Since I’m writing about security on a website with the word “security” in the domain name, I should probably start off by defining my terms, eh?

Most definitions of the word contain something like this:

security / sɪˈkyʊər ɪ ti / freedom from danger or risk

This definition is, unfortunately, largely nonsense. There is no way you can be free from danger or risk, even if you’ve locked yourself in a padded Faraday cage. You can minimize risk or danger, but you can never be free from it. Let’s take a look at a few different kinds of security to see if we can’t nail down an acceptable meaning.

OPSEC

OPSEC (OPerations SECurity) is a term often used in the military to describe a process of denying the enemy operational intelligence. Think: “loose lips sink ships.” Don’t talk about an upcoming deployment in a coffee shop where unknown ears might be listening. When calling home from a war zone, don’t talk about specifics with family members; they may not be as tuned into security as you are and might blab to someone else who might blab to someone else who is almost definitely a North Korean terrorist mastermind. Be careful of taking photos while on operations; digital photos taken on smartphones can contain embedded EXIF (Exchangeable Image File Format) data which can store information such as the type of phone used to take the picture, the time and date the photo was taken, and even GPS data. Needless to say, if an attacker can learn who took a picture, what the picture is of, and when/where the photo was taken, they have quite a bit of intelligence upon which to base an investigation or attack.

Although it should go without saying, if you’re stationed at a covert military base in the middle of the desert, don’t use your FitBit, Apple Watch, or Strava to track your jogs around the Tippy-Top-Secret flight line.
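To make the photo-metadata point above concrete, here is an added example (not part of the original post): a standard-library Python routine that walks a JPEG's header segments, drops the EXIF block before the photo is shared, and reports whether that block carried a GPS pointer. The function names and the tiny test image are constructed for this example, and it assumes a conventional header layout in which every segment before the image data has a length field.

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"   # identifies an APP1 segment as EXIF
GPS_IFD_TAG = 0x8825            # IFD0 tag that points at the GPS directory

def has_gps_pointer(tiff: bytes) -> bool:
    """True if IFD0 of the EXIF (TIFF) blob carries a GPSInfo pointer."""
    if len(tiff) < 10 or tiff[:2] not in (b"II", b"MM"):
        return False
    e = "<" if tiff[:2] == b"II" else ">"          # byte order of the blob
    (ifd0,) = struct.unpack_from(e + "I", tiff, 4)
    if ifd0 + 2 > len(tiff):
        return False
    (count,) = struct.unpack_from(e + "H", tiff, ifd0)
    entries = range(ifd0 + 2, min(ifd0 + 2 + 12 * count, len(tiff) - 11), 12)
    return any(struct.unpack_from(e + "H", tiff, off)[0] == GPS_IFD_TAG
               for off in entries)

def strip_exif(jpeg: bytes):
    """Return (cleaned_jpeg, exif_segments_removed, gps_pointer_seen)."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    out, pos, removed, gps = bytearray(jpeg[:2]), 2, 0, False
    while pos + 4 <= len(jpeg) and jpeg[pos + 1] != 0xDA:  # stop at image data
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)
        end = pos + 2 + length
        if jpeg[pos] != 0xFF or length < 2 or end > len(jpeg):
            raise ValueError("corrupt segment at offset %d" % pos)
        payload = jpeg[pos + 4:end]
        if jpeg[pos + 1] == 0xE1 and payload.startswith(EXIF_HEADER):
            removed += 1
            gps = gps or has_gps_pointer(payload[len(EXIF_HEADER):])
        else:
            out += jpeg[pos:end]   # keep every non-EXIF segment untouched
        pos = end
    return bytes(out + jpeg[pos:]), removed, gps

def sample_jpeg() -> bytes:
    """Constructed test image: JFIF header plus one EXIF segment with a GPS tag."""
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8) + struct.pack(">H", 1)
    tiff += struct.pack(">HHII", GPS_IFD_TAG, 4, 1, 26) + struct.pack(">I", 0)
    exif = EXIF_HEADER + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
    app0 = b"\xff\xe0" + struct.pack(">H", 7) + b"JFIF\x00"
    scan = b"\xff\xda" + struct.pack(">H", 2) + b"\x00\x01\x02" + b"\xff\xd9"
    return b"\xff\xd8" + app0 + app1 + scan
```

EXIF is not the only metadata container: XMP and IPTC blocks can also hold location and device details, and this example leaves them in place.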

PERSEC

PERSEC (PERsonal SECurity) follows roughly the same idea as OPSEC, but with the emphasis more on the security of you and your loved ones rather than strictly operational secrecy. Have you ever gone to the mall and seen a sticker on the back of someone’s minivan with all their children’s names, what size (and how many) dog(s) they have, and what soccer/gymnastics team their kids are on? Oh, and don’t forget that their child is an honor student at _________ school. Given enough information like this, it certainly wouldn’t be hard to track down when and where their sports team is holding a match or what sort of canines might be expected, should one wish to break into their home while they’re away at those games. The amount of actionable intelligence I can glean from some people’s vehicles would curl your toes. And it should. Good thing I’m a Good Guy™.

Cybersecurity

While I intend to talk about all different aspects of security as a whole here, professionally, I am primarily concerned with cyber/information security. Merriam-Webster defines cybersecurity thusly: measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack. Cisco says cybersecurity is the practice of protecting systems, networks, and programs from digital attacks. All in all, not bad.

One aspect of cybersecurity that should concern everyone is the theft of PII [Personally Identifiable Information]. Examples of PII include, but are not limited to: name, email address, physical address, birthday, place of birth, sexual orientation, IP address, phone number, geocoordinates, license plate, medical records, biometric information, credit/debit card numbers, pictures, operating system, social media usernames/handles, relationships, occupation, and hobbies. PII can be stolen by dumpster diving (literally going through your trash), intercepting unsecured internet activities, phishing, social media, or social engineering. One bit of information by itself may not provide much leverage, but several woven together can allow malicious actors to steal your identity, open fraudulent financial accounts in your name, or ruin your reputation.

Conclusion

Here’s my thought: Security is (basically) an illusion.

The feeling of being safe is just that… a feeling. It’s an emotional response to the (likely incorrect) presumption that one is free from danger or risk (which always exists). Instead of thinking of security as the absence of danger or risk, maybe it makes more sense to think of it in terms of mitigating (i.e., lessening) danger or risk. I divide risk into roughly two categories at a high level:

  • Possible: Something that is not impossible
  • Probable: Something that is not only possible, but somewhat likely (how “likely” is defined is another conversation)

In the martial arts world, we sometimes talk about personal security. Possible/Probable work quite well here, too. Yes, it’s possible that I might be attacked by a horde of sword-wielding ninjæ on my way to the food court. But it’s not probable (outside of a Sho Kosugi movie). What’s the ROI on me spending hours upon hours training to dispatch such an ill-tempered ninja horde (likely in front of the Panda Express)? In my estimation, it’s pretty much zero. Knowing the difference between probable and possible can save you a lot of time and heartache when it comes to securing yourself, your systems, and your data.
