
Is IT security just theatre?

By Leon Engelbrecht, ITWeb senior writer
Johannesburg, 23 May 2007

Too much of what is punted as IT security is just theatre, says security pundit Bruce Schneier.

Speaking on the sidelines of ITWeb's annual security summit this week, he said many security products did little more than make people think their systems were safe. In addition, people tend to overestimate small risks and underestimate big ones, such as cybercrime.

Furthermore, consumers tend to think of IT security as something special, rather than as a continuum. "All security is the same. Computers are just one more highly-technological, highly-specialised security issue."

In this regard, it is no different from home security, fitting an alarm to a car, or deciding whether it is safe to fly or visit a particular country.

"Security theatre is the name I've given to security that doesn't do anything. My favourite example is the Tylenol poisoning scare, some years ago, when someone took a bottle off the shelf, put poison in it and put the bottle back on the shelf," Schneier says.

"People were terrified, so the company that made it came up with something that basically saved their industry - the tamper-proof cap. It is a 100% security theatre. It does absolutely nothing. One can think of dozens of ways to bypass a tamperproof cap; I give you one - a syringe."

Configuration troubles

"What is out there in the information security market is a major problem with configurations. Firewalls are great. But the average firewall out there is not configured well. It is pretty much useless. So the theatre is much less the product and more the belief that 'oh, this is simple, just plug it in and it will work'. So you get the product, you plug it in; you think you're safe, but you're not."

There are lots of good firewalls, he says, adding that at one stage there were about 1 000 on the market.

"But the ones that survived, the ones that thrived were not the best ones but the easy ones... because what happens in a market when you can't judge a product on the merits, because you don't have the knowledge, is you fall back on the easy criteria - how easy is it to install, for example," Schneier says. "It doesn't say how good it is, but those are the criteria people use."

People overdo and underdo security, Schneier avers. "I used to pooh-pooh this. I used to say there is security reality and security theatre. Reality security makes you safe; security theatre makes you think you are safe. Security theatre is stupid, I used to say. I was naïve, I was wrong."
