Tuesday, October 21, 2008

Cassandra complex

In computer security there is a kind of Cassandra complex.
When the security analyst perceives risk in a situation, it's always something that 'could' happen.
He's actually predicting the future, in a way.
In most cases, though, he's not taken seriously enough... hence 'the Cassandra complex'.

Let's analyze why this happens.
  1. People don't want to know. Ignorance is bliss.
  2. People try hard to avoid thinking about what bad things could happen, especially if it means work for them. They'll try not to listen or will simply discard your recommendations.
  3. People will avoid believing you, because that way it won't become their responsibility.
  4. If it's not really broken... then it doesn't need fixing.
And the consequence is that you will be a Cassandra.

So, how can you avoid being a Cassandra? Let's see some techniques:
  1. Utopian. Work from the beginning with the development and systems guys.
  2. Safe. Log everything you 'predict' and make sure it reaches everyone (e-mail or any other corporate tool).
  3. Evil. If there's a vulnerability, try to exploit it, film it and send it to their manager.
  4. Lazy. Do nothing and make sure you don't get the blame.
Whatever you do, anyway, make sure you follow this advice:
  1. Don't cry wolf at everything, choose what you notify as risk and avoid using FUD. If they ignore you and nothing happens you will start losing credibility.
  2. Justify every risk or vulnerability with background information, past experience, tests or whatever you have to believe there's risk.
  3. Record every piece of advice that was not followed and went wrong, and gather metrics. Numbers convince better than words.
And finally, a kind of prediction from the Nostromo cyborg: 'I can't lie to you about your chances, but you have my sympathies'.

Top ten security habits from experience

From my experience as a security consultant at several big and small companies I have seen many security practices that I find to be most useful.

I'll share them with you in the following list:
  1. Never plan security, let it happen naturally
  2. It's better to apply any security controls in the production environment
  3. No matter what you do, the security guys will know how to secure it
  4. Always trust your internal networks and users
  5. You don't have to notify security, it's their job to know what's going on
  6. Always blame the security staff when something goes awry
  7. Never read any security document
  8. Easy passwords might be guessed, strong passwords will be forgotten
  9. Better to spend in big, expensive, hype-type security consultancy projects than in cheap, small hands-on-security-that-works projects
  10. If they don't know it they can't attack it, obscurity is the best security technique
I hope these tips improve security in your company, if they're not already doing so.