The Misunderstood Myth

THE MISUNDERSTOOD MYTH

Let me get flamed here, there will never be total security. How can I say this when elsewhere I have slammed others for saying this (see here)? Simple, I stand by both statements as I believe both are true. You see, I do not think that we should ever settle for or be happy with less then 100% security, but the chances of us getting to that level without hard work are slim. Note that I did not say impossible, but slim. And note that I said that we should all aim for that slim possibility. So what stops us from getting there?

Ghosts in the machines
It may help if you relate your network to the idea of a biological entity. Think of any living creature (what you choose is up to you ... and the operating systems you run). Seriously though, think of a person. Why do people carry on catching colds? Why has this virus had such a hold on mankind?

The arms race
One reason is that the cold virus mutates. Mankind beats it in one form, but it changes in order to beat our new defenses, and thus the cycle repeats. You see in a static environment, once a threat has been conquered, it stays conquered. But in an environment which is subject to change, the threats can attempt to change to effect their version of survival. Look at computer viruses, anyone who has been around computers for a couple of years has seen how viruses have evolved, and can see that they also have not finished. We fight a continual arms race to prevent outbreaks and to stop viruses, just as they exploit new attack vectors in order to spread

Human stupidity
Another reason humans always suffer with the cold is that we put ourselves in the situations which are conducive to contracting the virus. We go out in the cold, we do not take proper preventative measures (vitamins, etc), we hang out with people who are sick, and it carries on. Is it any wonder than that we get sick. The same goes for networks, if users (at all levels) disregard proper processes (open cute email attachments from people they do not know), make uninformed choices (switch off the anti-virus because it slows their PC down) or download those cool tools to speed up your bandwidth ( .. always off those very questionable sites). If the users on your network do this, you will always have problems.

Ultimate authority
What also contributes, is when those who know best do not have the final say. If your doctor says that playing rugby in the rain will cause you to catch a cold, but your coach says that you will play or else, guess what.. you will probably catch a cold. Relate this to a previous example, you tell your users do not switch your anti-virus off, but the CEO tells the company to do it in order to try and up productivity by making the machines faster. Then guess what.. you have no defense when a virus enters your network

Progress
Also a reason is the changing world, this is different to the "arms race" in that it is not the threat that adapts, but the environment changes making an old threat more dangerous. Take for example a city, if you have one person with a cold, going to work in a large company, getting on a bus, etc. This person could infect hundreds of people, whereas in more primitive times, the same person would not have had as much contact with other people. In the IT world think of wireless, the explosion of wireless networks have made many old threats (which many professionals had almost written off) take on a whole new life (clear text protocols, traffic sniffing, etc). As long as technology progresses and as long as the progress is driven by the need for "cooler" features, we will always find old threats growing new teeth.

Give up now?
I suppose I can make it seem rather hopeless. That is not my intent, rather I just want people to understand that a 100% secure network today, can be rendered vulnerable by tomorrows exploit, that we must never rest on our laurels because things change, they mutate, they grow, and all this change means we have to adapt our countermeasures. We can make our networks secure, we just have to work a lot harder at doing it then most people think or are comfortable with. So be realistic. Let me end with this quote..

"The price of freedom is eternal vigilance" -- Thomas Jefferson