5 examples of security theater and how to spot them

Security theater. Cargo cult security. Pick your favorite metaphor. They both mean the same thing–hand-wavey “OH MY GOD WE’VE GOT TO DO SOMETHING” even if the something in question does nothing to improve security, costs insane amounts of money, and wastes everyone’s time and energy.

Bruce Schneier, the well-known security expert, coined the term “security theater“.  His inspiration? The US Transportation Security Administration (TSA). Wasting billions of dollars a year on pointless and invasive airport screening post-9/11 satisfied our emotional need to do something but did not, and does not, make us any safer.

Likewise, cargo cult security is more common in cybersecurity than you might think. The Polynesian cargo cults were newly discovered South Pacific tribes who were so awed by airplanes, and the Western food that arrived in said aircraft, that they built life-sized model airplanes out of sticks, thinking doing so would bring more food. Are you so much smarter? Maybe not. Today technology is so advanced that we are all cargo cultists in one way or another. Going through the motions without understanding the “why” creeps quickly into cargo cult territory.

Finding and eliminating security theater and cargo cult security in your organization can be the difference between preventing a business-destroying data breach and staying afloat until the pandemic is over. Here are some dramatis personae to look for in your security budget.

Bad security awareness training

Done well, security awareness training can help make your organization more secure. Done badly, it’s a waste of everyone’s time that can make employees dismissive of security concerns.

New employee? Better get a coffee so you don’t fall asleep during that mandatory hour-long security awareness video that has the same potency as an elephant tranquilizer. But hey, we gotta tick the “security awareness” box, right? We’ve done our due diligence. We’ve complied with the requirement to scold our new employees into being more security aware.

Security and compliance are not the same thing. Perfectly compliant businesses are breached all the time. Yes, security awareness for non-technical employees matters. It matters a lot. But if you don’t invest the resources into security awareness training that gets and keeps people’s attention, your ROI is going to be zero, and possibly a negative number. As in a complete waste.

Complex passwords no one can remember

Let’s end the password Kabuki theater, shall we?

Forcing employees to use a complex password with special characters in it means everyone is just going to add an exclamation point at the end of their existing password. This is why your accounts payable clerk has a yellow sticky note on their cubicle wall with their password on it. They just want to get their job done, and you’re making it harder for them with no discernible improvement to security.

Passwords need to be easy for people to remember and hard for computers to guess, not the other way around. Even NIST agrees:

“Highly complex memorized secrets introduce a new potential vulnerability: They are less likely to be memorable, and it is more likely that they will be written down or stored electronically in an unsafe manner. While these practices are not necessarily vulnerable, statistically some methods of recording such secrets will be. This is an additional motivation not to require excessively long or complex memorized secrets.”

NIST also encourages a move to passphrases up to 64 characters long. Passphrases, such as those generated by diceware, are easier to memorize and can offer as much or more entropy as as shorter, but harder to memorize, password like “*%&*^%&yuiyiu*&%&*”. NIST also calls for an end to mandatory 90-day password rotation unless there’s evidence the password has been compromised.

Poorly thought-out password requirements are a classic case of cargo cult security without a proper understanding of the “why”. There is a time and place for intuition in the presence of the unknown, but good password practices have long since left the realm of art for hard science. We know what to do, and NIST wrote it down for us. Do that.

Third-party questionnaires

“Hey there vendor mine, are you committing gross negligence that could lead to a data breach? What’s that you say? No? Great news! Thanks for answering my security questionnaire!”

Security questionnaires bounce back and forth between organizations and vendors, and increasingly cybersecurity insurance companies, like a ping pong ball at the Olympics. They may be great for establishing legal liability if you want to sue someone down the line but won’t do much to prevent a breach.

Would you rather be secure or be able to pass the buck and sue someone down the line because they lied on a security questionnaire?

Security questionnaires are more of an exercise in “how little lying can we get away with” than an actual effort to secure anything. Maybe your legal department forces you to do them, or maybe it just makes you feel all warm and fuzzy inside, but it ain’t going to do much to make your organization more secure. Actual security requires laser focus elsewhere on known, quantified measures proven to work.

Checkbox compliance

You bought a security thing because the compliance people said you had to. Tickbox bingo! Hurray! No need to configure it properly or spend time maintaining it. You didn’t buy it to become more secure and didn’t even bother to understand how it works. That’s like buying a pair of fur mittens to take to the South Pole and then never wearing them. Why did your hands fall off from frostbite? We may never know.

Compliance is not security. This could be a mantra while meditating at home during self-isolation. Breathe in, exhale. “Compliance is not securityyyyyyyy….Compliance is not securityyyyyyyy….Compliance is not securityyyyyyyy….”

Ensuring minimum due diligence required by regulatory compliance may save your organization from legal peril, but if that’s all you do, then your company remains at severe risk of breach peril.

Over-reliance on antivirus

You’ve got antivirus installed on all your office workstations. You can rest easy now. Everything is secure. Job done. Time to head down to the pub for a pint, amirite. Right?

There may have a been a day, lost in the misty haze of the paleolithic internet, when antivirus did something useful. Those days are gone. The continued reliance on antivirus in the enterprise is questionable at best, and if trusted too much actively harmful.

Savvy attackers targeting your organization can get around your antivirus product. Should you stop using antivirus? Probably not, but if you think a flyswatter can take down a F-16, then you have bigger problems.

Antivirus had its day. Its dwindling utility should put your focus on other, more active attempts at defense.

The antidote to security theater

We human beings pride ourselves on our ability to reason, but the truth is we use our brains nine times out of ten to justify what our gut wants, not what is rational to do. In security this is fatal. Seeing what you want to see, and failing to understand the why and the how, is the modern equivalent of building a life-sized replica of a 1930s airplane out of palm fronds in the hope it will suddenly produce more Spam. (The yummy salty meat concoction, that is, not ads for Viagra.)

You cannot break security if you do not understand a system better than the people who made the system, and you cannot defend your organization if you do not understand how those systems work to the same degree.

Anything less is superstition, security theater, a cargo cult.