Too much security, is no security.

When too much security, is no security.

Can your home or bank account, e-mail or servers be too secure? Is it possible to “oversecure” that, which is most precious to you? Can you regret having your stuff being too secure? You probably already feel that indeed you can, let’s see what’s going on here. The thing is, you need smart and highly intelligent security systems in order for them to grant you the maximum possible safety. Unfortunately, we often create obvious and “brute” security solutions, that do more harm than good.

Your safe isn’t safe

The story goes like that. Let’s go back to the medieval times. Imagine there is a very talented thief, the Master Thief if you like. To spice things up, since he’s a master thief, he’s success rate on the next heist is say 90%. Which means he’ll probably get what has going for. He’s carefully planning the next heist. Now, one needs to decide — what’s worth stealing, from whom, and what the risk is. So it’s no surprise that he wants to narrow down options to a few most promising ones.

Now the thief takes a walk around the village to look for potential targets. He passes small houses, barns and stables, the inn. After a while, he sums up his potential targets. These being, a luxurious residence, a wealthy manor’s house and a small castle just near the village. These seem obvious right? Now, what these three targets have in common? Yes, you can say that they are most definitely well-guarded, every another should be harder to breach but at the same time, probably more lucrative to “do”.

All these aspects are true but you are missing one important, and more general point. The thing is, all of these three picks stand out from the landscape. The landscape being, individual small houses, barns, stables and so forth. Look at it this way, take a castle for an example:

Even from afar one can’t help but notice the great walls of the building, strong metal gates and fully armed guards. “Surely they are serious about the security” you think. And indeed, since they behave like so — you reason, there must be something valuable inside the castle. In other words, just because there is the castle, it gets quickly noticed by the thieves. And for a master thief with 90% success rate on the next heist, the game is worth the candle.

You don’t want to get tagged.

Here’s the thing — building and maintaining highly visible security measures gets you “tagged” right away. And standing out is a bad thing if you want to maintain the illusion that you have nothing valuable. It’s like constantly being in the spotlight. You put yourself in the position of a peacock in the Zoo or the Little Red Hood in the gloomy woods. No wonder everyone wants a piece of you.

This stupid castle is just asking for it, common!

Of course you can say, and you’ll be right, that setting up security measures, can be used as a deterrent for a lot of “no so talented thieves”. It’s true, but remember what we said earlier, as a master thief, this fella knows his craft really well and no one should feel safe.

So what can you do to protect from this robbery? Well, there are few ways to do it. For instance, you can send him elsewhere. In a way of — not making him select your castle as a target in the first place. But how to do it?

The real security is a well-played deception.

This notion of being “tagged” by excessive measures of security, is as you can probably already imagine, tied not only to the Middle Ages. For example, the modern security systems in various kinds, spread all over the Internet. Say you want your system to be well protected against hacker attacks, what do you do? There are some examples, inspired mainly by observing nature’s anti-predator adaptation systems.

Crypsis

Crypsis is the ability of an organism to avoid observation or detection by other organisms. It’s easier for a predator to spot what’s on the foreground rather than on the background. A chameleon for instance has mastered the ability to blend into the background. He’s invisible for both, his pray and potential predators.

So make your system to look like the landscape from the outside, be the background, be undistinguishable. Just like in the Hollywood agent movies, build a system that looks like a normal home on the surcafe, but conceal the 2–3 store basement underground in which you keep all the goodies.

Now you seem me, now you don’t!

Throwing a bait

If it’s impossible to blend in to your surroundings, try a different strategy. Some species of lizard and squid (Octopoteuthis deletron) are ready to give up a part of oneself to save itself.

Create systems with false values, false databanks and dummy vaults. Once the system is breached, you give the attackers a false conviction that they got what they came for which may lower their awareness. But in reality, you just throw them a bone to make them occupied and use that time to react. Then you have time to react, run and hide or stand your ground and retaliate.

Octopoteuthis deletron, isn’t it a gorgeus little creature?

The behavioral

strategies

Beside the deception games, animals also use all the clever ways of manifesting strength to deter a predator. Or they often form a group to increase the overall security of an individual.

I’m so fit like

get a life bro.

The moment Gazelles feel danger, they almost automaticaly start to jump as high as they can, like crazy. This behavious is called stotting.

Stotting is about sending a message, it’s about shouting: “Hey, look at me, I’m so agile and quick, you won’t ever catch me looser”. The best part is, that it works. It deters predators, like lions or gepards from even bothering to chase the best stotters in a gazelle herd.

Think about the possible applications of this strategy to your network security. Get in the mind of your enemies, think about what combination of power / wit / foresight could deter them from even bothering to try to launch an attack on your system.

I’m just a show off, but it works.

Group living

Individuals within a species often form groups. Take for instance these meerkats. Well, they don’t just live together because it’s fun — but on the other hand it probably is! Thanks to complicated evolution processes, they instinctively know, that living in a group increases the overall security of an individual.

Having a common structure decreases the risk of attack for individuals living within the group and it increases the vigilance. The evolutionary advantage of this decreased risk is that the fitness of the individual increases. That’s why, smart companies introduce systems and procedures that standarize the security among all branches.

Suricata suricatta don’t look really clever…or do they?

As you see, thinking about security issues in a modern world can be influenced by what nature has been (succesfully) doing long before we, sentient humans came to existence.

Follow me on Twitter: @jjskora

I don’t claim any rights to the used pictures. All of the rights belong to respective owners.