Defense against the Dark Forces
From SecurityForest
As part of our personal rationalization defenses, we ignorantly replace information we receive with other content that is less harmful and that allows us to respond actively.
Is there a correlation between the electronic defenses we build and the rationalization processes that are imprinted on every human being as a personal defense mechanism? Perhaps when we feel forced to build defenses rich in technology we are actually just quieting our consciences, thereby turning a complex and unclear reality into something proven and logical.
Much of the activity in the security field is thought by many of us to be psychological in nature, motivated by fear, ignorance and even fad or fashion.
We need protection from the dark storm clouds of the evil forces gathering above our heads; we are desperate for a firewall umbrella to shield us from the rain drops, and are essentially preparing for a flood that may never come.
Over the past few months I’ve noticed the penetration of appliance “boxes” into the Israeli security market. Apparently, the tie between technology and psychology is more complicated than we thought - it’s not a correlation, but some kind of boy scout knot. Sometimes it’s best to just ask the questions and not bother listening to the echoed answers, so I’ll try to ask in a raised voice.
Do realistic concerns and the desire to deal with uncertain attacks create in us a need to acquire uncertain technological defenses? Do we feel that much safer when we buy a black box that looks different from a plain ol’ server? Is this just the latest fad, a blip on the computer fashion screen? Is the black box in fact just a product of a rationalization system that lets us not just “sit there” but “do something”, even if it’s just buying the latest gadget off the shelf to protect ourselves from an unknown attack?
We tend to feel safest when we’re convinced that we’ve taken all possible measures to defend what’s important to us.
Do our defensive actions flow from a psychological need for security actions, or from an in-depth analysis of the risks we face? Network administrators prefer to analyze the actions taken by other administrators of similar networks, figuring that the risks are similar, therefore the solutions should be similar. However, this type of comparison can be misleading, and can cause network administrators to select solutions that are inappropriate to a specific scenario.
This tendency to do what the “other guy” is doing also creates a market force that drives security decisions in the wrong direction, reinforcing the trend to pick the wrong solutions.
Nearly every security solution has a right to exist as an active solution to different types of security risks; but what about effectiveness, value, and total cost of ownership, as well as promotion of technological growth within the organization? At any given moment, it’s possible to turn a painful problem into a commercial advantage.
What are the appropriate actions you should take to ensure that you are implementing smart security?
1. Proper risk analysis
2. Analysis of the available technological solutions
3. Identification of existing defense opportunities within your organization’s networks
4. Use your authority over corporate entities to ensure that the actions derived from the analysis are implemented.
5. Psychoanalysis of the computer system: analysis and understanding of the root of the problem, rather than its symptoms.
For example: Installation of an application firewall is often based on a need for defense from insecure code. In this case, there is a basic need for understanding the development process, defining a security policy for developers and establishing security-based work processes.
This must go beyond the standard security quality assurance at the end of the development process - security considerations have to be an inherent part of the development process from the design phase.
Incorporating security in the earliest stages of software development would result in the saving of thousands of dollars in the long run and create a market advantage for the organizations that develop secure code.
6. Assimilation of the conclusions and processes
7. Monthly or bi-monthly security system reviews
8. Understanding that the process starts with exploding the system security myths to allow a fresh, reality-based analysis.
And yet, how is it possible that most of us sense the same security solutions, and still perform the same actions? Is this off-the-shelf psychology or a product that provides a human solution to our needs?
Perhaps we can take some consolation in the fact that we are melding with the most basic of human instincts, therefore the answer lies not in technology but in the nature of our self-concept.
From the very character of the question we understand that the blackness of the box, the uncertainty regarding its function, allows us to acquire a greater sense of security than would the clean exposure of its workings.
And if there is a connection between a black box and basic human psychological instincts, we would do well to remember the words of Stanislav Whosawhatsis, famous for the song, “There ain’t no place like a hole in the ground”.
