Is it possible to have a secure system?

Spoiler alert: I don’t think so.

If someone wants your information badly enough, and they have sufficient resources to spend on getting into your system, I think they’ll probably succeed.  Personally, I can’t foresee a day where we have all possible vulnerabilities blocked and accounted for – just as a matter of course.

I found an interesting post about this on c|net – talking about the latest big vulnerabilities that span operating systems and even platforms (mobile to servers).  Here’s a link to the post.  Their point was speaking more specifically to mobile platforms and the fact that it’s likely other flaws will be found.  This part caught my attention:

As for why Arm didn’t find the flaw itself, but instead only learned of it from security researchers, Segars said: “What this demonstrates is that the world of security is a moving target. Just when you think you’ve got things under control, something else comes along.”

I think this is true on a general basis – from software to hardware, security is indeed a moving target.  I think it takes mitigating known attack vectors and then actively working to plug issues that come up.  All of that has to have the underpinnings of a solid, best-practices-style system that puts in place the protections that are reasonable and helpful.

All of that is to say “Do what you can, protect everything, and stay on top of issues that come up.”

The whole “do what you can” thing includes things like protecting against injection, using anti-virus software, having appropriate security in place for usernames and passwords, using secure connections and conversations between systems.  But this isn’t enough.  As the article points out, the IoT steps in and things get really interesting.  You’ll have processing steps going on with data streaming in in-transit.  You’ll have all sorts of devices that present new and exciting (!) attack vectors for your systems.

Protect everything includes making information less valuable for those that may indeed breach your systems. This is where encryption of information at rest and other technologies to lock down information to prying eyes all come in.  If you make the information less useful, less valuable or more expensive to interpret, that’s a good thing.  Masked columns, encryption – those types of things make getting at underlying information in a useful way less possible, more expensive.

Stay on top of issues – that’s an easy one.  Get the security update newsletters, manage the third-party software updates, all of that.  These are things that come together to help you manage your risk.

In the future, I really don’t think we’ll ever have security perfection.  This means it’s a game of mitigation and protection and making information too expensive to steal.  It’s going to get more broad in terms of what you’re covering and higher stakes to do it right everywhere you can.

Challenging times for security!