First of all, what is BYOI? BYOI is a series I've decided to create to "talk" about #identitymanagement, so it is about #security, #governance, #management and many other aspects of the #IAM realm.
A few days ago I was sitting on a bench in one of those mega-hyper shopping centers where you can buy everything you want, and obviously one of the things they offer is free wi-fi. Of course it is not an #open one: you first need to register, in this case with your cell phone number, to obtain the first 2 hr. free. Observing the "appealing" wi-fi advert, many questions came to my mind:
- Do you trust this "free" and "public" service, provided by a "someone" (the provider) you don't actually know, without doubts?
- Do you share personal info (cell phone number, etc.) so easily based on the simple fact that this provider is suggested by "someone" else you trust (you buy stuff in this place, remember?)?
- Is the level of security you apply to your data/information based on the perception you have, or on a habit you apply "no matter what or who" you are dealing with?
The last question made me think more and more: is security something tangible, or is it more something related to the subjective perception we have regarding many aspects, like the level of sensitiveness of the data we own, how we relate to the "outside" world in terms of protection, and so on?
Based on a generalist definition (i.e. Wikipedia) of security:
Security is the degree of protection against danger, damage, loss, and crime. Security as a form of protection are structures and processes that provide or improve security as a condition.
So based on this definition one would say that security is a sum of tangible structures and operations, well defined and clear enough to guarantee that everyone has, at least, the right level of information when, for example, requesting 2 hr. of free Wi-fi service from a public provider.
But is it so simple? I've already blogged about "the level of trust" we have (here), so I won't come back to it now. As I said, I was asking myself whether, when we "talk" about security, it is a perception or a habit. Well, let me take a step back and start my analysis:
On the 24th of April 2012 I tweeted this:
24 April 1824 B.C Troy was attacked by Greeks and their Trojan Horse, it was the first real example of a "virus" attack /cc
So apparently it is a "useless" piece of information, something you retweet just because it's a funny thing; let alone, please, whether the information is real, confirmed, based on reality or not, for now...
In the original tweet I had even added a link to explain my source (here), and there wasn't intentionally any kind of "sociological experiment" with that... @mikko was there just 'cause I thought it could be one of the things he likes to tweet.
What happened? Well, hundreds of retweets immediately after his retweet, some negative reactions, some interesting "I explain to you why you are wrong" tweets. All normal, but... what is a tweet? It is information NOT confirmed by anybody other than the source who tweets it: you trust the source, you share the information.
Do you remember another kind of attack similar to that? Let's say... I bring you a "gift", and the person who brings it to you is a trusted source (aka the Trojan Horse).
So the tweet is composed of two "aspects":
1) the gift: "24 April 1824 B.C Troy was attacked by Greeks and their Trojan Horse, it was the first real example of a "virus" attack". This is not the Trojan Horse, since it is just the honeypot used to make you accept the real Trojan Horse.
2) the "trojan horse": @mikko (sorry, but yes, you were my "sociological trojan horse"). This is the real Trojan Horse: nobody could be sure that his retweet was really made by him.
Let's call things in a different way:
tG: is "the gift", it's what the attacker will use to infect you.
tH: is the Trojan Horse, it is the "gift" you present in order to be accepted; in my case a "source of trust", @mikko.
ToA: is the Time of Attack, which will occur when the value of tG + tH is greater than a defined level (call it loT, "level of Trust").
So what defines the loT? It is just the assumption of risk you take based on the value you give to the "source"; it is just a subjective evaluation everybody makes.
Again we are back to the first question:
is security a habit or a perception?
Everybody who reposted my original tweet did it based on the information in the tweet itself; they were not subject to the gift or the Trojan Horse, but simply evaluated the information. Security is then a habit (hA).
hA: I behave not because I trust you, but on the basis that I evaluate your potential impact toward my "systems".
loT = (tG + tH) / hA, where the loT should always tend to zero.
Those that retweeted @mikko were of different types, but mostly they did it because he did it... it is a perception of the risk (pR) where:
pR: is the value from X to 1 you define based on how much you trust the source, where zero is the maximum level of trust.
so your loT is:
The attack occurs when the value of ToA is greater than or equal to loT.
So in this case security is a simple perception of the risk and does not consider the security defenses; for example, I disable the firewall since I am inside my Org ecosystem.
Now... I was still sitting on the same bench... looking at the teen in front of me, busy typing the cell phone number on the provider registration webpage, and I thought that we are in 2012 and there are still Greeks and Trojans, and Trojan horses.
It is appealing, it is #open, it is #public, and it should be a habit to remember that the electronic device you are using is still full of sensitive data, and that you are asked to act as the security guy, not simply to trust in his/her capability to protect you.
In the end, are you a Trojan or a Greek?