Saturday, May 24, 2008

Security is all about breaking assumptions !

Anyone with a slight understanding of security would appreciate the fact that security is all about breaking assumptions. Any system is always built with certain assumptions because otherwise the system requirements will tend to be infinite. Hackers always target the assumptions to break the system. It thus becomes very important for system and process designers to be very careful about the assumptions they make for their system. I believe that systems which stand the test of time are the ones that have their assumptions clearly laid out and which provide their users a clear understanding of the strengths and weaknesses of the system.

While one may say that the above is clearly very logical and there is nothing surprising about it, reality indicates that not many get this simple axiom right. But there seems to be a paradoxical situation here. I said that a system cannot be built without assumptions and also that security is all about breaking assumptions. So that would imply that there is nothing called 100% secure !!! And as it turns out, that is precisely the point.
Vendors who claim that their products provide 100% security or are 100% secure are essentially trying to fool the customers or maybe even themselves.

A case in point, there was a very recent incident in the US involving the company LifeLock (read this). LifeLock is a company which guarantees protection against identity theft. Infact, its CEO advertises his own Social Security Number on the website and claims that their service guarantees complete protection against identity thefts. They do this by setting fraud alerts at the three major Credit Bureaus namely, Experian, TransUnion and Equifax. They thought that by doing this , anyone who tries to use a SSN not belonging to himself will get caught. But they made a very very big assumption here that any of the outfits like CreditCard companies, banks etc. will always run a credit check before activitating services for an individual. Guess what ! they were proved wrong in a really stupid way. Someone stole the CEO's own identity from his website and took a $500 loan in the CEO's name. The reason the fraud alerts did not get tripped was because the loan company did not bother to run a credit check at all !!

The take home message from this post is thus two-fold
  1. If you are a customer, carefully evaulate the security assumptions yourself without getting sold to the vendors advertising.
  2. If you are vendor, make sure that all your assumptions are clearly stated and avoid hidden ones.