7 reasons why computer security is hard
1. Constant changes
There are new attacks and new vulnerabilities every day.
It is necessary to keep software up to date. If your software vendor issues a patch or an update, make sure to apply it as quickly as possible. In the case of mission-critical systems, it is crucial to test the updates first to avoid bad surprises.
Sometimes security problems are publicly known before there is a fix or workaround. You will have to evaluate how risky it is to keep a piece of software or a system in use.
It is not only the bad guys who get smarter; you do too. As you learn more about security, you will constantly reconsider your security measures and adjust them to avoid being an easy target.
2. Snake oil
It is not possible for my mother to know about the downsides of personal firewalls and home-brew encryption algorithms. The media runs advertisements for security products and is therefore biased when it comes to evaluating them.
Many 'security' products are 'broken' hours after they become available to the public, not only because of implementation errors but often because of the design itself.
Take antivirus scanners, for example. If your system is already infected, a notice from your virus scanner that everything is OK is not very trustworthy.
3. Find a good trade-off
Applying security is always a trade-off. Most of the time you lose comfort and gain additional security. Take email, for example: you need a connection to your mail server and you need a program to process the mail you receive. This increases your attack surface, but the benefit is that you are able to read email.
If you run a normal desktop computer, it is good practice not to install every funny gadget, such as a new moon calendar. This means less "pimp my desktop"... but at least you do not increase your attack surface.
4. Users
Most of the time, humans are the weak link in a security system. Bad guys do not need to find a technical problem in a computer system if the person in front of it is willing to execute commands on the attacker's behalf. This can be done via email, on the phone or even by just sending an unlabeled CD-ROM.
It is very hard to defend against such attacks, as they target natural human instincts like fear, guilt or the desire to help other people.
5. Real person?
It is next to impossible for a computer to decide whether it is talking to a real human or to another program. If your bank's online system receives a request from your computer, it cannot tell whether you actually ordered a transaction or whether some malicious software did. When a firewall sees a connection to a web server, it cannot tell whether you are surfing the web or whether a program is sending data while pretending to be legitimate traffic.
6. Doing it wrong is easy
A security consultant needs to identify all the ways to break into your system and fix them properly. The criminal only needs to find one mistake and you are in trouble.
There are many ways to limit the impact of a security compromise, but in the end it comes down to this: the bad guys have it much easier.
7. You have to trust someone
How do you know that you are not running an operating system with a built-in backdoor? Are you sure that there is no keylogger in your new computer? Is your mobile phone really switched off? Is your new database server really unbreakable?
At the end of the day you need to make a trade-off and decide whom to trust.
One benefit of open source software or algorithms is that you (or someone you pay) can look into the program code and try to find hidden backdoors or security problems. This is no guarantee that you will find all problems, but at least you have a chance.
Depressed now?
Don't be. By applying good security practices and constant work, you can avoid being low-hanging fruit for attackers.
