What is security theater?

With cyber attacks happening every 39 seconds, and a data breach costing $3.9 million on average, organizations are making cybersecurity their top priority and investing more of their budget into technologies that protect their assets. But are their efforts fruitful? Do firewalls and antivirus software protect against cyber threats, or are they merely a redundant budget expense?

And should we really be satisfied when we see “Your computer is free from malware!” pop up on our screen, or are we being naïve? Does that provide any true insight into cyber risks?

Many of the security protocols and measures enforced by organizations today are inadequate when it comes to thwarting future cyberattacks. Organizations that fail to review the reliability and effectiveness of their cybersecurity approach remain vulnerable to malware and data breaches.

The first thing we need to ask ourselves is: Are we investing in measures that provide us with a superficial sense of security, or do they truly defend us against security risks?

This is why understanding the concept of “security theater” can help us.

What is security theater?

“Security is both a feeling and a reality. You can feel secure even though you’re not, and you can be secure even though you don’t feel it.”

— Bruce Schneier

The security theater concept was first introduced by computer security expert Bruce Schneier to describe actions and countermeasures that make people feel safer without actually improving their security.

Any real security process can be measured against the probability of various risks and the effectiveness of countermeasures. Security theater, on the other hand, is based on the psychological feeling of security. Because it’s predicated on emotional reaction only, people can feel secure even when they’re not. Consequently, security theater measures are often ineffective and act as a placebo for the public.

That doesn’t mean security theater measures don’t have any positive effects. One of cybersecurity’s biggest obstacles when spreading awareness is fear. The public’s fear of cyberattacks and various types of cybercrime is fueled by media campaigns that cover every security breach story and every hacking attempt with a call to panic. Security theater measures can relieve the average users’ stress towards cybersecurity, allowing them to assess threats more rationally.

On the other hand, a false sense of security can make people feel too comfortable, blinding them to threats that might actually exist.

Real-life security theater examples

Here are some examples of security procedures and measures that only provide the “feeling” of security:

• Having airport security confiscate liquids, when a terrorist can just as easily cause damage with solids
• Not allowing bottled water on flights due to volume check, but allowing flammable aftershave
• High-tech-looking body scanners that don’t perform any better than traditional ones
• Providing security guards with guns that are loaded with blanks
• Surveillance cameras with such low-quality image capability that they can’t actually capture anything
• Telling people to report all suspicious activity, which does little but increase fear and helplessness and make us suspicious of each other
• Enforcing building security with ID badges that a criminal can easily copy
• Marking homes and cars with stickers that announce protection by a video surveillance or advanced anti-theft system

While, yes, some of these measures can increase security — warning stickers on homes can repel a thief — in most cases, they can be easily sidestepped. And how about the measures that are considered security theater in many organizations’ security policies?

Are you practicing security theater?

Post 9/11 airport security and TSA effectiveness are prime examples of the concept of security theater, and it doesn’t stop just there: flashy examples of false security are paraded all around us, especially in cybersecurity.

Companies aware of the dangers of data breaches and cyber attacks invest large sums of money in technologies and software they think will protect their system and network. But how do you differentiate between the measures and policies that are just for show and those that actually help you detect, prevent and contain data breaches and cyber attacks?

Let’s look at a few examples of security theater in cybersecurity.

Theatrical security training

Who doesn’t like watching a long, uninteresting PowerPoint presentation and a dull instructional video? Well, no one does. Human error remains the number one security risk for organizations but there still isn’t enough done to increase awareness and create security culture among employees.

Security training shouldn’t be a burden, or boring. Organizations need to rethink the way content and information in these trainings are presented; they need to be engaging and interactive while showing listeners how security benefits everyone and how they can help.

Complicated password requirements

Every organization has a password policy: how often employees need to change them, the number of characters required and, in general, the necessary complexity of passwords. In other words, companies make employees change their passwords every three months and request that they be overly complicated.

Passwords that are too complex will be impossible to remember. Without a password manager in place, people will likely write them down on scraps of paper, or use the same password over and over while simply changing the last digit.

Antivirus and antimalware software

Most of the organizations out there invest heavily in antimalware and antivirus software. While they do detect viruses and malware, they only go so far as to detect ones they know about or variants thereof. As soon as a new form of malware shows up, you’re defenseless.

Ironically, they’re also an inconvenience to employees, often harshly impacting CPU usage, causing reboot cycles and generally making everyone frustrated and less efficient. Not to mention that today’s crackers can easily detect the type of protection you’re using and bypass it. While we certainly shouldn’t eradicate all antimalware software, we should never let our guard down simply because we see the words “Your computer is free from malware” pop up on our screen.

Firewalls

Firewalls are another measure everyone takes, but they really aren’t that effective anymore. When first introduced, they were intended to block unauthorized connections — and they do that just fine. But that was twenty years ago. Today, the walls have been penetrated and firewalls don’t stand a chance against modern malware and cyber attacks. Today, the traditional firewalls on Windows systems often used in organizations don’t stand a chance, but we can hope that newer generations will provide more effective protection. Upgrading to new gen firewalls or using Unix or Linux systems could help you avoid relying on this classic security theater measure.

False positives and alert fatigue

Today’s organizations utilize several threat protection products which are plagued by the number of security alerts they send out. Security analysts are swamped with these alerts, many of which turn out to be false positives. Combine that with alert fatigue and you get potential threats that go ignored — a recipe for disaster, as we’ve seen in the Target case.

In 2014, due to the volume of alerts and false positives, the FireEye team alerted Target’s staff about the breach but the warnings were ignored. Seeing too many alerts, not prioritizing them and considering them without context gives off the appearance of “diligent security” while not providing the full security potential of an SOC.

Cloud is beyond the perimeter

During the last decade, on-premise systems have made way for cloud computing. And deployment to the cloud has remained — cloudy. The traditional approach to security is perimeter-based, and security tools that don’t possess deeper data on networking concepts leave too many backdoors open to attacks. Since the future of network security is in the cloud, security tools and solutions need to work with it as well as all network technologies. Also, having your infrastructure in the cloud itself will help you avoid many modern network threats.

Real cybersecurity vs. security theater

Real and effective cybersecurity measures employ a risk-based approach, and risk assessment is a vital component of good cybersecurity practices. It behooves you to identify all important digital assets, stay informed on the current state of cybersecurity and defenses in the organization, identify weak points and build your defenses accordingly.

The Internet of Things is bigger than ever and while the information stored on those devices is nothing short than highly sensitive, they aren’t always known for being secure. Manage IoT security to make sure you don’t any attack surface area points exposed for attackers.

Monitor privileged accounts and third-party access, enforce proper email security and raise awareness among employees; these are all highly effective cybersecurity practices. These procedures and practices might not be flashy, and maybe they won’t send everyone a message that says “We take security very seriously!,” but they will decrease your chances of becoming yet another data breach statistic.

Security theater, on the other hand, loves the stage. It consists mostly of technologies, tools and procedures that are only superficially effective in making your organization secure. It doesn’t take a risk-based approach, focusing instead on the appearance of security while failing to match up the measures with the sources of risk. You’ll be left with a gap in the budget and in the attack surface.

Conducting analysis to identify risks, mitigating threats and creating defense strategies are the only ways to trade in feeling secure for actually being secure.

Conclusion

Feeling and being are two different things, and their difference is greatly magnified when it comes to cybersecurity. While you shouldn’t delete all your antivirus solutions and throw away your password policies, understanding the limitations of these traditional security measures in the modern threat landscape, and knowing your weak spots, is crucial in being prepared for any of the threats out there.