Perhaps the wisest words on the matter of security were spoken by David Lightman (played by Matthew Broderick) in the 1983 movie WarGames: “I don’t believe that any system is totally secure.” Such thinking drives hackers, and it should drive companies (in a different way, of course). Unfortunately, simply piling on more and more sophisticated countermeasures to thwart attacks can create as many problems as it solves.
From Simple to Complex
After discovering recently that one of my personal websites had been hacked, leaving a small but stubborn link to (presumably, anyway) a site selling pharmaceuticals, I learned several lessons. First, even with strong passwords and no obvious mode of outside access, connected systems are vulnerable. Anything that has a link to a broader network is a potential target for attack (and even unconnected devices may be at risk). Second, I learned that complexity can be a hacker’s best friend. Eliminating the offending link required finding a little snippet stuck in pages and pages of code across many files. Unfortunately, the hacker (probably a bot of some sort for this type of unsophisticated attack) didn’t leave a comment saying “// pharmaceutical ad here, courtesy of Cheap Pills R Us.” Fortunately, however, I seldom update that site: I was able to narrow down the search to a single file that had been updated recently (too recently), and the code contained an inscrutable yet painfully blatant string of characters—likely an encoded URL or something similar.
But my experience was relatively painless, albeit a little annoying—I didn’t lose important data, and no real harm was done, except the cost of some time to find and remove the offending code. For many companies, much more is on the line: customer information, research data and trade secrets, and potentially millions of dollars of business. Furthermore, companies employ networks and systems that are far more complex than a basic website, and there lies one of the problems. In addition to the greater incentive for a hacker to break into a major organization’s network, the complexity of the security apparatus can create unique and unforeseen opportunities for attack.
The problem with an extremely complex security system is reasonably obvious if you think about it, but it may be helpful to consider a somewhat similar situation: reliability. When building an airplane, for instance, engineers will add redundancy to the various systems to ensure that if one fails, a standby system is ready to take over. One might think, on first glance, that the engineers could achieve almost any reliability level they wanted simply by adding more and more redundancy. But the problem is that in addition to just the redundant system—say, rudder control—there must also be a system that manages the transfer in the event of a failure. But even that system is subject to failure and may require redundancy. The gist of the matter is that beyond a certain point, additional redundancy can actually harm reliability, contrary to what intuition would dictate.
Likewise in security, there’s a certain value in outsmarting an attacker. Yet as a security solution becomes more complex, a number of problems can arise. Amit Yoran of security firm RSA said, “Unfortunately, complexity is very often the enemy of security. If it’s a content-rich and interactive Web site, it only takes one simple slip for the site to be hacked.” He spoke here in terms of the complexity of what is being protected, but the same reasoning applies to the security itself. The following are some potential concerns that arise with security as it expands:
- More people involved. As a security solution becomes more complex, you’ll need more people to implement and maintain it. Knowing everything about every IT system a company employs is practically impossible, so a team of professionals is necessary. Further complicating the matter is the use of outside help—which may be the best option in some cases, but it still adds more links to the chain.
- More countermeasures. Firewalls, intrusion-detection systems, malware detectors and on and on. How do all these elements work together to protect a network without impairing its performance? Should they all come from the same vendor, or is it better to assume that no one does everything well? Whatever the case, just managing all these elements—to say nothing about successfully accomplishing their particular tasks—is a daunting job.
- More attacks. Even if you secure your system against every known avenue of attack, tomorrow some enterprising hacker will find a new exploit. Does your security implementation enable fast and easy updates, and will those changes, over time, upset the balance you’ve struck between performance and protection? Will your employees seek to work around the security because it is so bloated that it makes their jobs difficult?
- More automation. Removing people from the loop can solve some problems, but like a redundancy-management system in the context of reliability, doing so adds another layer of complexity—and possibly a new avenue of attack.
According to an AlgoSec survey of 127 IT security professionals, more than half cited “complex and/or conflicting security policies, such as firewall rule sets, router ACLs, IPS configurations, etc.” as leading to a security incident and/or outage at their organization. And these are just one aspect of security.
The problem is clearly difficult, so what’s the solution? Going overboard on complexity is not only problematic from the perspective of success, but it’s also expensive. Mark Samuels said at ZDNet, “Such is the cybersecurity threat that it would, in theory, be possible for CIOs to dedicate most of their IT budget to building impregnable defences.” Like insurance, however, security seems like a waste of money—at least until some (hopefully rare) incident proves its value. And determining the right level of that “insurance”—to say nothing about winning approval from the C-suite, is a tough problem. Funds invested in security can have a return, but only in the sense of stemming losses—not the kind of positive return that, for instance, R&D can yield.
Furthermore, a transparent security solution that a company’s IT personnel can understand and even modify seems much better than a black-box solution whose inner workings are mysterious. Yet, like a modern computer with all its monolithic integrated circuits (containing nothing you can repair or modify with your soldering iron!), simplicity can often come at the expense of capability. So, complexity is not something that is necessarily to be avoided, but it’s something that must be balanced—as in so many engineering problems (and life in general).
Ultimately, however, like with the problem of reliability, the complexity of IT services and the required security may reach a point of diminishing returns. The constant threat of hackers may make some services—although feasible in theory—impractical owing to the risks. With the growing number of high-profile hacking cases and the threat from voyeuristic government agencies, that limit may be in sight.
In the early days of the Internet, when websites were a couple pages of fairly simple HTML, hacking was at most an annoyance—and certainly nothing that offered much potential return, except in relatively rare cases. Today’s complex networks create greater challenges but often leave even greater holes, and the rewards for a successful attack are much larger as well. In some sense, sophisticated security is required to repel sophisticated attacks, but that sophistication can be its own enemy. That’s not to say there’s an easy answer, but the first step is to recognize the problem. Sometimes, simplicity is superior: perhaps, for instance a little cooking wisdom and a good old cast iron pan that you can dunk, beat up, scrape up and overheat—yet still expect decades of service life—is better than an Internet-connected gizmo that you’ll have to chuck when the non-stick coating inevitably begins to peel off. Yet blind Luddism is no alternative; IT is at the heart of many industries, and consumers demand a growing number of services. Finding the right balance in security is a task—and one that will probably always evolve rather than ever being finally solved.
Leading article image courtesy of Patrick Hoesly