On July 16, 2001, Bruce Schneier gave testimony before the Senate Subcommittee on Science, Technology, and Space of the Committee on Commerce, Science and Transportation. A complete transcript of his testimony is available here, and I strongly encourage that it be read in its entirety. However, I want to emphasize a central theme from Mr. Schneier’s testimony:
Real-world security includes prevention, detection, and response. If the prevention mechanisms were perfect, you wouldn’t need detection and response. But no prevention mechanism is perfect. This is especially true for computer networks.
I expect a number of network administrators will roll their eyes and say to themselves, “oh please, not another soapbox on the need for better network security measures.” I agree vigorously with those readers, and I offer that in an age of increasing state-sponsored cyber-warfare and terrorism and increasingly sophisticated private-sector industrial espionage, we should give up the arms race. As technology professionals, developers, and engineers, we should recognize that building the better mousetrap has not prevented and will not prevent breaches, thefts, or the embarrassing publication of diplomatic “secrets” (http://www.wikileaks.ch/).
According to the archaeological record, the lock was invented nearly 4,000 years ago, and in those 4,000 years no lock has been created that cannot be picked, broken, or circumvented. As Mr. Schneier points out in his testimony, criminals rarely even try to break the lock itself; they find creative ways around it by any means necessary. We live in a world where the data of 45.7 million customers, including credit card numbers, can be stolen from a retail outlet without anyone ever setting foot inside the building.
When I say we should give up the arms race, I don’t mean that we give away that which must be protected; we just need to pay attention. Deploying more prevention measures, adding more locks to the doors, isn’t making our information assets substantially safer, but deploying monitoring solutions that have been effectively tuned and configured will increase the safety of those assets significantly. Chances are that if you are an organization of any size, you already have all the pieces you need to mitigate the risks your assets are exposed to, but you may not have deployed and configured those tools to maximize your ability to detect and respond to potential attacks. You may be in the position where all you really need is a good watchdog to make sure you know when someone is trying to climb the fence. Training that watchdog so that it doesn’t bark at every passing car but lets you know when a true threat presents itself is where true protection and security lie.
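To make the watchdog metaphor concrete, here is an added example (my own illustration, not code from the post or from Mr. Schneier) that runs two detection rules over a handful of constructed authentication log lines: a naive rule that barks at every failed login, and a tuned rule that only alerts when one source piles up failures inside a short window, escalating if that source then logs in successfully. The log format, threshold and window are assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real data): timestamp, source IP, user, outcome.
SAMPLE_LOG = """\
2001-07-16T09:00:01 src=10.0.0.5 user=alice result=fail
2001-07-16T09:00:40 src=10.0.0.5 user=alice result=success
2001-07-16T09:05:00 src=10.0.0.7 user=bob result=fail
2001-07-16T09:05:02 src=203.0.113.9 user=bob result=fail
2001-07-16T09:05:03 src=203.0.113.9 user=bob result=fail
2001-07-16T09:05:04 src=203.0.113.9 user=bob result=fail
2001-07-16T09:05:05 src=203.0.113.9 user=bob result=fail
2001-07-16T09:05:06 src=203.0.113.9 user=bob result=fail
2001-07-16T09:05:07 src=203.0.113.9 user=bob result=success
"""

def parse(log):
    """Turn the assumed key=value log format into a list of event dicts."""
    events = []
    for line in log.splitlines():
        ts, src, user, result = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "src": src.split("=", 1)[1],
            "user": user.split("=", 1)[1],
            "result": result.split("=", 1)[1],
        })
    return events

def naive_alerts(events):
    """Untrained watchdog: bark at every failed login (two mistyped passwords
    from legitimate users produce as much noise as a real attack)."""
    return [e for e in events if e["result"] == "fail"]

def tuned_alerts(events, threshold=5, window=timedelta(minutes=2)):
    """Trained watchdog: alert once when a single source reaches `threshold`
    failures inside a sliding `window`, then escalate if it later succeeds."""
    alerts = []
    recent = defaultdict(list)   # src -> timestamps of failures still in the window
    flagged = set()              # sources already reported as brute-forcing
    for e in events:
        src = e["src"]
        recent[src] = [t for t in recent[src] if e["ts"] - t <= window]
        if e["result"] == "fail":
            recent[src].append(e["ts"])
            if len(recent[src]) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("brute_force", src, e["ts"]))
        elif src in flagged:
            alerts.append(("success_after_brute_force", src, e["ts"]))
    return alerts
```

On the sample above the naive rule raises seven alerts, two of them for ordinary typos, while the tuned rule raises two, both about the one source worth a response.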