on a boat or submarine, to avoid the weaknesses of hollowing out part of the door.

Now to more directly answer the question: if it is better to have a weak lock than no lock. This question refers to a door with the minimum, a cheap or simple key lock (authentication) that can be bypassed by someone who wants to enter. So if we know the authentication is weak, then we know somebody can get in and even worse, they can do it without damaging the lock or the door, which means we may have no knowledge of the intrusion. If you think, well, that's okay because our problem isn't the real crooks, it's the opportunists looking for the low-hanging fruit, then you're making a risk decision and that does not affect your attack surface, which is made from what you have and not what you want. Furthermore, having a lock at all implies, most of all to the opportunists, that there is something of value inside.

If you add a control, any control, you increase the attackable surface of anything. If that new thing you add brings a new attack vector then you were probably better off without. In some cases, the new attack vector is smaller than the actual amount of safety the new control gives you. However, a good control will have no limitations and can shrink the attack surface.

A lock in a door should not be easily subverted or add to the attack surface in a significant way. Such a lock requires force to open and that adds another control beyond what the lock provides: alarm. A broken lock is a good alert of a break-in.
<<

Phyr3Ph0x

Newbie

Posts: 10

Joined: Sun Jul 05, 2009 10:27 pm

Post Fri Jul 10, 2009 3:31 pm

Re: Is poor security better than no security at all? Discuss

Hiya.

I suppose that WEP would be a good analogy for this debate.
It can be cracked in a few minutes, yet many people, and companies, are happy to use it to 'secure' their wireless network on the assumption that it is safe.
10 minutes on Google would show these people just how insecure it really is, but that apparently is too much effort.
But that aside, it does still offer some security, or at least stops the casual user from stealing bandwidth. With that, it does seem to be better having poor security than none at all...

'ph0x
<<

elcapitan

Newbie

Posts: 28

Joined: Mon Apr 28, 2008 10:16 am

Post Fri Jul 10, 2009 9:20 pm

Re: Is poor security better than no security at all? Discuss

Poor security is better than no security at all, as long as it is acknowledged as poor. Poor security can cause a false level of assurance.

As an example, a client was in the process of retiring plain-text protocols on their network. While upgrading, there were many instances of upgrading to SSH v1. While this is an improvement, it may give a false sense of assurance -- SSH v2 was instead recommended.
CISSP, Security+, CEH, OPP, et alii
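As an added example in the spirit of ElCapitan's audit (this is not code from the thread or any poster), a small Python check that classifies SSH server identification strings in the RFC 4253 form "SSH-protoversion-softwareversion SP comments" and flags hosts that still negotiate protocol 1, including "1.99" servers that accept both versions. The host list and banners are constructed sample data.

```python
"""Flag SSH servers that still offer protocol 1 from a list of banners."""
import re
from typing import Dict, List, Optional

# RFC 4253 s4.2: "SSH-protoversion-softwareversion SP comments CR LF".
_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?:\s+(?P<comments>.*))?$"
)


def parse_ssh_banner(line: str) -> Optional[Dict[str, str]]:
    """Split an SSH identification string; return None if it is not one."""
    m = _BANNER_RE.match(line.strip())
    if not m:
        return None
    return {k: (v or "") for k, v in m.groupdict().items()}


def classify_protocol(proto: str) -> str:
    """Map protoversion to what the server will negotiate (RFC 4253 s5.1)."""
    if proto == "1.99":
        return "v1-and-v2"   # compatibility servers offer both 1.x and 2.0
    if proto.startswith("1."):
        return "v1-only"
    if proto == "2.0":
        return "v2-only"
    return "unknown"


def audit_banners(text: str) -> List[Dict[str, str]]:
    """Return one finding per host that still accepts SSH protocol 1."""
    findings = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        host, _, banner = raw.partition(" ")
        info = parse_ssh_banner(banner)
        verdict = classify_protocol(info["proto"]) if info else "unknown"
        if verdict in ("v1-only", "v1-and-v2"):
            findings.append({"host": host, "proto": info["proto"],
                             "software": info["software"], "verdict": verdict})
    return findings


# Constructed sample: one "host banner" pair per line, not real hosts.
SAMPLE = """\
192.0.2.10 SSH-1.5-OpenSSH_2.9p2
192.0.2.11 SSH-1.99-OpenSSH_3.9p1
192.0.2.12 SSH-2.0-OpenSSH_5.1p1 Debian-5
192.0.2.13 220 mail.example.test ESMTP
"""

if __name__ == "__main__":
    for f in audit_banners(SAMPLE):
        print(f"{f['host']}: {f['software']} offers SSH-1 ({f['verdict']})")
```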
<<

timmedin

Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Tue Jul 14, 2009 6:19 pm

Re: Is poor security better than no security at all? Discuss

ElCapitan wrote: Poor security is better than no security at all, as long as it is acknowledged as poor. Poor security can cause a false level of assurance.

My thoughts exactly. Some level of security is good; the problem is when you rely on and *trust* that weak security. A good analogy for this is "security through obscurity." While it can't be trusted, it does take more time for an attacker to bypass the control, and additional time/resources spent by an attacker is never a bad thing.
twitter.com/timmedin | http://blog.securitywhole.com
<<

UNIX

Hero Member

Posts: 1253

Joined: Mon Apr 28, 2008 9:20 am

Post Wed Jul 15, 2009 1:03 am

Re: Is poor security better than no security at all? Discuss

But then again, why should someone implement security when she knows it is weak, if not because of money? When I only have the choice between WEP or no wireless encryption at all, I would use WEP. But when I have more options available and I choose WEP, I do it probably because I don't know of its weakness and think I am "secure".
