In defense of “Good Enough” security


Given enough time and resources, every security technology is breakable. But for most people, it doesn’t take perfect security to become considerably more secure than average. Security wonks like me often give lists of ways to lock your system down against all but the most determined adversaries, but in truth just taking a few big steps towards better protecting our data is enough. As long as they’re the right steps.

We can all think of some security technology that has been declared “dead” or that is widely proclaimed to be unsafe: AV is “dead”. Passwords are “dead”. Using text messaging for two-factor authentication should be killed off. Biometric scanners on phones are “broken”. But does this really mean that these technologies should be abandoned? In my opinion, they should not. And by waxing hyperbolic about their demise, we’re decreasing security overall.

The security industry is a bit of an odd duck in this regard: We have conferences devoted to showing how all manner of things can be broken with enough time, effort and skill. Can you imagine a medical conference dedicated to finding and publicizing how medical devices could be used to injure or kill patients? While exposing potential vulnerabilities can certainly be helpful in improving products, especially where those vulnerabilities are not obvious, all too often we use those vulnerabilities as a reason to abandon whole classes of products.

In fact, seatbelts only reduce crash-related injuries and death by half. One hundred and thirty people need to take cholesterol-reducing statins for a year to prevent one unwanted health outcome. If these results were for security technologies, it’s likely they would have been declared dead right out of the gate. But as part of an overall risk-reducing strategy, they can both be quite helpful in decreasing your risk of premature death or serious health consequences.

No one would suggest that you wear your seatbelt and drive like a maniac, or take statins and gorge on junk food. We all know that we need to reduce our risk in a variety of ways. Security and health are similarly technical and confusing to lay people, but our tactics for prescribing safe behavior in each case are often wildly different. It’s usually considered good advice to recommend people take small steps to improve their health, like driving at a safe speed and distance from other vehicles, or eating less and moving more.

While some people will suggest that we’ll all die horrible deaths if we don’t completely abandon sugar, carbs, fats, meat, gluten or whatever the evil-ingredient-of-the-day is, most people realize that this advice is unrealistic. Mandating draconian diet changes will cause more people to throw up their hands in frustration than to improve their health. Likewise, by advocating that people use only the most secure (or more likely not-yet-broken) technologies, we push them to chase after a shrinking list of increasingly obscure and onerous ways to protect themselves.

Better outcomes

Even as a security professional who “knows better”, I generally don’t walk around with my systems and accounts locked down like I’m permanently on the DefCon network – because, frankly, the inertia would be so great that I’d never get anything done. I understand that most technologies are broken or are potentially breakable. What I do (and what I recommend to most people) is to use technologies that are a reasonable improvement on “out of box” settings, but which don’t impose a significant hassle.

This sort of moderate risk-reducing recommendation is obviously not sufficient for businesses, or our most sensitive data. But for the average person who is using their home machine or home network, “good enough” security is just that. Convenient security measures will trump perfect security that is never used. And in my next post, I’ll discuss a few things that I would include in that category of beneficial and convenient security measures.

Copyright © 2016 IDG Communications, Inc.
