One of the issues I emphasize when teaching database security is that the layman's notion of "security," as regards information systems, is way off. Even practitioners like myself often casually say one system is secure while another is not secure. It just ain't so. Security is always relative, never absolute.
Lately, it seems that the students have caught on to this more quickly. And when you think of it, most people wise up quickly to the fact that there is no "complete security." Any information system has vulnerabilities. In fact, so does the U.S. Bullion Repository at Fort Knox. There are no guarantees - there is no "secure."
But what do we do, then, as security practitioners? Do we have no metrics for our work at all? Do we have only comparisons? Perhaps Solaris is more secure than Windows, but does that actually mean it's secure enough for some given application system? Does that mean Windows isn't secure enough? Once we have deconstructed our thoughts of security in terms of absolutes, how do we understand the jobs we face or know when we're done?
I would suggest that we look at an attack from the assailant's point of view. Once we have basic security measures in place, we've blocked the script kiddies and other riff-raff. But if your information is valuable, some assailant may well be out there trying to get it. How do we know we've gotten "secure enough"?
I suggest we consider the amount it costs an assailant to breach our system as the primary metric for security of that system. Why? Because if we increase the cost of breach beyond the value the assailant can derive from it, we've handed him a no-win situation. He might as well pack up and find a softer target.
Now, in this "cost" I am including not just expense but risk; the assailant faces many risks, including prosecution. Government sponsors could face international sanctions or retaliation. The serious assailant doesn't take these risks lightly.
And of course, this also illustrates that like every other business analysis, the "cost to breach" equation operates on multiple dimensions. But like everything else in business, it has to come down to money. We don't have an alternative valuation, and most hackers don't either.
Here Fort Knox could help us a lot, so let's pursue the physical security analogy a bit further. It seems no one has ever attacked Fort Knox to steal the gold. Why not? There's north of $200 billion in there - a bit heavy, perhaps, but the density makes it all the more compact. That's quite a payout! I think the obvious answer is that any plausible attempt would start out costly, and still be way too risky. There may be two or more divisions of the U.S. Army encamped around it. How much does it cost to neutralize them? It's in a heavily fortified building with perhaps multiple vaults. Every additional moment of time it takes to conduct the assault brings more and more of the world's fastest military closer to ending the attack - maybe before it has even started. And the time needed to move 4000 tons of gold? And where will you take it - into the back woods of Kentucky? Finally, if the attack fails, the assailant may be dead.
Compared to Fort Knox, you may now see your system as easy pickings. Good! Now - what would you lose in case of breach? Money, reputation, customers, business strategies? What would an assailant gain? Now you're ready to determine what to do to "secure" your system.
Are there ways to make the attack not worth it? Here are some thoughts:
- conceal the protection measures in order to obstruct the assailant from assessing risk
- conceal the assets to obscure the potential payoff of a successful attack
- assemble layered security to increase the amount of effort needed
- impose time delays on attack vectors to add to assailant cost and risk of detection
- lobby for criminal statutes applying to your situation and make sure your sensitive resource fits within the statutes
- establish agreements with business partners obliging them to assume liability in case of breach, and total liability with damages if the breach originated from them
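The "cost to breach" metric and the layering and time-delay measures above, worked through as an added example in Python (not code from the original post): each layer costs the assailant effort, holds him up for a while, and gives monitoring a chance to catch him, with prosecution risk priced as a dollar penalty. The layers, dollar figures, delays and detection rates are all constructed assumptions, chosen only to show the metric flipping.

```python
# Added example, not from the original post: a toy "cost to breach" model.
# Every dollar figure, delay and detection rate below is constructed.
from dataclasses import dataclass
from math import exp


@dataclass(frozen=True)
class Layer:
    """One layer of protection the assailant must defeat."""
    name: str
    effort_cost: float          # assailant's cost to defeat the layer (dollars)
    delay_hours: float          # time the layer forces the assailant to spend
    detections_per_hour: float  # rate at which monitoring catches the intrusion

    def p_undetected(self) -> float:
        # Detection as a Poisson process: the longer the assailant is held
        # up inside this layer, the less likely the attack finishes unnoticed.
        return exp(-self.detections_per_hour * self.delay_hours)

def p_success(layers) -> float:
    """Probability of getting through every layer without being caught."""
    p = 1.0
    for layer in layers:
        p *= layer.p_undetected()
    return p

def expected_cost_to_breach(layers, penalty) -> float:
    """Effort spent plus the risk of prosecution, valued in dollars."""
    effort = sum(layer.effort_cost for layer in layers)
    return effort + (1.0 - p_success(layers)) * penalty

def expected_payoff(layers, payoff) -> float:
    """What the assailant can expect to walk away with."""
    return p_success(layers) * payoff

def secure_enough(layers, payoff, penalty) -> bool:
    """The post's metric: secure enough once breaching costs at least what it pays."""
    return expected_cost_to_breach(layers, penalty) >= expected_payoff(layers, payoff)

# Constructed scenario: a customer database an assailant could sell for $500k,
# with prosecution risk for an overseas assailant valued at only $50k.
PAYOFF, PENALTY = 500_000.0, 50_000.0
BASELINE = [
    Layer("perimeter firewall", effort_cost=5_000, delay_hours=2, detections_per_hour=0.05),
    Layer("database ACLs", effort_cost=20_000, delay_hours=8, detections_per_hour=0.05),
]
# Add a held and reviewed bulk-export step: the post's "time delays on attack vectors".
HARDENED = BASELINE + [
    Layer("export hold + review", effort_cost=10_000, delay_hours=24, detections_per_hour=0.1),
]
```

With the baseline layers the expected payoff (about $303k) still exceeds the expected cost to breach (about $45k), so the attack is worth mounting; the monitored 24-hour export hold drops the expected payoff to about $28k against a cost of about $82k, and the system is "secure enough" by this metric.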
I'm no millionaire, but I have a nice house. My five-year-old MacBook or the last of my dad's antique furniture might be safer if I lived in a shack, since I would seem a less likely target. But instead, I put locks on the doors and have security lighting and alarms. These things have proven to deter crime, but it's not because they're foolproof. It's that they increase the cost and risk of crime. They wouldn't be enough for Fort Knox, but I don't have gold bullion lying around. I'm OK.
So if you're casting about, tearing your hair out trying to figure out whether your information system is secure enough for the sensitive data it holds, consider this: have I imposed on potential attackers a sufficiently high cost to breach?