Presumed security
Presumed security is a principle in security engineering that a system is safe from attack due to an attacker assuming, on the basis of probability, that it is secure. Presumed security is the opposite of security through obscurity. A system relying on security through obscurity may have actual security vulnerabilities, but its owners or designers deliberately make the system more complex in the hope that attackers are unable to find a flaw. Conversely a system relying on presumed security makes no attempt to address its security flaws, which may be publicly known, but instead relies upon potential attackers simply assuming that the target is not worth attacking. The reasons for an attacker to make this assumption may range from personal risk (the attacker believes the system owners can easily identify, capture and prosecute them) to technological knowledge (the attacker believes the system owners have sufficient knowledge of security techniques to ensure no flaws exist, rendering an attack moot).

Although this approach to security is implicitly understood by security professionals, it is rarely discussed or documented. The phrase "presumed security" appears to have been first coined by the security commentary website Zero Flaws. The article uses the Royal Military Academy Sandhurst as an example, focusing on the apparent lack of entry security and contrasting it against the presumed security a military installation will have. The article also details the flaws inherent in a trust seal such as the Verisign Secure Site seal, and explains why this presumed security approach is actually detrimental to an overall security posture.
The source of this article is Wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.
 