Security is everywhere

A Google search for "security" returns over two billion results... it is mentioned everywhere and it has become a necessity in our lives, but do you even realise it, know where and when it is necessary, know where it starts and ends, and know what the hell it really is?

Security is not only about protecting information or stopping the "bad guys" from getting in; it is also, and probably more so, about protecting you (and everything you have worked for). A rule to follow: do not confuse compliance, privacy, surveillance, and security.

You?

Understand that without you, as a collective, no great achievement on this planet would have occurred. You have done something for someone, provided a service, directly or indirectly, and this has resulted in a positive or negative outcome for you and someone else. Consider society, where you work, the country you live in, family, friends, colleagues, acquaintances, and anyone else you interact with. Your government needs you, or there will be no government. Your business needs you, or there will be no business. Your family, schools, universities, transport systems, builders, supermarkets, and engineers, they all need you. And you, you are a consumer, a provider, a contributor. Without you, we are nothing. So it stands to reason, you are the greatest asset, and therefore you require protection, and protection is often considered the same as security.

Realisation

What is valuable to you, your organisation, and your country? For you, it may be your assets. For your organisation, it may be its intellectual property. And your country? It should be its people! (But it's probably economic status amongst world powers.)

Security, simply, comes in many forms, and it absolutely depends on who or what is implementing the security. Security for you probably means installing deadbolts and secure window screens on all externally facing potential entry points and obtaining home and contents insurance, hopefully preventing theft and damage to your goods, but transferring the risk to your insurance company in case your controls at home are compromised. Security for a card processing organisation may mean that credit card data, personally identifiable information and transaction information must not be compromised in any way, shape, or form. That is, there must be protections against attacks on non-repudiation, authentication and authorisation, and against fraud and theft.

And security for your country? Well, look at the UK... cameras all over London watching your every move, all in the name of security. Alternatively, think about the defence force for your country and, closer to home, the local police. These are all meant to provide security against threats to your livelihood. Now, that is all just common knowledge. There's nothing creepy (well, continuous monitoring is...) about the above types of security.

What you may not realise is that, on the Internet, you are being watched, and this "watching" is all in the name of security. When you purchase goods online, you are profiled to help prevent fraudulent transactions. When you check your items shipped via courier/post, you are being profiled... this profiling is essentially the gathering of metadata: data which does not detail exactly what you did, but from which what you did can generally be easily reconstructed.

So how does metadata fit into security? A very simple example: the URL you entered to access this web page is metadata. It does not detail exactly what you saw when you accessed the page, only that you accessed the page. Someone who had access to this metadata could use it to determine that you read an article about security... even though the content may have changed between when you accessed this site and when the "snoop" accessed the site. Security, for you, should encompass the protection of your metadata. It defines where and when you have been somewhere and who you have spoken to, but it does not detail what you saw, heard, discussed, or consumed. So now you should start realising that everything you do can be attributed back to you in some way or another.

"Security" is everywhere.

The Necessity

Security in the final example above is generally not necessary. For the rest, there is a direct correlation between value, goods, and people, and security should rightfully be implemented. The final example is a giant can of worms, a political hot potato, and the general thought is that metadata collection is surveillance. See https://search.wikileaks.org/?q=metadata for some interesting reading on metadata collection.

Surveillance is not necessary, and it most definitely is not security. Surveillance assists in the cases where there is a direct threat and direct knowledge of exactly who, what, where, when, and why something is being monitored. Otherwise, metadata collection is a surveillance tactic that does not assist in security for us or our country (but we may be told otherwise), and the majority of us should agree that surveillance is not nice, necessary, needed, or wanted.

Security, in short, is required to protect you, your assets, your organisation, your intellectual property, and your country. To what level is it necessary? That is entirely subjective; there is no hard and fast rule for implementing security. Judgement calls are made, information is assessed, and levels of security are decided upon by the primary stakeholders for the assets in question.

Starts... ends?

Security starts with you and, funnily enough, it ends with you. When you give up, you lose your rights to free speech and freedom. It is often stated that security awareness training in an organisation is key to ensuring the security of your organisation. Without security awareness training, your staff will not know what is acceptable and secure behaviour and will have a higher likelihood of clicking that email offering them a free iPhone. Even the best patched and secured systems can be bypassed by a person who is motivated enough to bypass the security controls because the controls are cumbersome and annoying. If you start acting insecurely, the things with which you interact will become inherently insecure.

Security, so what the hell is it?

Security is the protection of an object from harm (loss) against it. If a policy or decision is not protecting something from harm, well, you are not implementing security. To clarify, security controls, such as insurance, can be utilised to reduce the impact of harm against an object. That is, insurance transfers the risk of harm to a third party so that you do not have to spend more resources than that which you are attempting to protect. Implementing a $150,000 security system on your home to protect $100,000 worth of assets is financially absurd. There is more sense in obtaining an insurance policy to cover the replacement cost of your $100,000 worth of assets. This is security through transfer of risk to mitigate loss. Security is your seatbelt and air-bag in your car to protect you from serious harm in the event of an accident. Security is the password and authentication controls on your e-mail account to prevent anyone from reading your private conversations. To implement security effectively you must assess the threats.