You might think from all the posts I’ve done here and the classes I’ve taught about it that I love security. I do, sort of, and I hate it, sort of, too. I think this love-hate relationship is kind of healthy, though.
So why do I hate it? Well, like most people I like closure. I’d love to be able to say, “your system is secure” or “nobody can break into your network”. I can’t of course and frankly that’s seldom what people really want. What most people want is not to be attacked, or have their systems breached, or lose anything or whatever. Having perfect security is hard and in many cases impossible. One makes tradeoffs.
Consider your house: if you wanted you could put steel shutters on the windows, a large steel door at each external doorway, hire guards, deploy cameras and other things to protect it. The problem is, for the overwhelming majority of us, that’s overkill – the protection would cost more than the value of the house and its contents. We might, on the other hand, put deadbolt locks on the doors and install a monitored security system. Those two measures have significant benefits: they would deter thieves, the locks would make it harder to break in and the security system would make the home less attractive to burgle then one without a monitored security system.
Cybersecurity is often like that. We try to make a system or network very difficult to compromise. We may even hope that it is impossible, but we know that sometimes software and systems whether bought from others or developed in-house have undiscovered vulnerabilities. Does that mean there’s no hope? Not at all.
There are many things we can do. For starters we can try to make a compromise have little impact. If all the data stolen are strongly encrypted, the impact may be minimal. If we see the attack in progress and can thwart it as it happens, there may be no compromise at all. The latter is analogous to the burglar alarm at home – the authorities can sometimes stop a burglary in progress or can easily discover the burglars and recover what’s been stolen. Even though we may not be able to completely secure our systems or networks, we can go a long way toward ensuring that we won’t have any real losses.
Yes, I hate it when I can’t say something is “done,” but I love helping people understand the issues and principles of computer security – including the impossibility of complete security for most situations. In Learning Tree Course 468, System and Network Security Introduction we talk about how our inability to completely secure our data impacts our cybersecurity design. I hope to see you at one of those courses so we can discuss it personally. In the mean time, or if you’ve been to one of the courses, let us know what you think in the comments below.