Blogger: Eric Maiwald
I was reading an article this week about the “hacking” of Intel’s Trusted Execution Technology. For some reason I was not surprised. Then today, I saw “Experts Reveal 25 Coding Errors That Let In Hackers.” The quote that I found interesting in this article was this: “The SANS Institute said it was shocking that most of these common security errors are not understood by programmers.” I have to admit that I don’t find that shocking at all (whether the issue is the programmers making the mistakes or whether the problem is that their training was insufficient). What I’m shocked about is that security folks are shocked about it!
Humans are imperfect. We make mistakes all the time. If I ever forget that part I just have to type a few words and watch how many times I need to backspace to correct a typing error. We make mistakes when we design and build systems and products. Sometimes the mistakes are obvious (like when I type “dhe” instead of “the”) and sometimes the mistakes are subtle and hard to find.
Since we make mistakes, we have learned to live with this fact. A lot of times, people who build complex systems understand the likelihood of a mistake, and they either build some type of verification step into the system or require multiple reviews and tests during the building process before it is put into use. For systems that control processes where the consequences of something bad happening are high, we not only build in verification checks but we also monitor the system. Often we also have people monitoring the people monitoring the system!
So why is it news when we find an error, or a mistake, or a vulnerability in software or hardware products? Why don’t we just assume that there will be mistakes in what we do? I’m not suggesting that we stop testing products or performing code reviews but I think we need to realize that the product of an imperfect human is going to be itself imperfect.
How does this translate into security and risk management? Well, if we assume that there will be errors and vulnerabilities in products and systems, we do not rely on a single control to manage our risk. It really is that simple. Oh sure, there are low-risk cases where it does not make sense to pay for extra controls, but when we have systems whose compromise will impact the enterprise or potentially cause injury or death, it behooves us to implement defense in depth. We don’t assume one control will always work. We install multiple controls. We monitor the system so that we can identify problems and react accordingly.
Last year, I wrote a blog entry, On Response, that mentioned how hard prevention is to do. Our mistakes are what make prevention hard. We can’t possibly construct the perfect preventative mechanism, so we have to include additional controls that detect when our preventative controls fail and allow us to respond. This is just the way things are in our imperfect world. Rather than being surprised when you read about the latest vulnerability or error, just look at it as another reason why we don’t rely on a single control.