Ibland kan man sticka ut huvudet lite, vilket jag gjorde för en 10 år sedan, då jag skrev om moder natur och kritiserade idén med proaktivt säkerhetsarbete. Menat mest för att få folk att tänka, snarare än att slå fast några teser. Varsågod! Ja, det är på Engelska.
Why won’t we ever get rid of vulnerable software and hardware? What does it take to make everything perfectly secure? Most people I ask those questions respond by saying it cannot be done and I think they’re right. But why do we still act as if there was a way to make all security problems go away?
I think there are a lot of different reasons that causes us to push forward to remove all risks by being “proactive”. To be proactive is thus to solve any problem before it appears, right? If so, why do we need early warning system to be proactive? Just let that sink in for a moment.
If you detect a problem before it gets critical, you’re not really proactive. You’re reactive, but reacting in time. The word “proactive” means to “(…) initiate change rather than reacting to events.” 1) In order to be proactive, you cannot ever look at any values or logs, because the moment you detect that something heading the wrong way, you’re reacting to an event. The only true way to be “proactive” is to be Nostradamus. And his track record is … well … almost entirely wrong.
So, what’s the point of this discussion? I’m not trying to discourage early detection of problems or forward planning. Those two factors can really increase reliability and uptime for any system. The problem is that we see any problem “getting through” as a total failure.
Good security involves protecting a system in proportion to the loss a compromise would cause. This is in many of the security books you can read. By implication, a sound security plan accepts that enough resources spent by an attacker will give them a good chance to actually succeed. This also means giving up the pipe dream of never getting hacked or having a system failure.
If Mother Nature applied for the position of system administrator, no one would hire her.
– ”So, how would you make sure the network can handle an intrusion?”
– ”I would let it happen and let the devices that survive remain online afterwards.”
Not exactly what you want to hear from your system administrator? Still, that’s how it’s done in reality. When an intruder is successful, smart people learn how it was possible for the intruders to get through and then they adapt their infrastructure to cope with the new situation. And sometimes they still get hacked again, until their security is good enough to stand the test of time. But this cannot last either, because any security stance will weaken over time. So the cycle repeats as long as there are enough dangerous risk agents around. There is a reason risk management plans include terms such as “annual rate of occurrence” and “single loss expectancy”. Security planners actually expect attacks to be successful more than once in the life time of an organization. With as little exposure of vital systems as possible, smart and fast detection of attacks, forward planning (this is as close to “proactive” you get in reality) and reduction of complexity of the systems; you can mitigate your risks. But eliminating them? Please! Not even Mother Nature would try to do that! Instead plan ahead and learn how to survive when it happens while still upholding a good security regiment.
Anyone talking about “zero tolerance” or “proactive security” is either blind or not telling you the truth.