As a long-time security practitioner, it has become second nature for me to look for and find things that buck the norm – basically, to find things that go against proper procedures. Before I begin my little story, I must share that everything I do to “buck the norm” is done professionally and ethically – I never do anything that would cross those boundaries (and I recommend you do the same). Now for my little story. Please bear with me; it does go directly into security, and more precisely into how detective controls are far less effective than preventative controls.
At my son’s middle school, there is a proper way for visitors to enter the building: through the quasi-mantrap at the front of the school (northeast corner, second floor, for a reference point), then sign in to the automated badging system (if it works… and no, there is no verification that the information you enter is remotely accurate, but I digress), and then meet with the person(s) you went there to see. During normal school hours, this is the only door that is open to the outside world. One controlled entry point – not bad from a security perspective. Note that they also have cameras on all their doors (there is that detective control we will be talking about) to monitor who is coming or going.
Now here is the problem: during the early morning arrival time, many doors are just left propped open – a side door for walkers, the front doors for bus riders, the rear doors (southwest corner, first floor, for reference) for riders like my son, and many more. Nothing stops me from going in through one of those doors. I have in fact entered the building outside of the “normal” way N times (N > 13 – I counted thirteen times in the last two years but figured there were many more that I don’t remember). I have even walked from the back door to the main office (by the front door) and back on several occasions. Never once was I stopped and, worse yet, only rarely was I ever challenged. Giving the school the benefit of the doubt, I am well known by the staff there, so they may give me more leeway than a “stranger,” but the fact is that, by their policy, I should not be entering any door but the front. Well, the other day I went in to hand in an assignment (I had to show the teacher that what she marked wrong was indeed correct, but that is not important), and later that night I got a nasty letter from the principal telling me I didn’t follow the procedures. It was really nice of them to catch me N times later.
Why did I make you sit through this boring story? Put simply, I thought this was a perfect correlation to the real world of IT/cyber security: would-be security professionals build what they think are good controls at one entry point and attempt to force all traffic through said entry point. They then begin to poke holes in their infrastructure where anyone can get in. At best they implement detective controls – just like the camera at the school; and, just like the school, they detect the activity months or years later (at least N times later). Unfortunately, they are not dealing with cooperative parents like me; they are dealing with malicious attackers or, worse, nation states. Detective controls play their part in the security paradigm, but they need to be teamed with preventative controls. Detective controls tell you who did it well after the event but do nothing to stop it. Preventive controls are necessary.
Detect < Prevent