Security - part 1 of X

by Jesse 5. December 2008 12:07

In this world we live in today, there are many issues that hit in the security realm but I'm astonished at how the same issues keep coming up so I feel it's necessary to go over them as best I can.  Some things may shock you, freak you out, piss you off and generally make you think I'm full of it.  That's ok, I welcome it!

When I first started writing this, I realized there's a lot to cover, so I am going to make this a multi-part posting.  It won't be geek-cool in a lot of places, nor will it be super exciting, but it will be informative and thought provoking.  I will attempt, as best I can, to cover points, counterpoints, countermeasures and realistic expectations.  Some of them will be overlapping, cross referencing, contradicting and downright confusing but stick with it, at the end it should make sense ...sort of.  So let's dive right into it.

Security is really risk management, not necessarily protection or what we typically think of as being safe.  It seems backwards, but it's true.  For this to make any bit of sense, I'm going to use a house as an example, your house.  Look around your house and think about what keeps people out, where they keep people out and how it keeps those people out.  How does it let people in?

Quick observations would show a front door that has a lock, maybe even a deadbolt, windows with locks, some lights for the front, perhaps motion activated and maybe a garage door with internal access.  Those are the obvious, but what about the less obvious?  How about dogs (detectors), a safe (heavy protection), internal door locks (light protection)?  What is even less obvious ...what about you (security policy) and anyone that lives in the house?  There's a lot of things going on and I haven't even got to the point where someone wants in!  Now, say someone comes up to the front door, knocks (makes a request) -- does that person get in immediately?  The first reaction is "no! of course not!" -- What about big gatherings during the summer, say a graduation or retirement?  Enter the almighty "It depends".

"It depends" will get used often, but for good reason - it refers to the policy and the decisions based on that policy.  We all have them in some capacity but we don't think about it much, it just happens.  For example: grandma comes over.  Grandma knocks or you see her coming, you open the door, let her in and she is now inside.  Is grandma now part of the internal policy? YES!  How?  Grandma can let people in, open/unlock doors, windows, and overall apply her own policy.  Now, I don't mean to pick on grandma, but if someone comes to the front door with a big smile and says they know you or your family, do you think grandma will be the first to say "no!" ...maybe not, and that could be a problem depending on who it is.  Instead, if grandma goes to answer the door, without thinking you police her policy -- "Who is it grandma?" and await a reply (request) of who it is.  If that person is unknown or something isn't quite right, you go and check it out (authenticate).  This also varies with the type of neighborhood, where you grew up, where grandma grew up and so on.  If you live in a downtown area, more likely than not you'll look out your peephole before you open the door whereas if you live out in the country, you might just yell "come in!".

I'm going to take this to the extreme.  Let's say the house is "high" security.  Cameras, bullet proof glass, steel reinforced doors, heavily armed guards (with guard dogs!), iron gates, laser turrets with a large open, unobstructed lawn surrounding the house (seriously, you didn't think that was just for looks did you?) -- and grandma comes over.  In and of itself, grandma's way of getting in is the same -- a request is made and once inside she can apply her own policy, which, albeit less dramatic, can still cause problems.

Same goes for every type of security.  Security in this context does not necessarily mean protection; it means management of realistic risk.  Take the first example -- most people feel perfectly comfortable and "safe" inside their home, as they should, but does that -really- stop someone from entering?  NO!  The second example with the extreme (insane) security doesn't either.  It's the amount of effort required for someone unauthorized to enter and wreak havoc (come for a visit).

"How do you figure?  You mean to tell me that my family isn't as important as someone in a stupid crazy high security compound?" NO! and this is where it gets really interesting, at least I think so anyway.  I'm going to use another set of examples.  First up, a business of 50 employees.  They are in the (yep, I'm goin there) widget business.  They're not big enough to have a full IT staff, and more importantly, it isn't their business, but they do just fine.  Another business, Flashing 12 Inc, has 50,000 employees across 24 countries and has a full, robust IT staff but like Widget Express, they're not in the business of IT.  Each has a laptop stolen with "personal information" -- by law, this must be reported and both companies report it stolen.  Which company is affected more?  Widget Express.  As a matter of fact, because of the stolen laptop, the company goes bankrupt from all the bad press, lost business and cost to cover the breach - the other company can cover it.

So what am I getting at?  Widget Express can't handle a major disruption, much like many families cannot handle someone coming in and stealing a bunch of their stuff.  Am I saying that every family should have a laser turret out front? As cool as that would be, it's not practical; the cost does not justify the potential loss.  What can (should) be done is handle the areas that make sense.  Example: a lock on the front door, first floor windows are locked, lights are on and so on.  Easy, cost effective things that will clearly make it more difficult or, even better, make enough noise to take notice.  Most importantly they must be maintained -- having the 2nd house but leaving the tunnel outside of the compound open makes all those fancy, flashy things WORTHLESS.

In the next post, I hope to break this down into smaller pieces and look at the aspects of security - risk management, potential loss, and a bunch of other stuff regarding the more physical aspect of security.

Tags:

Design | Engineering | Security

About the author

Like the description says, at my core, I'm a scientist and engineer.  I came from humble beginnings on a 486DX2 Packard Hell playing doom2 on IPX to in a small time retail shop and got into hardware (ISO layers FTW!) and it was all downhill from there.  I'm infinitely curious about almost everything and always wanting to know.

According to personality tests (real ones) I classify under "Rational" more specifically, a Fieldmarshal.  I think there's something to that.

Some of the stuff I'm currently into/researching...

Sitefinity

Ninject

Subsonic 

Disclaimer

The opinions expressed herein are my own personal opinions and do not represent my employer's, their brother, their dog, cat, ferret nor gold fish's view in anyway.  At all.  Ever.

© Copyright 2007-2009
