This is a really good article about how poor security products can appear to work, but actually increase the problem:
The article also links to a good article about the ACUTrust product (which no longer exists) http://ha.ckers.org/acutrust/ – which contains the following quote
“like most systems that use cryptography it is not a vulnerable algorithm, but the system that uses it is”
This really does bear repeating as many times as possible. Just because a product claims to use cryptography – most will claim to be using AES256 – doesn’t mean they’re using it in a way that makes the system secure. Cryptography is all too often a security panacea, a ‘buzzword’ that makes the user feel like they’re safe, but the importance is, as always, in the implementation.
One of the best examples of this sort of failure I’ve seen recently is this http://gizmodo.com/5602445/the-200-biometric-lock-versus-a-paperclip. The incredibly secure biometrics in the lock mean nothing if the manual lock can be opened with a paperclip. Adding a stronger mechanism to a weaker one does not strengthen the system.
So why does this sort of failure happen so frequently? It really happens because security practitioners, as well as the people who buy security products, often don’t see the big picture. Security is about people, and what people will do (or not do) to the systems that they are presented with. A classic example is enforcing a strict ‘strong’ password policy that means that users write down their password, and stick it to the monitor so they don’t forget it.
Security isn’t really about products, or technologies – those can be enablers, but it is about seeing where the weaknesses are, understanding the risks, and taking what measures are possible to ensure those risks are minimised. Buying into ‘hot’ products is not a reasonable investment if you don’t understand what you are buying and why you’re buying it.
I personally am coming to believe that the greatest failure of security over the last 20 years is that we have failed to understand that we are securing (for and against) people not technologies, and people do the strangest things.
AVIEN CEO / CTO K7 Computing
* Thanks to @securityninja for the original link