QOTD - Hutton on the Fallacy of Security as Engineering

A security management approach focused solely on engineering fails primarily because of the “intelligent” or adaptable attacker. For example, if security were pure engineering, it would be like building a bridge or getting an airplane in the air. In these cases, the forces that are applied to the infrastructure do not adapt or change tactics to cause failure. At worst, in engineering against nature we only have a difficult time adapting to forces unforeseen due to a combination of factors.

But InfoSec has to deal with the behaviors of attackers. Their sentience includes creativity and adaptability. The wind does not act to deceive. Gravity and rust do not go “low and slow” to evade detection. Rain does not customize its raindrops to bypass umbrellas. But sentient attackers do change to evade defenses and reach their goal.
-- Alex Hutton, who "works in Risk Intelligence for a Fortune-something company." (src: http://newschoolsecurity.com/about/)

Src: What is Information Security: New School Primer « The New School of Information Security

No comments: