Re-blog: Using Maths to Show that Automated Security Tools do not Provide Security

(Blog first appeared on nexor.com)

Automated security tools can be very effective, but there are pitfalls for the unwary. I will use a couple of well-known maths puzzles to illustrate why these pitfalls exist.

1 = 2

Most 16-year-old maths students will be able to provide a convincing proof that 1 equals 2. The following variant is courtesy of Wikipedia:

Before reading on, if you are home schooling due to Covid restrictions, see if your maths student can spot the “error” in the above. Each step, on its own, is mathematically correct.

You can only spot the “error” when you look at the bigger picture (or operational context): the transition from line 4 to 5 is a division by zero error, because by definition a = b, so a – b = 0.

1 + 2 + 3 + 4 … = -1/12

Things are not always that simple. It probably takes an undergraduate studying a mathematics course covering number theory to figure out what goes “wrong” here…

In other words, a proof that:

(See Wikipedia for an explanation). The issue comes between the two steps:

It is similar to the divide-by-zero “error”, but this time based on doing the scalar calculation on infinity. Four times infinity is still infinity, not something four times bigger.

As with the 1 = 2 case, to spot the problem, you need to look beyond the line-by-line maths and understand the bigger picture – the operational context.

Automated Tooling = Security?

To support gaining accreditation to cyber security standards like Cyber Essentials, many suppliers are bringing automated tools to market. In many cases they are really good tools.

These tools provide the equivalent of one, or multiple, lines of the above “proofs”.

As shown mathematically, this can lead to a false result – or a false sense of security. Only when the results and operational context are analysed by a security professional can the true meaning of the tool’s results be understood and the company’s true security posture assessed.

So is this mathematical proof that “Automated Security Tools do not Provide Security”?

No, but it illustrates the point: to be secure you need to think about the whole system and how elements interact – a tool cannot do that for you.

ISO 27001 = Security?

ISO 27001 is an international standard that “provides best practice recommendations on information security management, risks and controls within the context of an overall information security management system (ISMS)”.

Some businesses choose to implement ISO 27001 as it is a market expectation in their chosen markets, while others choose to do so to improve the security posture of their business. The former may choose to use ISO 27001 as a checklist (Annex A) of things to show an auditor they have done everything. The challenge is that this risks missing the bigger picture: the divide-by-zero assumption that means all the steps do not join up to a secure organisation.

So is this mathematical proof that ISO 27001 does not mean security?

No, but it illustrates the point: to be secure you need to think about the whole system and how it interacts; blindly following a line-by-line checklist will miss key evidence. There are plenty of ISO 27001 success stories, but these are obtained following a process of business improvement, not tick-box compliance.

Avoiding errors with automated tools

My intention is not to discredit all automated security tools, but to encourage businesses to see them as part of a larger picture. The same big picture view also applies to an ISO 27001 checklist.

Automated tools and accreditations like ISO 27001 can be valuable additions to an organisation’s security setup, but they must be viewed in the context of the whole operational system. Seeing an automated tool as a complete solution in itself is likely to lead to the sort of errors that can make a maths student conclude that 1=2.