Avoid Security Theater When Safeguarding Your Network
I have recently been in several meetings where I have been asked to provide advice on network and security designs. Many of the conversations revolved around the obvious fear of what is possible … but what truly surprised me was how many times I had to remind people not to participate in the drama of false security—otherwise known as Security Theater. Security Theater is defined as “the practice of investing in countermeasures intended to provide the feeling of improved security while doing little or nothing to actually achieve it.”
Many security techniques of the past have now become Security Theater. By themselves, access control lists (ACLs), firewalls, and intrusion detection are no longer enough. The advent of the Internet of Things (IoT) era brings a heightened level of threat, the likes of which has never been seen before.
Security Theater is all around us, and we participate in it nearly every day, but the truth is that it doesn’t actually make us more secure. Flat routing tables, for example, create a breeding ground for security breaches. Many believe that LANs are flat and routing is not. That couldn’t be further from the truth, especially from the perspective of a hacker. All that a hacker needs is access to the first routing hop, and he can see and probe anything and everything within your network. This means that an air conditioner can be used to steal customer numbers or medical records.
As a further example, ACLs on VLANs do not help once you are at the routing layer. Firewalls have holes that are intentionally left open, like port 80 for simple web browsing.
Surprisingly, a lot has been written on this topic. Bruce Schneier is a prolific writer and presenter on this topic. One of my favorite selections is his classic TED talk called The Security Mirage.
Along this line of thinking, I submit that firewalls and ACLs are psychological crutches that make you feel secure, but they alone don’t actually protect your critical infrastructure from being compromised.
In a previous blog post, Rob Joyce, Chief of the NSA’s Tailored Access Operations, gave four fundamental tips to organizations to better protect their network and IT assets. Number two on the list was to segment networks and data. His reason for stating this is twofold. First, network traffic that is segmented is isolated from other traffic and unseen from outside the segment. Second, a well-segmented network means that if a breach occurs, it can be contained. The difference between a contained and an uncontained breach is the difference between an incident and a catastrophe.
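The containment argument above is easy to check for your own environment with a worst-case reachability walk: treat every host a compromised device can reach at the routing layer as compromisable in turn, and see how far the blast radius spreads under a flat policy versus a segmented one. The following is an added example written for this post, not code from the original or from any vendor; the host names, segments, and the inter-segment policy table are all constructed for illustration.

```python
from collections import deque

# Constructed sample inventory (hypothetical names): host -> network segment.
HOSTS = {
    "thermostat-1": "iot",
    "hvac-controller": "iot",
    "pos-terminal-3": "retail",
    "staff-laptop-7": "users",
    "customer-db": "data",
    "ehr-server": "data",
}

# Assets that must never be reachable from a compromised Thing.
SENSITIVE = {"customer-db", "ehr-server"}

# A policy is the set of (source_segment, destination_segment) pairs the routing
# layer permits. Traffic inside one segment (same VLAN) is always allowed, which is
# why a VLAN ACL alone never limits what a host can do to its own neighbours.
SEGMENTS = set(HOSTS.values())

# Flat network: every segment can reach every other segment.
FLAT_POLICY = {(src, dst) for src in SEGMENTS for dst in SEGMENTS}

# Segmented network: only the flows the business actually needs are permitted.
# Nothing is allowed out of the "iot" segment, and nothing is allowed out of "data".
SEGMENTED_POLICY = {
    ("users", "data"),
    ("retail", "data"),
}


def allowed(src_seg, dst_seg, policy):
    """True if a packet from src_seg may reach dst_seg under this policy."""
    return src_seg == dst_seg or (src_seg, dst_seg) in policy


def reachable(start, hosts, policy):
    """Worst-case lateral movement from `start`.

    Breadth-first walk: every host the attacker can reach is assumed to be
    compromisable, so its segment becomes a new vantage point. Returns the set
    of hosts other than `start` that end up inside the blast radius.
    """
    seen = {start}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for other, segment in hosts.items():
            if other not in seen and allowed(hosts[current], segment, policy):
                seen.add(other)
                queue.append(other)
    return seen - {start}


def exposed_sensitive(start, hosts, policy, sensitive):
    """Sensitive assets inside the blast radius of a compromise at `start`."""
    return reachable(start, hosts, policy) & sensitive


if __name__ == "__main__":
    for label, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        radius = reachable("thermostat-1", HOSTS, policy)
        exposed = exposed_sensitive("thermostat-1", HOSTS, policy, SENSITIVE)
        print(f"{label:9s}: thermostat reaches {len(radius)} host(s); "
              f"sensitive exposed: {sorted(exposed) or 'none'}")
```

Under the flat policy the thermostat reaches all five other hosts, including both data stores; under the segmented policy it reaches only the other device in its own IoT segment. Run the same walk from each host class in your real inventory and the output is a concrete list of which segments still need a rule removed.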
Hopefully this perspective can lead your organization to have a candid conversation about your existing security model. With the exponential growth of IoT, we are no longer building networks just for people; we are building them for Things … and oh, by the way, humans are on there too. I will leave you with one parting thought. If everything is flat, then you are in danger of being hacked from your thermostat!