Dr. Johnston's Security Maxims: Sense and Humor

He comes up with maxims such as "Thanks for Nothin'" and "Ignorance is Bliss"
Security Strategies Alert By M. E. Kabay, Network World
June 01, 2009 12:03 AM ET


Having graduate students is like having a thousand sets of eyes and ears: they are always noticing neat stuff and sending pointers that stimulate thought or – as often – cause delighted laughter. Jan Buitron, CISSP, MCSE, ITIL Foundations Certified, Network +, who last appeared in this newsletter in a series of columns in September 2008, sent me a reference to a hilarious and valuable compilation of security maxims by Dr. Roger G. Johnston, PhD, CPP, Section Manager of the Vulnerability Assessments Section in the National Security and Non-proliferation Department of the Argonne National Laboratory.

Here are some of Johnston's maxims that evoked the most vigorous agreement and enjoyment (the comments are in the original document):

• Thanks for Nothin' Maxim: A vulnerability assessment that finds no vulnerabilities or only a few is worthless and wrong.
• Ignorance is Bliss Maxim: The confidence that people have in security is inversely proportional to how much they know about it. Comment: Security looks easy if you've never taken the time to think carefully about it.
• Show Me Maxim: No serious security vulnerability, including blatantly obvious ones, will be dealt with until there is overwhelming evidence and widespread recognition that adversaries have already catastrophically exploited it. In other words, "significant psychological (or literal) damage is required before any significant security changes will be made".
• Insider Risk Maxim: Most organizations will ignore or seriously underestimate the threat from insiders. Comment: Maybe from a combination of denial that we've hired bad people, and a (justifiable) fear of how hard it is to deal with the insider threat?
• We Have Met the Enemy and He is Us Maxim: The insider threat from careless or complacent employees and contractors exceeds the threat from malicious insiders (though the latter is not negligible). Comment: This is partially, though not totally, due to the fact that careless or complacent insiders often unintentionally help nefarious outsiders.
• Feynman's Maxim: An organization will fear and despise loyal vulnerability assessors and others who point out vulnerabilities or suggest security changes more than malicious adversaries. Comment: An entertaining example of this common phenomenon can be found in "Surely You are Joking, Mr. Feynman!", published by W.W. Norton, 1997. During the Manhattan Project, when physicist Richard Feynman pointed out physical security vulnerabilities, he was banned from the facility, rather than having the vulnerability dealt with (which would have been easy).

In addition to the maxims, Johnston and his colleagues have published an extensive series of articles that are available for download or by request.

I was particularly impressed by the thoughtful, two-page summary entitled "Philosophy on Vulnerability Assessments" by Johnston, which includes the following list of "reasons why these [vulnerability assessment] tools fall short, including that they are too often:

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.
