Security Corner

Sep 28 2013   6:20PM GMT

Minimum effective security

Ken Harthun Ken Harthun Profile: Ken Harthun

smartkey_locksviewcdNo matter how much we would like to think it’s possible, perfect security is unattainable. Install a moat and 40-foot high walls around your village and the enemy will use trebuchets to throw fireballs at you. Build a stronger lock and someone will come along with stronger bolt cutters. Install the latest firewall and IDS and hackers will use social engineering to attack you from inside the perimeter. No matter what security measures you employ, someone will come up with a way to defeat them. There is no such thing as perfect security.

There is, however, such a thing as effective security for a given situation, what I call Minimum Effective Security (MES). I define MES as follows:

Minimum Effective Security is that set of surveillance, barriers and countermeasures adequate to protect against known threats that could reasonably be expected to be leveled against the protected assets.

If you think about it, the key word here is “adequate.” But adequate against what? You have to identify the threats that you could reasonably expect given the value of the assets. So, you first have to establish the impact a successful attack would have: Minor inconvenience, or major loss?

You probably wouldn’t be too concerned about putting up video surveillance cameras to monitor your backyard tool shed nor would a perimeter wall be necessary. Depending on the value of the contents, you might want to install an inexpensive audible alarm and/or motion sensor lights. More than likely, however you’ll simply have good hinges and a strong hasp with a sturdy lock. Adequate.

On the other hand, you would equip your home with a robust, monitored security and fire detection system and you would probably have at least a camera at the main entrance.

How about your home network? You certainly don’t need an expensive commercial grade firewall and IDS; a good consumer grade NAT router with built-in firewall features would probably be adequate. Of course, keeping your system and applications up to date with security patches would have to be part of that mix to qualify as adequate security. Of course, you’ll want a good backup strategy.

If your home network is also part of your business, you’ll need a bit more than the above to qualify as adequate security. You would probably want to encrypt critical data and you’ll certainly want multiple backups with at least one stored offsite.

You get the idea. You have to take a good look at the types of threats you can reasonably expect given your circumstances and then work out what would be adequate. Naturally, there is nothing wrong with going beyond adequate; it won’t hurt a bit to put stronger measures in place if that makes you feel more comfortable.

Just make sure you always achieve and maintain Minimum Effective Security.

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: