You’d think we’d have this figured out.
Why? Because security is hard.
In fact, it’s harder than you or I can even imagine. And to be clear, I’m not trying to make excuses for your bank or any other service. I just want to be clear that security is really, really hard.
Let’s review some of the fundamental principles at play in a situation like this.
So Many Security Breaches
- All software has bugs.
- Today’s systems are unimaginably complex.
- You can’t retrofit security.
- Complexity and evolution are at odds with security.
- You need security experts to do security right.
- People remain the weakest link.
#1: All software has bugs.
This is something I expect non-programmers have the hardest time with. The thinking is that if we just did it right in the first place, we wouldn’t have all these problems.
Here’s the fact: Even the very best software you’ve ever used — the most stable, fastest, greatest and most-loved software you can think of — still has bugs.
There is no such thing as bug-free software — period. Anyone who tells you differently is either lying to themselves or to you. Software manufacturers try to ensure that the bugs that remain are insignificant, but there’s simply no way to anticipate and eliminate all of them. Most, sure. All? Absolutely not.
And that’s primarily because of principle #2.
#2: Today’s systems are unimaginably complex.
Seriously. Even the people who are supposed to understand them from top to bottom don’t completely understand them.
Many of the bugs I referred to in the first principle are not the result of an explicit programming error in any one piece, but of how these enormously complex systems are assembled from many pieces. (Of course, explicit programming errors happen too.)
Remember, systems have to be built in such a way that individuals can build them. That means they’re built in parts that can be understood. Those parts are then put together to create the larger whole. Problems often result from simple misunderstandings or erroneous assumptions as these parts are put together.
Also, remember that our expectations are that these systems never crash, never lose any data, and never deny access to those who are authorized while never allowing access to those who should be denied. All of that while being both lightning fast and trivially easy for anyone to use.
Incredible complexity is the result.
#3: You can’t retrofit security.
Truly comprehensive security needs to be baked in from day one. You can try to add it in later, but it’s a path fraught with potholes and pitfalls.
That’s one of the major reasons that Windows 9x [1] was abandoned in favor of the Windows NT-based systems we use today. Windows 9x was based on MS-DOS, which had zero consideration for security. It just wasn’t part of the concept of that operating system. There were no such things as accounts or permissions. Windows 9x tried to bolt that stuff on, but it could not overcome the fundamental assumptions made in its MS-DOS foundations.
Windows NT was a complete rewrite with multi-user account and security control built in from the beginning. Windows 2000, XP, Vista, 7 and 8 are all derived from Windows NT. Yes, Windows has its issues, but what it is and does today simply could not have been built using the old DOS-based roots.
#4: Complexity and evolution are at odds with security.
Systems evolve. We want more features, more power, more games, more options. Whether or not you personally want more, the world, the market, the public in general, does.
So systems evolve, and evolution increases complexity. Evolving an already complex system is worse still.
Evolution means the security you built in the beginning may need to handle issues and situations it was never designed to handle, things that were never even dreamed of, say, a decade ago. So the security measures get tweaked and adjusted, modified to evolve with the hope that nothing breaks.
And of course, in addition to all the new things, we want all the things we created a decade ago to keep on working.
#5: You need security experts to do security right.
Security as a concept is hard enough. Implementing security is insanely difficult because the margin for error is so small. For example, encryption is trivially easy to get wrong (or maybe not wrong so much as not right enough: the right algorithm in the wrong mode, a reused nonce, a key that was never really secret).
Account management is the same way. To this day, some services make bad decisions, like storing the passwords themselves (in plain text or reversibly encrypted) instead of a salted, deliberately slow hash of them, because the coders don’t know any better, or are in a hurry, or for some other reason.
This is perhaps one of the larger risks of today’s incubator or entrepreneurial startup models. A small number of people get together and create something because they have expertise in that something. That’s awesome, and they produce an awesome product or service around that thing. But none of them are security experts. They may have some notion of best practices, like not storing plain-text passwords. So they get the big things right, but it’s the small things that bite them.
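The "not right enough" trap is easy to show with password storage. The following is an added example, not code from the original article: a hurried version that hashes the password with a fast, unsalted hash (which looks like "not storing plain-text passwords" but is nearly as bad, since identical passwords produce identical hashes and a precomputed table reverses them), beside a version using a per-user random salt, a slow key-derivation function, and a constant-time comparison. The record format and the iteration count are assumptions chosen for the illustration; only standard-library modules are used.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumption: a cost parameter for PBKDF2-HMAC-SHA256. Raise it over time as
# hardware gets faster; the record stores the value used so old records keep
# verifying after the default changes.
ITERATIONS = 600_000


def weak_hash(password: str) -> str:
    """What a hurried coder might write: fast and unsalted.

    Two users with the same password get the same string, and a leaked table
    of these can be reversed with precomputed lookups. Not right enough.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> str:
    """Build a storable record: algorithm$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Check a password against a stored record without leaking timing."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        # Malformed record: treat as a failed login rather than crashing.
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # compare_digest runs in time independent of where the digests differ.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: two users who happen to pick the same password.
    print("weak, user A:", weak_hash("hunter2"))
    print("weak, user B:", weak_hash("hunter2"))  # identical: leaks the reuse
    rec_a = make_record("hunter2")
    rec_b = make_record("hunter2")
    print("salted, user A:", rec_a)
    print("salted, user B:", rec_b)  # different salt, different digest
    print("login ok:", verify("hunter2", rec_a), "wrong pw:", verify("hunter3", rec_a))
```

The salt defeats shared precomputed tables and hides password reuse between accounts; the iteration count makes each guess expensive for an attacker who steals the table; storing the parameters in the record lets you raise the cost later without invalidating existing users. A dedicated password hash such as scrypt or Argon2 is the better choice where available; PBKDF2 is used here because it ships with the standard library.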
#6: People remain the weakest link.
All of the technology in the world won’t save you from the mistakes of human beings using it.
If a technician in your data center falls for a really good phishing attempt — and they do exist — then even the best security has just been bypassed. Maybe your security expert — an honestly good, true expert — overlooks a case that happens only once in a billion operations, and then your company grows to a billion transactions a day. Maybe adding a feature to your decades-old system uses an old interface in a way that was never envisioned when it was created and has never been tested since.
Maybe you just piss off the system administrator, and before he quits, he leaves all the security information on an anonymous hacker’s website.
I’m not saying that any of these are justifications for security breaches, but given the size, the age, and the evolution of so many of these systems over time, it’s really no surprise. Throw in human frailty along the way, and it’s surprising that it doesn’t happen more often.
The best systems don’t assume we can stop bugs from happening. That’s naïve.
The best systems have an answer to the question, “What do we do when this happens, and how do we reduce the damage?”
It’s kind of like backing up. You can’t say “My disk will never fail” — or if you did, you’d be wrong and also naïve. What you can say is, “How do I prepare for the day it happens, and how do I reduce the impact when it does?”
That same systems advice applies to your security as well: what will you do when breaches happen? How have you protected yourself? Selecting good providers is a start, of course, but so is general security hygiene, including things like strong and unique passwords.
Control what you can and prepare for what you can’t.
Footnotes & References
1: Windows 95, 98, 98se, and Windows Me.