
Cybersecurity Basics #12 - Bolt-on vs Built-in

Built-in security is always best. That's "security by design", but when that fails (due to mistakes, oversight, humans), bolt-on security steps up...or, um, in.


Watch this episode on YouTube.

Reasonably Accurate Transcript

Morning everybody. How you doing today? Um, thanks for joining in the show again. We're going to continue with the cybersecurity, um, basics series, which is actually coming to a temporary pause or an end because I think we've covered a lot of the basics so far, which is great.

Um, if you, uh, have another topic you want me to hit up, uh, in the basics line, just, uh, talk to me online at marknca, uh, on most social, down in the comments below in the vlog. And as always by email for the podcast listeners.

So today I want to talk about something that applies to both personal, so individuals, as well as people in cybersecurity or in IT in general. And this is a concept of bolt on versus built in security. So these are not official terms, but you see them used relatively often and they refer to a couple design, let's say, choices, to be generous, because it's Friday and we want to be nice to people.

And so a lot of security products that you're using are going to be bolt on. And that essentially means exactly what it sounds like is that they are not part of the original thing that you are protecting. So you have a system and you've added something additionally on top of it.

I'm trying to think of a real world physical analogy. It's kind of tricky, but I'll give you the contrast to give you a better idea. So let's say actually, I'll give you, here we go. This just came to me, I was thinking about sports ball, as you can see for those of you on the vlog, my shirt, I've got my great sports ball shirt on.

So a bike, normal bicycle, has a number of security features and that we'll tackle in a second. But there is one bolt on after the fact, is your helmet. Your bike helmet is a bolt on. There is nothing on the bike inherently to protect the rider's head.

So we have created a new product called the bicycle helmet that you will then put on your head. And that is a bolt on security control, right? So that's a bolt on feature or some action that we are using to protect. Ok. So that's a security that's bolt on security.

The contrast, the flip side of that is built in security. So built into the bike for security is the braking system. The braking system is built in to slow the bike down to increase safety and security, right? So that's a real world analogy.

Bolt on: the helmet. Built in: the brakes. So you think about this in the cyber world. So if we look at something like, let's say, Windows, Windows 10, which I was using last night and I could not believe it. It's been a long time since I've used Windows for an extended period of time and I was kind of shocked at a bunch of things.

That's another blog, I'm sure, and rant to be determined. So for Windows, there's a number of security features that are built in. So your account, that's a built in feature, user. There's something called UAC, or user access control, and that's the prompt you get when you're trying to install software or the software that you are running is trying to take an additional action and the screen kind of fades out and it pops up and says, hey, you know, this installer needs additional permissions, yes or no, confirm or deny, that kind of thing.

That's elevating your privilege. That's a built in security control. It says you as a normal user aren't allowed to do these things unless you have specific extra permission to do it. User access control. And that is built in security. Bolt on would be anti malware.

So anti malware software stops bad things from running, right? Malware, as we know from earlier in the series, is software with malicious intent or something you're just not intending to do in your system. So anti malware stops that type of software from running.

Um, and that's bolt on because if it was built in, we wouldn't need it, right? It would just be better operating system design. So in this case, bolt on controls are augmenting the built in design, um, in order to do things better. But the challenge you get is that it's always better, it's 100% better, undeniably, to be built in than bolt on.

I say that working in the security industry for a vendor who sells bolt on products. The reason why I can say that with a straight face, I think I have, I have a straight face, is that if we could build better secure by default, privacy by default enabled products, we wouldn't have all these additional security controls after the fact.

We would have maybe verification and assurance and things like that that are different. But the reality is people make mistakes. These systems are super complicated and bolt on controls give you a third party or an external view to make sure.

So the argument is pretty straightforward is that if somebody built a product that has security vulnerabilities and hopefully they fix that and reduce that and everybody does this. You know, it's just human nature, we make mistakes, we move quickly, things break or unintended consequences of complex systems is a whole theory of computer science down there.

Um, so mistakes happen and bolt on security controls can help mitigate the risks by those mistakes. I mean, provide additional controls that weren't necessarily possible or they can help solve multi product problems. So if you think about malware and anti malware controls on whatever system you're defending, obviously, there was an issue where malware could run.

So having a third party that is monitoring for malware is a smart move, right? Because you've got the assurance that it's a third party. It's not the original people who had the oversight or made the mistake that created the vulnerability that malware could take advantage of.

It's a third party that hopefully you trust who's doing that. So that's bolt on and that makes sense. However, for some basic security controls, you know, built in is where you want to be. And in general, built in, we want as many built in as possible because that will reduce the over the load of a bolt on control because a bolt on control by nature is external, right?

It's something outside of the product that you're actually trying to protect or the system you're trying to protect. So there's a cost there. Sometimes it's actual financial cost, your outlay. Sometimes it's what we call operational cost or just the amount of effort it takes to run that.

So you need to make sure it's up to date, you need to make sure it's on and active, you need to make sure that it's patched and up to date because there could be problems, security problems with it. So there's what we call that actual outlay cost and then there's an operational burden or operational cost.

And so anytime you bolt on, you're dealing with that as well. So you want to make sure that when you are adding a bolt on control, that it is worth the trade off. And for anti malware, obviously, it very much is, but then there's a whole host of other security controls that you're going to hear about that, um, may or may not be worth it depending on the situation that you're in.

So that's built in versus bolt on. Um, by default, built in is absolutely where we want to focus the vast majority of our, of our efforts when we're building systems.

Um, but because we as consumers or we as businesses who have bought things, um, you can't affect directly how that thing was built. So that's why we have bolt on. We, we add on, bolted on controls and security protections to make sure that the mistakes, which are inevitable, they are going to happen, um, are covered and that we're not put at unnecessary risk.

What do you think? Let me know, um, your thoughts on bolt on versus built in. Hit me up online at marknca, for those of you on the blogs in the comments down below, and as always by email. I very much appreciate you guys, uh, watching the show, follow me along. All the comments I try to get to, I read, at the very least, I try to reply to everybody because this is what drives the show.

Um, I hope you are set up for a fantastic Friday and a great long weekend. Um, and I will talk to you on the show on Monday and online. Uh, today. Take care.
