There Is No "One Size Fits All" in Security

2017-06-19 - [46] 4:1

Every company and household is set up differently and has different needs. Some companies rely mostly on desktop computers while others rely mostly on servers. While one company might run Windows servers, another may run Linux or FreeBSD. Remote jobs have different requirements and risks than on site jobs. With different networking and system infrastructures come different security requirements.

Not every person or company needs to worry about the same threats as well. The family owned bank down the street needs to worry about defending against attackers trying to steal customer data or money, but probably don't need to worry about nation states. The person 2 doors down may need to defend their information from a potentially abusive ex-partner, but probably doesn't need to worry as much about a cyber crime syndicates trying to attack large companies.

Just like every system infrastructure is different, every threat model needs to be specialized to that infrastructure. It's not enough to just "Use Tor. Use Signal." Using good encryption is nice, but won't stop someone from breaking into the building or social engineering employees. Setting up antivirus is great, but won't stop someone from breaking into that toaster or coffee maker that's connected to the internet.

The intention of this blog post was not to scare people from being secure, but to bring up a point that there is no "One Size Fits All" solution. Information security is about identifying what you need to protect and finding ways to protect it. Every situation is a new puzzle, and while different puzzles may have some of the same pieces, every finished puzzle will be unique.