What is too much "security"?

Közzétéve
2024-08-12 10:00
Written by
AlanDixon - member of the CiviCRM community - view blog guidelines

and is that really a thing? 

I’ve noticed an increase in questions about security over the past year. While I would say that you can’t be too secure, I’m not as convinced that you can’t have too much “security”. The difference is that “being secure” is not the same as doing things in the name of “more security”.

Corporate Security Bullshit

One of the challenges in making good choices about your website security is the noise from what I like to call “corporate security bullshit”. Here’s a post from a few years ago to be clear about what I’m talking about: https://homeofficekernel.blogspot.com/2021/11/a-strange-passion-for-security.html

Considering that large corporations that sell internet related services have a prime interest in security, and that they have a lot of resources, you might reasonably assume that they are a good model for how to implement security measures. But you’d be wrong, and I’d argue for two reasons.

The first one is that the modern large corporation is a kind of social virus that by design makes choices to maximize making money for shareholders, not for the benefit of consumers or society in general, so security of their services isn’t their prime goal.

The second part of the argument is that internet security is complicated and can be expensive and there is little incentive for them to be honest about it, so getting anything usefully true from their communications is not in their interest.

Two sources about what’s going on in corporate security that I like are:

If you are paying attention, you’d notice that there are large security breaches each year, and that often they can be attributed to terrible security management decisions on the part of large corporations.

Two perspectives on security

Okay, so we can’t trust what most corporations say about their security, and probably don’t want to imitate many of the things they actually do. That doesn't mean all is lost, and there are a lot of smart people who do share useful things about internet security, and many of them might even work for large corporations.

When approaching the specific question “is my website secure” or “how can I make it more secure”, I like to categorize responses into two perspectives:

  1. Things you can do to make it more secure, or “best practices”.
  2. Enumerating and measuring risks, and prioritizing/thinking about how to minimize them.

They’re both useful perspectives, but the origin of my post’s title comes from decision-making that only includes the first one.

Or, to put it another way: if you’re connected to the Internet, you’re never secure. It’s dangerous to make a decision about security that doesn’t admit that and have a process to identify and understand all your risks.

What are the risks of too much “security” and how will I know?

That’s all fairly abstract, so let’s get specific. How can you have too much security? The answer is of course “it depends”, and any generic advice anyone can give you is going to be of limited value without considering the specifics. But since I’m posting this as a CiviCRM blog post, let’s assume you have a civicrm website and someone is telling you that you need X, Y or Z, where X, Y or Z is a ‘security measure’.

If, for example, you are required to comply with PCI standards (as required if you accept credit card payments on your website), then you have a collection of “security” requirements that you have to claim to be following. One of those requirements is that you need a password of a long enough length and sufficient complexity, and that you need to change it every 3 months. There are reasonable grounds for a requirement like that, because computers are getting more powerful and automated password “cracking” of simpler passwords gets more in reach. But for a small CivICRM site, particularly one with off-site payment processing, the PCI requirement is not only overkill at this point in time, it generates its own cost in both effort/time and the risk that the people who have to live with that requirement are going to make their life less onerous and end up making the site less secure (yellow post-it note with this month’s password anyone?).

If you decided that you really did need to comply with this measure, and wanted to be responsible, you might have used a service called LastPass that was sold to remedy the complexity problem. And then you’d now be in a new problem after they were hacked. More reading: https://krebsonsecurity.com/2023/09/experts-fear-crooks-are-cracking-keys-stolen-in-lastpass-breach/

So the challenge with security isn’t as simple as a shopping list of measures that you weigh according to their cost, you also have to understand why that measure exists, the degree to which the risks it is attempting to mitigate are relevant for your site, and the potential hidden costs of implementation.

What’s the take away?

This post isn’t intended as a rant, it’s intended to help you make good choices about security, so let me summarise my advice:

  1. It is not true that all security measures improve security (even in the hypothetical world where cost is not a factor).
  2. Understand that anyone telling you about the importance of a specific measure may have an incomplete understanding of your context, and also may have a vested interest in your use of the measure which doesn’t necessarily align with your interests.
  3. Your website is always at risk. Your biggest risk is usually the one you haven’t yet identified or understood.
  4. If you are justifying ignoring security advice with “I’m not a target” or “I can’t afford it”, your specific decision might be right, but it’s the wrong reasons.

And finally, in the spirit of open source, please comment if you have questions, stories and/or additional advice to share.

Filed under

Comments

My argument against "corporate security bullshit" is admittedly a simplified argument. Here's a much better description of this problem as evidenced in the recent "Crowdstrike" disaster that will cost billions of dollars: https://www.lawfaremedia.org/article/the-crowdstrike-outage-and-market-…

Here's a good quote: "Right now, the market incentives in tech are to focus on how things succeed: A company like CrowdStrike provides a key service that checks off required functionality on a compliance checklist, which makes it all about the features that they will deliver when everything is working. That’s exactly backward. We want our technological infrastructure to mimic nature in the way things fail. That will give us deep complexity rather than just surface complexity, and resilience rather than brittleness."

Here's another blog post with the same message: https://www.linkedin.com/pulse/every-cybersecurity-list-should-risk-ran…

His boiled down advice in one example of 21 recommendations was that you should implement multifactor authentication and patching before any of the other ones. And that security training for your employees, which wasn't on the list, is more important than any of them.

His solution? Do not use or rely on un-risk-ranked lists.