Dr. Johnston’s Security Maxims: Sense and Humor

Opinion
Jun 1, 20093 mins

* He comes up with maxims such as thanks for nothin' and ignorance is bliss

Having graduate students is like having a thousand sets of eyes and ears: they are always noticing neat stuff and sending pointers that stimulate thought or – as often – cause delighted laughter. Jan Buitron, CISSP, MCSE, ITIL Foundations Certified, Network +, who last appeared in this newsletter in a series of columns in September 2008, sent me a reference to a hilarious and valuable compilation of security maxims by Dr. Roger G. Johnston, PhD, CPP, Section Manager of the Vulnerability Assessments Section in the National Security and Non-proliferation Department of the Argonne National Laboratory.

Here are some of Johnston’s maxims that evoked the most vigorous agreement and enjoyment (the comments are in the original document):

• Thanks for Nothin’ Maxim: A vulnerability assessment that finds no vulnerabilities or only a few is worthless and wrong.

• Ignorance is Bliss Maxim: The confidence that people have in security is inversely proportional to how much they know about it. Comment: Security looks easy if you’ve never taken the time to think carefully about it.

• Show Me Maxim: No serious security vulnerability, including blatantly obvious ones, will be dealt with until there is overwhelming evidence and widespread recognition that adversaries have already catastrophically exploited it. In other words, “significant psychological (or literal) damage is required before any significant security changes will be made”.

• Insider Risk Maxim: Most organizations will ignore or seriously underestimate the threat from insiders. Comment: Maybe from a combination of denial that we’ve hired bad people, and a (justifiable) fear of how hard it is to deal with the insider threat?

• We Have Met the Enemy and He is Us Maxim: The insider threat from careless or complacent employees and contractors exceeds the threat from malicious insiders (though the latter is not negligible.) Comment: This is partially, though not totally, due to the fact that careless or complacent insiders often unintentionally help nefarious outsiders.

• Feynman’s Maxim: An organization will fear and despise loyal vulnerability assessors and others who point out vulnerabilities or suggest security changes more than malicious adversaries. Comment: An entertaining example of this common phenomenon can be found in “Surely You are Joking, Mr. Feynman!”, published by W.W. Norton, 1997. During the Manhattan Project, when physicist Richard Feynman pointed out physical security vulnerabilities, he was banned from the facility, rather than having the vulnerability dealt with (which would have been easy).

In addition to the maxims, Johnston and his colleagues have published an extensive series of articles that are available for download or by request.

I was particularly impressed by the thoughtful, two-page summary entitled “Philosophy on Vulnerability Assessments” by Johnston, which includes the following list of “reasons why these [vulnerability assessment] tools fall short, including that they are too often:

• unimaginative

• full of sham rigor

• not context oriented

• inflexible and close-ended

• not sufficiently predictive

• ignorant of the insider threat

• used to justify the status quo

• not focused on the right issues

• dominated by groupthink and bureaucrats

• plagued by “shoot the messenger” syndrome

• not validated by hands-on or real-world testing

• not done from the perspective of the adversaries

• obsessed with past security incidents, not future ones

• overly focused on technology, hardware and physical assets

• overly binary in outlook (something is either secure or it is not)

• insistent on letting the good guys define the problem, not the bad guys

• conducted by personnel who don’t want to find problems — so they don’t.”

The typographic arrangement of these excellent criticisms reminds me of one of my favorite poets, e e cummings, who sometimes arranged his poems on the page to have a striking shape.

Kudos to Johnston and his team for entertaining and thought-provoking writing.