Insecurely Secure: A False Sense of Security
Security is an interesting subject that follows us from before our birth until the day we die. Our entire life is comprised of security, insecurity, and a false sense of security that often confuses the two.
- By Tyler Reguly
- Jul 01, 2019
As we celebrate the birth of our two nations — Canada Day in the north and Independence Day in the south — I can’t help but think about security or, more specifically, the lack thereof. Maybe it was the video game conference, EVE North, that I attended on the weekend and the discussions I had around security in a video game. It may have been the news reports surrounding Pride this past weekend, where attendees felt insecure in spite of being around those responsible for their safety and security. There’s a high likelihood that it’s tied to the two cities in Florida that have collectively spent $1.1 million paying to recover systems targeted by ransomware.
Security is an interesting subject that follows us from before our birth until the day we die. Our entire life is comprised of security, insecurity, and a false sense of security that often confuses the two. My sister is pregnant and the safety and security of my future niece is often a topic of discussion from my mother questioning if walkers are still safe, to determining if the car seat is expired (yes…car seats expire) and how to install it. I remember when I was younger, I had a favorite blanket that came everywhere with me. When, as an adult, I learned that my mom had thrown out the few ragged pieces that were left, I was still upset. That blanket had protected me from monsters in the closet and boogeymen under the bed. That was probably my first experience with a false sense of security, but it definitely wouldn’t be my last.
I can remember that the door had to be bolted and chained before bed, but windows were left wide open to combat the warm summer nights. I remember a job in high school, where I was responsible for adjusting the front of house lights in a theatre from catwalks, and the supervisor said, ‘There’s a safety harness, but it’s sized for me and won’t work for any of you.’ How many people have heard the story that rear windows in cars only go down part way to prevent children from jumping out? The reality is that there simply isn’t room in the door for the window to go down further. I bet you, however, that there are people who felt safer thinking the car designers were considering the safety of their children. It’s that false sense of security that guides so much of our lives.
On top of my day job of performing security research, I spend my evenings watching and reviewing films. Have you ever wondered why horror movies scare us? Sometimes it’s the jump scares, we’re just not expecting to be startled at that moment, but a lot of the time, with psychological and supernatural horror, it’s because we feel unsafe. Instead of a false sense of security, we have a false sense of insecurity. It’s why we cling tightly to the person next to us watching the movie, why we triple check the locks on our doors, and, in our 30s and 40s, still look under the bed after a scary movie. These actions don’t make us safer, but they counter that false sense of insecurity that we feel.
What does this have to do with the celebrations occurring in two neighboring countries? It’s important to remember those times in your life when you’ve been both secure and insecure…to remember when you had a false sense of security or insecurity. Whether you are secure or have a false sense of security, you feel better, you feel safer. Just as being insecure and unsafe make you feel just as bad as that false sense of insecurity. That’s why it’s important to consider the viewpoint of others to understand why they feel a certain way. What you see as security may in fact be a false sense of security and what you see as a false sense of insecurity may be actual insecurity. It’s going on all around us in every aspect of life, but let’s take a look at a few of the more relevant examples.
When a municipality is hacked and we see ransomware attacks, we see organizations that may have thought they were secure. Maybe they met all the checkmarks on a standard that said they were secure. Maybe they paid attention to one subset of risks without considering the bigger picture. Sometimes organizations focus on things they can’t fix, things they can’t change and overlook attack vectors that they can fix. They have a hard time recognizing security and a false sense of security.
At the video game conference this past weekend, I was asked how I vet the people I play with, how I ensure they won’t scam me in the game. People are shocked when I tell them that I don’t. They have complex checks that audit people’s mail, their conversations, their past history to determine if they can trust them. I’ve recognized that these checks only provide a false sense of security, so I see no value in performing them. This is a conclusion that translates nicely to the real world. A friend recently told me that his wife was almost taken advantage of by a car wrap scam. I had not heard of this, so I investigated and discovered that they post on job search sites with the ultimate ‘make easy money’ scheme. You sign up and they pay to have an advertising wrap put on your car. You get a check in the mail, deposit it, and pay for the car wrap. You pay for the car wrap by wiring the company performing the wrap (rather than paying them when you get the car wrapped). You later find out that the check is a fake when it bounces, but since you’ve already paid the company wrapping your car, you’re out money. The check has the name of a big business and you reached out to them, so it does a great job of creating a false sense of security.
We hear about it all the time. You hear about people selling their car privately. Someone comes by to look at it and asks to take it on a test drive. They just never come back and you slowly realize you handed your car keys to thieves. A lot of you are thinking, “Yeah, but that will never happen to me.” How true is that? How well can you recognize a false sense of security?
If you just celebrated Canada Day or are getting ready for Independence Day, ask yourself if you can recognize when you are really secure. As you’re watching fireworks or enjoying a BBQ, think about the things in your life where you feel safe or unsafe, secure or insecure. Have you evaluated what’s real and what isn’t? It’s not a thought process that many of us go through, but it’s a critical thinking exercise that gives us empathy and understanding. The first step in avoiding being scammed as an individual or hacked as a company is recognizing the parts of the process that give you a false sense of security. Once you identify them, you can do something about it. Then, maybe, you won’t find yourself paying hackers to save your system from ransomware.
Tyler Reguly is manager of security R&D at Tripwire, a leading global provider of security and compliance solutions for enterprises and industrial organizations.