Pained by Security Analogies
September 21st, 2007

Whenever I have to resort to using some kind of physical-world analogy to explain an Internet security principle, I can't help but feel that I'm doing a disservice to the people listening.  Depending upon the audiences involved, my analogies have ranged far and wide - jumping from classic home security defenses (e.g. burglar alarms, deadbolts, fences, etc.) through to safety devices in cars (anti-skid braking, airbags, roll-cages, etc.) and even bank surveillance systems (e.g. steel vaults, video cameras, timed locks, etc.).

One of the problems I have with these typical 'themes' is that they just don't adequately map to how businesses actually operate and manage their security.  It's easy to use elements to help explain specific security functions (e.g. a fence around a house represents a firewall, while motion sensing floodlights represent an IDS), but not so easy to explain things such as "preemptive protection".

Ad hoc Analogy

One of the trickiest ones I've had to deal with was the comparative difference between behavioral technologies and signature based protection in relation to uniquely identifying malware threats.  The best analogy I could come up with at the time made use of bullet-proof vests. 

Let's say you're wearing a bullet-proof vest and you feel an almighty whack, and you know that someone's just taken a shot at you.  Your vest stopped the bullet.  With a "signature-based" bullet-proof jacket, it automatically tells you the caliber and make of the bullet.  Meanwhile, with a "behavioral-based" jacket, it automatically tells you that the shot came from the window on the third-floor balcony at your 4 o'clock position.

Which one is giving you the information you really need to know about the current threat?  Do you need to know what hit you, or where it came from if you're to dodge the second shot?

Explaining Defense-in-depth

So, I was trying to think of a way to really explain the principles of defense-in-depth (or defence-in-depth if you're using International English), but I also wanted to find an analogy that was preventative rather than drawn from the classic "safety equates to security" genre.

And, you know what, it's been staring me in the face all the time. Rain!

Think of rain as the threat.  What steps do you need to take to protect against getting wet?

Typically, before you go out into the rain, you'll take some kind of protection with you - be that an umbrella, a rain coat, gumboots (wellingtons or rain-boots if you're not a kiwi), or even a North Atlantic survival suit.

The level of protection you take with you depends upon the perceived level of "threat".  For example, if you're going to be out all day and the weather man said that the probability of scattered showers was going to be 60%, you'd probably pack an umbrella.  However, if he'd said heavy thunderstorms you'd probably be wearing a full set of waterproofs.

What would defense-in-depth equate to then?  If you're expecting heavy showers and only a bit of wind, you'd probably be wearing a rain coat, waterproof trousers and gumboots, and taking a golfing umbrella.  Each protective item thereby provides overlapping, yet complementary, protection.

It's also worth bearing in mind that you adjust your layers and types of protection depending upon the level of threat.  For example, an umbrella, undoubtedly useful at keeping the rain off your head, isn't really going to be worth much if you're on a shipping boat in the Bering Strait during a typical storm.  Instead you'd be better off opting for the full survival suit.  Then again, if you're planning on taking the dog for a walk around the park in a light drizzle, that same survival suit would be a little overkill.

The same principles apply to network security.  Depending upon the level of exposure to threats, you'll want to dress appropriately.  For example, when deploying a typical e-commerce web site, you could compare the firewall to an umbrella, router ACLs to the rain coat, the IPS to the waterproof trousers and passwords to the gumboots.

Anti-spyware Umbrella Hats

Following the same analogy theme, I'd also be cynical about some of the security gimmicks of the world.  Take anti-spyware for example.  At some time in history someone invented the "anti-spyware" industry.  It wasn't a new technological threat; it was an evolution of an existing group of threats.  And yet, for several years (way too many by my count) anti-spyware was the 'must-have' protection.  Luckily it's now been relegated to just another security tick-box that any sensible anti-malware solution already has covered (not that it requires anything extra).

What would I liken anti-spyware to?  Why, one of those dorky umbrella hats of course.  The perfect example of something you thought you needed, but which was already covered by something much better that's been around a lot longer.

Copyright 2001-2007 © Gunter Ollmann