Security theatre

Steve Riley of Microsoft is a controversial figure. Some believe he’s a hacker and others that he’s a social engineer. Having argument with him is very difficult. Steve’s got great mind and unique aility to inspire people, get them thinking about information security. Recently I have read about security theater in his newsgroup posting, in response to suggestion to rename Administrator account as a security measure:

Rename it back to “Administrator” and set a long passphrase on it.

Changing account names is just security theater. Names are intended to be
public, there is no mechanism in place to prevent discovery of names. So
don’t treat such elements as secrets. The secret in a set of credentials is
the password.

Other elements of security theatre are, according to Steve, port hiding (another unneeded change from the default, a bad sysadmin practice), and outbound traffic control on personal firewall. I couldn’t agree more. Too many times I have seen Windows guest account disabed and renamed…

The term security theater appears to be coined by Bruce Schneier. It’s great. Much better than security through obscurity  – meaning the same, leaves no space for argument. It’s spot-on. Security theatre is the best way to create problems for yourself while not creating those for potential intruders.

Leave a Reply

Your email address will not be published. Required fields are marked *