The Problem With Our Security Models


"You can haz better security, you can haz worse security. But you cannot haz 'security'. There is no security. Deal." -- Richard Steven Hack

I thought I would start with this quote from Rich Hack; it describes the issue in a nutshell. The reason for this article is a post from Bruce Schneier where he states: "Our security models will never work — no matter what we do".

I'm quoting his first few paragraphs here: "A core, not side, effect of technology is its ability to magnify power and multiply force — for both attackers and defenders. One side creates ceramic handguns, laser-guided missiles, and new-identity theft techniques, while the other side creates anti-missile defense systems, fingerprint databases, and automatic facial recognition systems.

"The problem is that it’s not balanced: Attackers generally benefit from new security technologies before defenders do. They have a first-mover advantage. They’re more nimble and adaptable than defensive institutions like police forces. They’re not limited by bureaucracy, laws, or ethics. They can evolve faster. And entropy is on their side — it’s easier to destroy something than it is to prevent, defend against, or recover from that destruction.

"For the most part, though, society still wins. The bad guys simply can’t do enough damage to destroy the underlying social system. The question for us is: can society still maintain security as technology becomes more advanced? I don’t think it can."

He refers, of course, to the ultimate example that everyone is terrified of, a terrorist with a nuclear bomb, but even that is something survivable for a society. Japan resurfaced from two detonations in a relatively short time. He is right in the sense that an attacker only needs to succeed once, while the defender needs to succeed 100% of the time. That is why we need to design with failure in mind, and fail with the least amount of (collateral) damage.

Schneier notes that traditional security largely works "after the fact", and that is where some of the problems lie. On planet Earth, we tend to invent weapons but omit to invent the protection against those weapons at the same time. The Manhattan Project developed the atom bomb and completely omitted to develop, at the same time, a force field that would stop an atomic blast. Wouldn't having both technologies have been a much more powerful solution?

He continues: "Because sooner or later, the technology will exist for a hobbyist to explode a nuclear weapon, print a lethal virus from a bio-printer, or turn our electronic infrastructure into a vehicle for large-scale murder. We’ll have the technology eventually to annihilate ourselves in great numbers, and sometime after, that technology will become cheap enough to be easy." He then states: "If security won’t work in the end, what is the solution? Resilience — building systems able to survive unexpected and devastating attacks — is the best answer we have right now."

At this point I'd have to say his answer is incomplete. Schneier takes for granted that human nature cannot be changed, and that someone will inevitably get the tools in hand to create major damage. That event could be prevented by a change in mankind's worldwide respect for the United Nations' Human Rights, a change in all world governments' priorities regarding education, and the realization that planet Earth is on a downward spiral until we wake up and do something about it.

