Are you feeling lucky?

Sat, Apr 8, 2017

tech #security #luck

How lucky do you feel today? It’s an important question as your IT security is probably mostly down to luck.

If we examine most ‘hacks’ we usually see the organisation hit issuing statements about ‘sophisticated hackers’ and the public image of hackers, as lone genius’s wearing hoodies in darkend rooms is re-enforced. In fact most attacks are perpetrated by far less skilled people and succeed by luck. That’s not to say there aren’t some super skilled experts out there, but they are few and far between.

What I mean by luck here is simply a factor of the complexity of IT systems. Every single IT system that is in service today has some form of known or unknown security weakness. My evidence for this claim - is simply history - just look at the list of security issues found and you’ll discover pretty much everything has problems. There are lots and lots of security improvements going on in the IT industry, but in parallel we’re building more and more features, this means that the overall risk is at best level, or even getting higher.

When we see a system being hacked, normally it’s because someone has found one of these weaknesses. The process of finding a specific weakness, against a specific organization is mainly luck. This is how phishing works, send a million emails, some of them bite and those are the people who get hacked/defrauded. The same is true for more sophisticated attacks - in many cases finding a certain website is vulnerable to an attack & exploiting it is down to the luck of the attacker.

Some people argue we can fix all these attacks, by a combination of good tools and practices. I’d disagree. If we look at hacks on websites - the main ways to hack a website really haven’t changed for 15 years, all of them are solvable, yet developers keep shipping websites with these issues. Why is this - it’s because most software is too complex to understand, and thus secure. Even with the best tools, process things get through, and most people building websites don’t have those, they simply have a limited budget and deadline to get the website launched.

If you gave me an infinite security budget, the best engineers, security analysts etc - I still could not build, a non trivial, system that was 100% guarenteed to be secure. We could build a system with great defense in depth, the best security tools - but there would still be some unknown bugs/defects in it, and with luck an attacker could beat it. However I can build a system where an attacker has to be very lucky, and even if they are lucky there is a very high chance they’ll get caught. I’d argue that is what one should focus on when designing a solution.

That’s not to say you can’t make your own luck, both bad and good. You can certainly increase your risk by not being aware of security, for example take the UK bank using sequential card numbers that let people guess the account details - that is simply negligent. You can reduce your risk by

  • Constructing an ‘attack tree’ detailing what your are trying to protect and how you are doing it
  • Training development teams and ensure they practice secure coding via processes & tools
  • Assembling a defense in depth strategy - make sure your not relying on a single security system/approach to stop each attack
  • Having robust monitoring and incident reponse plan so that when the worst does happen, you can limit the damage
  • Designing into your systems techniques to mitigate the damage from a successful attack, e.g. ‘break one, break only one’ - where you make sure hackers have to break each asset (account, database record etc) seperately. This means they don’t just have to be lucky, they have to be lucky repeatidly!

Overall Luck is a big factor in a hack succeeding. Next time you see Bank XYZ or Shop ABC has been hacked, don’t just assume either the hackers are super smart, or they’ve been incompentent. Instead remember that even the best systems can be beaten if the hacker gets a lucky break. However you should judge very harsly those companies if they aren’t ready & able to notice the breach, respond, communicate to customers and deal with it. Next time it could be your system - are you ready and prepared?