You’d think we’d have this figured out.
Why? Because security is hard.
In fact, it’s harder than you or I can even imagine. And to be clear, I’m not trying to make excuses for your bank or any other service. I just want to be clear that security is really, really hard.
Let’s review some of the fundamental principles at play in a situation like this.
So Many Security Breaches
- All software has bugs.
- Today’s systems are unimaginably complex.
- You can’t retrofit security.
- Complexity and evolution are at odds with security.
- You need security experts to do security right.
- People remain the weakest link.
#1: All software has bugs.
This is something I expect non-programmers have the hardest time with. The thinking is that if we just did it right in the first place, we wouldn’t have all these problems.
Here’s the fact: Even the very best software you’ve ever used — the most stable, fastest, greatest and most-loved software you can think of — still has bugs.
There is no such thing as bug-free software — period. Anyone who tells you differently is either lying to themselves or to you. Software manufacturers try to ensure that the bugs are insignificant, but there’s simply no way to anticipate and eliminate all bugs. Most, sure. All? Absolutely not.
And that’s primarily because of principle #2.
#2: Today’s systems are unimaginably complex.
Seriously. Even the people who are supposed to understand them from top to bottom don’t completely understand them.
Many of the bugs I referred to in the first principle are not results of explicit programming errors, but side effects of errors in how these enormously complex systems are built. (Of course, explicit programming errors happen too.)
Remember, systems have to be built in such a way that individuals can build them. That means they’re built in parts that can be understood. Those parts are then put together to create the larger whole. Problems often result from simple misunderstandings or erroneous assumptions as these parts are put together.
Also, remember that our expectations are that these systems never crash, never lose any data, and never deny access to those who are authorized while never allowing access to those who should be denied. All of that while being both lightning fast and trivially easy for anyone to use.
Incredible complexity is the result.
#3: You can’t retrofit security.
Truly comprehensive security needs to be baked in from day one. You can try to add it in later, but it’s a path fraught with potholes and pitfalls.
That’s one of the major reasons that Windows 9x¹ was abandoned in favor of the Windows NT-based systems we use today. Windows 9x was based on MS-DOS, which had zero consideration for security. It just wasn’t part of the concept of that operating system. There were no such things as accounts or permissions. Windows 9x tried to bolt that stuff on, but it could not overcome the fundamental assumptions made in its MS-DOS foundations.
Windows NT was a complete rewrite with multi-user account and security control built in from the beginning. Windows 2000, XP, Vista, 7 and 8 are all derived from Windows NT. Yes, Windows has its issues, but what it is and does today simply could not have been built using the old DOS-based roots.
#4: Complexity and evolution are at odds with security.
Systems evolve. We want more features, more power, more games, more options. Whether or not you want more, the world, the market, the public in general, does.
As a result, systems evolve. And evolution increases complexity. Evolution of an already complex system is even worse.
Evolution means the security you built in the beginning may need to handle issues and situations it was never designed to handle, things that were never even dreamed of, say, a decade ago. So the security measures get tweaked and adjusted, modified to evolve with the hope that nothing breaks.
And of course, in addition to all the new things, we want all the things we created a decade ago to keep on working.
#5: You need security experts to do security right.
Security as a concept is hard enough. To implement security is insanely difficult because the margin for error is so small. For example, encryption is trivially easy to do wrong (or maybe not wrong so much as not right enough).
Account management is the same way. To this day, some services make bad decisions, like actually storing passwords, because the coders don’t know any better, or are in a hurry, or for some other reason.
This is perhaps one of the larger risks of today’s incubator or entrepreneurial startup models. A small number of people get together and create something because they have expertise in that something. That’s awesome, and they produce an awesome product or service around that thing. But none of them are security experts. They may have some notion of best practices, like not storing plain-text passwords. So they get the big things right, but it’s the small things that bite them.
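To make principle #5 concrete, here is an added example (not code from the article) in Python contrasting three ways a service might store a login password: plaintext, an unsalted fast hash, and a salted, slow key-derivation function checked in constant time. The record format and the iteration count are my own assumptions.

```python
# Added example: why "hashing the password" alone is not "right enough".
import hashlib
import hmac
import os

# 1. Plaintext storage: the big thing done wrong. One database leak
#    exposes every password directly.
def store_plaintext(password: str) -> str:
    return password

def verify_plaintext(password: str, stored: str) -> bool:
    return password == stored

# 2. Unsalted fast hash: the big thing right, the small things wrong.
#    Equal passwords give equal records, so every user who picked the same
#    password falls together, and SHA-256 is cheap enough to guess at scale.
def store_unsalted(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

def verify_unsalted(password: str, stored: str) -> bool:
    return store_unsalted(password) == stored

# 3. Salted, slow KDF with a constant-time comparison. A random per-user salt
#    makes identical passwords produce different records, the iteration count
#    makes each guess expensive, and hmac.compare_digest keeps the comparison
#    time independent of how many bytes matched.
ITERATIONS = 600_000  # assumption: tune to your own hardware budget

def store_pbkdf2(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Record layout "iterations$salt$digest" is constructed for this example.
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_pbkdf2(password: str, stored: str) -> bool:
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def same_password_visible() -> dict:
    """Two users who chose the same (constructed) password: does the stored
    record reveal that? True means the two records are identical."""
    pw = "correct horse battery staple"
    records = {
        "plaintext": (store_plaintext(pw), store_plaintext(pw)),
        "unsalted": (store_unsalted(pw), store_unsalted(pw)),
        "pbkdf2": (store_pbkdf2(pw), store_pbkdf2(pw)),
    }
    return {name: a == b for name, (a, b) in records.items()}

if __name__ == "__main__":
    print(same_password_visible())
```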
#6: People remain the weakest link.
All of the technology in the world won’t save you from the mistakes of human beings using it. If a technician in your data center falls for a really good phishing attempt — and they do exist — then you’ve just bypassed even the best security. Maybe your security expert — an honestly good, true expert — overlooks a case that can happen only once in a billion times, and then your company grows to a billion transactions a day. Maybe adding a feature to your decades-old system uses an interface in a way that was never envisioned when it was created several years ago and never tested against since.
Maybe you just piss off the system administrator, and before he quits, he leaves all the security information on an anonymous hacker’s website.
I’m not saying that any of these are justifications for security breaches, but given the enormity, the age, and the evolution of so many of these systems over time, it’s really no surprise. Throw in human frailty along the way, and it’s surprising that it doesn’t happen more often.
Do this
The best systems don’t assume we can stop bugs from happening. That’s naïve.
The best systems have an answer to the question, “What do we do when this happens, and how do we reduce the damage?”
It’s kind of like backing up. You can’t say “My disk will never fail” — or if you did, you’d be wrong and also naïve. What you can say is, “How do I prepare for the day it happens, and how do I reduce the impact when it does?”
That same systems advice applies to your security as well: what will you do when breaches happen? How have you protected yourself? Selecting good providers is a start, of course, but so is general security hygiene, including things like strong and unique passwords.
Control what you can and prepare for what you can’t.
Footnotes & References
1: Windows 95, 98, 98se, and Windows Me.
I read Kevin Mitnick’s book on hacking and several news articles on hacks, and most of them have one thing in common: the PEBCAK, the problem existing between keyboard and chair (the user). It seems most hacking is done through human engineering. Getting people to run a program containing malware, give a hacker a password or other access to a machine etc. This isn’t to deny that there are real vulnerability hacks, but the biggest vulnerability is the human using the computer.
We do our best, but as Leo wrote (so many years ago!) that is really all we can do.
We are so careful, but somehow Adware got on our computer. Not the end of the world in the scheme of things, but it showed us we were not as careful as we need to be.
I guess we trusted PC Matic and their white list thingy too much! Their scan did not find the adware (SpyBot did) and PC Matic’s response when asked what we had done wrong was to direct us to Malwarebytes to remove it. MB did not find it either and I had a fun week tracking down how I could get rid of it, eventually realizing I could stop it reappearing after deletion in the registry by instead deleting all permissions. All good today, first complete day, but we will see how smart the dang thing is soon enough.
But Leo is so right, we do want bang up to date, yet still want our 10 year old stuff to work also.
Thanks to Leo and Mark, I only recently came across this site and it helps me with many things I did not know I needed to know!
I’m retired Navy. When I was on active duty back in the 80’s there was a popular saying that had more than a little truth to it that applies equally well to the tech world.
“You can make things waterproof, rustproof, dirt proof, and drip proof; but you can’t make anything sailor proof.”
Engineers did what they could and we did our best to train our people, but there was always one sailor who found a new way to break something.
It’s why I subscribe and try to keep up with best practices on the family machines so I can be prepared when that “sailor” does something unexpected.
I’m saving this article as I work in regulations related to medical device cybersecurity, and what you show here is why there is still a problem, and why regulators (e.g. the FDA) keep issuing guidances that many find unreasonable, but may be necessary to ensure the devices are safe.
You forgot the most important reason why security measures fail: Bad guys, usually motivated by money. No matter how smart a programmer is there is always someone smarter out there. Besides, exploiting bugs and complexity is much easier than closing security holes. Whack-A-Mole.
So, 4 options:
– Throw out all your digital stuff
– Continue playing whack-a-mole
– Change the whole basis of humanity’s inter-communication methodology
– Develop an all-seeing AI
Wow – my window isn’t big enough to throw it all out!
Part of the problem as I see it is the fact that we use operating systems (a necessary evil) so before you do anything, you’re potentially vulnerable (if I were an astronaut I think I’d insist no OS – I’m thinking Apollo 13 here!) Oh & we connect to a “public” network (the internet which was never designed for this – it was almost a private system to begin with) – just bits added on for security. Then you have PEBCAK as has already been described. We don’t help ourselves though. There is no password manager that can work well with web based systems because so many of them do not adhere to early loose standards that existed at the beginning of the WWW & also so much is developed with programming toolkits to speed up development (in my day it was 4GL & 5GLs that were rapid development tools). Maybe Quantum Mechanics will come to the rescue!
Please check out SCION. The basic internet transmission protocol does not support end-to-end transmission of the identity of the person/org sending a message. The Swiss Banking system and several other country banking systems are implementing SCION. It makes it very hard to spoof.
Our basic problem is that with current internet architecture it is extremely easy to lie about who is sending the message.
Of course, many phishing attempts do not rely on anything that sophisticated. I get masses of fake emails via Comcast that are easily detected by just reading the email address.
We’re still babies in our cribs trying to figure out the structure of the universe!
Wait until you can publicly use Quantum computing in your home… that’s when the fun will really start!
Many of the security problems happen because all the testing time is spent getting the #*+% software to work. Somebody comes up with an idea and sells it to management. Then they build the software. Testing is always about how to get the software to work, never about how to break it. Then you have that the employees have to be able to have access. If an employee can look at the data, that is a hole that can be exploited if a hacker or data thief gets an employee access. And as soon as you include access to your customers to some form of data, you create another hole.
In one of my jobs, I had access to every customer’s credit card number that they used to pay the bills with. That data was stored unencrypted for some time, then we encrypted it. But I still needed access to the numbers to do my job. They built in a program that would unencrypt the numbers for me and load them into an Excel spreadsheet. But that created a hole if a hacker found that, or if I was an upset employee. I also never had a job that prevented an employee from downloading the data available to a disk or USB stick. Once you were an employee you were trusted, until you were not and fired.
No, you can’t protect yourself 100% against hacks and malware unless you revert to pencil and paper for all your communications (even then, somebody can rob your mailbox). You can mitigate the damage, however.
First, ditch Windows and change to a more secure OS. I’ve used Linux Mint for years and have never experienced a “virus” or any other malware. Linux’s relative invulnerability is largely due to its inherent security and open architecture but also due to its obscurity. Why write malware for Linux when 90% of the world uses Windows? There’s a reason nobody offers AV programs for Linux. Nobody. I’m talking about Linux for desktop/laptop, not for servers. A majority of the world’s servers run on Linux, plus ALL the world’s supercomputers, and hackers expend a lot of effort to breach them, but that’s a different kettle of fish.
Second, BACK UP, EVERYTHING, both your entire system (bare metal) and your data (separately and daily) to more than one destination. Do it regularly and automate the operation so you don’t forget to do it. In addition make a manual full backup periodically to an external destination that’s connected to your system solely for the purpose and then disconnected, physically, until the next session. If your backup scheme includes a cloud based backup service, a good idea in case of disaster like burglary or fire, select one that offers end-to-end encryption. I use MegaSync which offers both E-to-E encryption and versioning.
Third, subscribe to and use a good, reputable VPN service, NOT a free one. Most good VPNs have a “Kill Switch” function, which kills the internet connection unless the VPN is working. Use it. I use Private Internet Access (PIA) mainly because it’s full-featured and has a killer Linux GUI desktop app.
Fourth, by all means use a password manager and let it choose a long, unique, secure password for anything that requires a password. Use 2FA where it’s offered INCLUDING for the password manager itself. I recommend Authy for 2FA for its cross-system synchronization capabilities. For the Password Manager’s Master Password/Passphrase use something that’s both easy to remember and LONG. For instance a memorable line from the Bible, Koran or Talmud (use old versions for the obsolete language) or a line from an obscure poem with which you’re familiar; caps, spaces and all to your preference.
Many thanks, Mr St John. I’ve copied/pasted your advice into a Word document and will later review it line by line. The parts I understood, I knew and liked, making me think the rest I didn’t is on target, too.
Except for a few dollars in the credit union to pay the bills, almost all my life savings are in a few Vanguard funds. My fear has long been, what if Vanguard gets hacked. Is that rational? Or does a company as large as Vanguard have such a good security team that my worrying should be better spent on other things?
Vanguard is the largest mutual funds company in the world with a value greater than some small countries. If they pose a hacking risk, nobody is safe from hacking.
Uhm, shouldn’t that be PEBCAC…?
(Since when does the word “chair” begin with a “K” — at least, in English?)
Problem Exists Between Chair And Keyboard.
All great advice, Leo, especially “Control what you can and prepare for what you can’t.”
I’m definitely anal about PC security. The first thing I do before a web session is update my anti-virus and anti-malware programs to the latest available engine and fingerprints. Then I proceed with brain engaged. Never had a breach (as far as I know) but no matter how careful we are a merchant or financial institution can create chaos if their system is compromised. A simple, FREE defense for that is to lock all your credit bureau files. No one can take out credit in your name with your file locked. You can unlock it for a specific time period, in some cases for a specific creditor, in order to take out a loan, apply for a credit card, etc. Just ask the creditor which bureau they use and open that one briefly. Also, use only credit cards (not debit cards) on-line because Federal law limits your liability for credit card fraud to essentially zero. But for debit cards you’re at the mercy of the issuer and any loss may be entirely your problem.
Finally, THANKS for teaching us about the importance of full image backups. I just made another.
One of the problems, I think, with Windows is that it evolved from bad beginnings and was forced to carry bad design decisions along to future generations in the name of backwards compatibility. Because of its size and complexity the project was split into separate projects leading to duplication of effort, and likely proliferation of bugs. Aside from Linux, which was not originally designed as a commercial package, I can recall only TriPOS (the basis of the Amiga OS) which was designed, not for sale, but as an academic exercise. The pressure was not to rush it to market but to make it small, functional, and elegant.
RE: Testing: I used to sing with an a cappella chorus. Someone once explained to me the difference between an amateur and a professional singer.
The amateur practices until he gets it right. The professional practices until he can’t get it wrong.
The same applies to programmers. An amateur will debug/test until he gets it working. A professional should keep testing until he can’t break it. At least in an ideal world. Still, I have seen more than one application that showed bugs within several minutes of use.
Even billion dollar companies like Facebook are full of obvious bugs. Facebook doesn’t seem to be interested in fixing theirs.
Mark said:
“Vanguard is the largest mutual funds company in the world with a value greater than some small countries. If they pose a hacking risk, nobody is safe from hacking.”
Indeed! You’d think the same for the major credit bureaus, but it’s happened.
That’s why I didn’t say they are safe. They are only as close to safe as humanly possible which is never 100%.
I can relate to Mark H., some people can tear up a Steel Ball. Thanks, Leo for the Windows 9.x-NT path analogy. I’m old school DOS. What a wonderful learning tool. In the days before VoIP, there was always the “Loose Nut” behind the Dial Pad, followed by of course the “PICNIC” (Problem in Chair, not in Computer). In our training classes, the instructor always referred to the statement: Read the Mighty Fine Question. There’s always human error, and misplaced logic when under the gun, and the sleep-deprived. I try to use common sense, but we are human. And, always the Salesman selling the customer the moon. And some folks would believe you if you told them that the Sun will rise in the West tomorrow morning. Sure enough, they’d be up at sun-up, looking to the west. In our manuals, it told us that if there is Toll Fraud, it’s because there was always the guy trying to defeat the programming. Add in the Hacks. If ever there was an animal to kill, that’s “The ONE!”