Careers & People
6/28/2017 11:30 AM
Lysa Myers
Commentary
Defining Security: The Difference Between Safety & Privacy

Words matter, especially if you are making a case for new security measures, state-of-the-art technology or personnel.

Have you ever had a moment where you were reading something and suddenly doubted your comprehension of a particular word? I had this experience recently, about the meaning of the word "security." As someone whose job title includes security, it was a particularly perplexing moment. At the same time, it cleared up a lot of confusion I’ve had about how security is viewed by its various constituencies.

For most of us, our first introduction to the concept of security is in the physical realm – perhaps an encounter with a security guard or a security checkpoint. The former is like a monitor whose job is to stop dangerous things that are already happening. The latter is more active – a search intended to exclude suspicious or dangerous people or things.


The more active type of security check is being used with increasing frequency to improve public safety, but this is leading a lot of people to feel more vulnerable. Computer security tips caution people not to leave their devices in places that are out of their sight or control, and not to give strangers access to their devices, because these actions increase risk. It could be argued that when something increases the risk of theft of devices or data, it should not be called security.

These checkpoints and their digital equivalents exist on a spectrum from "easily acceptable to everyone" to "most people find it intrusive" depending on a few different factors that aren’t necessarily intuitive or obvious.

There are a few questions that help clarify where a security measure lies on the acceptable-to-intrusive spectrum:

  • Is the area being secured a private residence or business?
  • If the secured area is public: are you inspecting everyone and everything and removing whatever or whomever could be considered suspicious? Or are you checking a list for specifically dangerous people or items?
  • Are the criteria fairly decided and equally applied? Are there effective methods to correct the list quickly if there are errors or omissions?
  • Are records kept of everyone or everything that entered or exited this area?

Let’s take a bank as an example: People generally consider a bank with strong security a very positive thing. It is a private business, but one that anyone should be able to access to a certain extent. You expect that security measures will be increasingly exclusive the closer to the vault you get. Security measures that happen at the front door should primarily be passive monitoring. Access to areas behind the teller’s desk should be fairly limited. And access to the bank vault itself should be both extremely exclusive and closely monitored.

The more you stick to a blacklist approach – quickly excluding only those items or people that are predetermined to be dangerous, and logging only the positive detections – the less privacy and control are compromised. While this approach risks letting previously unknown, dangerous things or people through, the alternative isn’t exactly foolproof either. And while logging can be used to help keep everyone honest, measures must be taken to keep that information from being used maliciously.

Any time people are asked to forfeit privacy or control, it increases vulnerability. And an increase in vulnerability is a decrease in our personal security. But achieving perfect security would require us to live in a fortified box that allowed no connection with other people. Because we Homo sapiens are social animals, this vulnerability is not always negative, but it is something we should enter into with our eyes wide open.

Time to Define Terms
I would argue that there are two distinct definitions of the word security in the digital sense. There is the definition that is closer in meaning to "safety," defined as protected from danger. And there is the definition that is closer to "privacy," meaning free from being observed. Both definitions imply mitigating risk, but in diametrically opposite and often incompatible ways.

One might think that a language with around 250,000 distinct words would have enough choices that we could have enough specificity to clarify our exact meaning, but advances in technology seem to be forcing us to use existing words in very different ways. This is nothing new, though the pace of this change is accelerating.

I wish I could wave a wand and put everyone on the same page with the way the word security is used. But I realize that this ship has already sailed, and the metaphorical boat is probably rapidly approaching Point Nemo. My more realistic wish is that – especially during contentious discussions – we consider the possibility that someone may be operating with a different definition.

If you have an uphill battle ahead of you to convince someone to adopt security measures, or to allocate budget for security purchases or personnel, it might be useful to clarify what sort of security you intend to provide.

Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all ...

Comments
Christian Bryant, 6/30/2017 | 12:51:40 PM
The Popularity of Privacy Over Security
I credit this confusion some folks have (not just outside the industry but inside, too) between the definitions of these two words to the very successful campaigns of groups like the Free Software Foundation and Electronic Frontier Foundation.  Encouraging encryption, the use of tools like PGP/GnuPG and leveraging the legal genius of folks like Eben Moglen (Software Freedom Law Center) successfully framed a dialog about "privacy" that slowly became part of the popular consciousness, eventually inseparable from our conversation about "security" because the tools to secure both often were the same, or overlapped.  I like these folks, so I'm not saying what they do isn't important but it still contributed to this confusion, IMHO.

Stories about folks like Aaron Swartz (R.I.P.), Ed Snowden and Julian Assange also then became more about the "privacy" discussion than "security" when, in many cases, it really should have started with a discussion about security.  I'm not taking a stance against privacy, or making a comment for or against these folks or organizations like Anonymous.  Rather, I'm pointing to the evolution of how we as consumers of word meaning and media stories got here.  I also see a lot of credit going to the tech legal eagles who have fought hard to blur lines to secure rights to "privacy" for the individual but also (not intentionally, I'm sure) threatening "security" in the process by 1) causing this confusion in meaning and 2) putting "privacy" as a proposed "right" before the rights of all consumers to have access to "security" in the products they use, the transactions they make, the information they obtain.

I think this is not just about defining each word clearly when defining your project or selling a solution, but it is also about making sure the frenzy behind "privacy" doesn't put your "security" project at risk, a situation I'm sure many an Enterprise Desktop, Mobile and Email security team has run into.
