In addition to being a renowned theoretical physicist, Albert Einstein was also quite a wizard at writing security procedures and processes.
Who better to secure the Manhattan Project than a genius? Well alright. I admit, I may be exaggerating a bit, but many a wise quote is attributed to him that applies to the revision or design of a security process, procedure or policy. Below you will find a short selection of his wisdoms that I find worthwhile when considering security.
“Out of clutter find simplicity; From discord find harmony; In the middle of difficulty, lies opportunity."
Often called Einsteins’ rules of Leadership, this could be a description of the challenges faced when implementing security in almost any organization. There will definitely be clutter, discord and difficulty, but the true security guru sees the patterns and forms amidst all of the chaos.
"Technological progress is like an axe in the hands of a pathological criminal."
There is a fallacy of thinking that throwing more hardware, software, gadgets and manpower at something will solve any and all issues. In most cases, the basics first need to be in order, and that is where most security in the wild fails. The infamous Sony Hack could have been prevented by a simple Input-Sanitation Function to catch SQL Injection. That would have cost nothing but a few hours of development time.
Also, because I can’t resist… For all of you BYOD fans that drag your I-Whatever into work, even though you should know better: Just because you like something, doesn’t make it any more secure. The “I” in I-Pad and I-Phone might as well stand for Insecure.
"Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius -- and a lot of courage -- to move in the opposite direction."
Sometimes, less is more. One of the root causes of insecurity is complexity and scale. So, simplifying and streamlining can go a long way towards avoiding some of the worst security problems. But this needs to be done elegantly, and with skill, bringing us to our next point:
"Everything should be made as simple as possible, but not simpler."
This, and its sibling, “Everything should be as complicated as needed, and not more complex”, should be applied to create an upper and a lower metric to assess your policies. Can it be made simpler? Is it so simple that it does not really address the problem it was meant to solve? Is a 20 step procedure really necessary, or will it just be bypassed by your users because it costs them too much effort and time?
"We can't solve problems by using the same kind of thinking we used when we created them."
This, in my opinion, is Albert’s most valuable nugget of truth. “When all you have is a hammer, every problem looks like a nail” is a more graphic wording of this wisdom, but the sentiment is the same. Of course, this is also one of the most difficult gotchas to avoid. Very few people can even recognize that they are falling into this trap, yet alone bring their ego to admit to it and delegate a task to another person, or take a different, novel or even risky approach. People tend to avoid and even prevent things they do not understand, or directly “feel” themselves.
“The secret to creativity is knowing how to hide your sources."
Don’t try to reinvent the wheel. Lots of folks have spent their precious time writing up guidelines and best practices. You can thank them for it by reading and applying them.
"Peace cannot be kept by force. It can only be achieved by understanding."
Getting your users to work with you is far easier and more cost effective than trying to coerce them into compliance. Monitoring should be used for the really nefarious stuff-- the type of activity that leads to a data breach or a lawsuit. Productivity monitoring is not a security task, and device health monitoring should not be done in a SOC. You will dilute and risk your security posture by insisting it is.
"The only thing that interferes with my learning is my education."
Corporate is always big on security training, preferably death by Power Point, or the recently discovered 21st century replacement, a web-cast. Traditional Security Training is great to fulfil compliance and insurance regulations, yet users are as clueless about security as ever, so something hasn’t panned out as envisioned. Users learn best when challenged intellectually, and when they are treated as grownups. That means that interactive sessions, for example, incorporating aspects that are also relevant to them outside of work, will have far greater success than just making them sit through hours of boring slides.
"Two things are infinite: the universe and human stupidity; and I'm not sure about the universe."
Never underestimate the power of stupidity. Try to make your policies intuitive to follow, and test them on a wide variety of users before deploying them into production. That way you can try to catch misunderstandings and misinterpretations before they become a bigger problem.
"Whoever undertakes to set himself up as a judge of Truth and Knowledge is shipwrecked by the laughter of the gods."
This one is generally a good tip, and is applicable in many ways. Try to listen to your users -- they might not know much about the high black art of hacking, but they can tell you what is clumsy or easy to bypass. Another aspect of this is to not believe that you can actually find every security problem by yourself, i.e. get audited regularly by third parties.
"Not everything that counts can be counted, and not everything that can be counted counts." (from a sign hanging in Einstein’s office at Princeton)
There is a tendency to over-rely on metrics. Metrics can only take you so far, especially where complex systems with emergent properties and unpredictable, uncontrollable third parties are involved. The gathering and calculation of useless metrics also costs time and resources that could be better spent doing actual, useful security work. Only rely on and include metrics that will help you provide better defence, and avoid grand-looking, but redundant management reports. Find better ways of proving security’s worth. A review of other businesses that had pretty reports, but were breached all the same usually does the job in my experience. The best way of showing the value of something that is taken for granted is by showing what happens when it fails. While we cannot instigate such a breach on our own turf, it does pay to highlight these failures when they appear elsewhere. Fear, as any marketer will tell you, is a great motivator to do what is right.
I hope these have given you a few pointers, ideas or inspirations. More importantly, I hope this column shows you that the Security Guru has to be more than just a technician, and that his education must reach far beyond I.T. It is easy to forget that there is a reason for the procedures, policies and approaches that we use and advocate beyond having some in place - they are meant to secure the assets we have been entrusted with, and most importantly, someone, somewhere actually has to use and follow these. Looking at them through a different set of lenses will allow you to place them in a real world context, something often forgotten because we are so intent on just getting work done.
For some more quotes attributed to the great Einstein look here.