Many people are still not getting it. IT security has to be a fundamental component in any IT application. It’s not something you can easily slap on later. But still every so often, when I talk to “IT professionals” about various projects, IT security continues to be an afterthought. Most people are just concerned about rolling out features. Many people understand the importance of code modularity, code re-use, and many other nice principles of software engineering. But few actually think about designing security as a fundamental part of the application.
Some people think IT security is like real-world physical security. You can design and construct a building, then sort out details like the locks, the doors, and the perimeter fencing later. Applied to building application systems, the idea is that you can figure out authentication, access controls and firewalls later. Unfortunately, things aren’t so simple.
The truth is that things aren’t so straightforward in the physical world either. It’s just that in the physical world, the flaws can be seen more obviously, so if you think more deeply, you can appreciate new angles that need to be tackled and deal with the risks as needed. For example, people understand that there can be threats like bombs, gate-crashing vehicles, fire, floods, etc., and if these need to be dealt with, they will do so. Obviously, some of these issues need to be thought out during the design phases of the building project.
With application systems, the threats are not seen, and they are not properly appreciated. You can tell people about them, but many will still not give the entire matter of IT security due attention.
The worst of it is when people know a little but think they know “enough”, do something in-between to address the risks, then live with the false sense of security that all threats have been sufficiently neutralized. Knowing “a little” is often more dangerous than not knowing at all.
Security needs to be addressed holistically. You’ve probably heard the saying that the chain is only as strong as the weakest link. There is no point in fortifying a single component in the chain. If you make the front door of your house too difficult to break into, the burglar will just climb in through the window.
Another thing that I hear from time to time is about security through obscurity. In this day and age, some IT people still believe in this. It’s funny that I’m doing my reservist now, and it has something to do with security too. The army is very much a firm believer in security through secrecy. It doesn’t work. But the people who run it think it does. Oh well, maybe they really do know better, but things are just being implemented wrongly.
The 911 incident is probably one of the most tech-savvy terrorist attacks to date. It’s not IT, no doubt. But they’ve moved on from making bombs to flying big planes. Just think what might be possible had terrorists turned to IT security vulnerabilities. I still cannot believe that one of the big take-home messages from a SCADA security talk I attended was to keep your Windows patches up-to-date.