There is no such thing as Internet Security

During the course of the last months, we have seen frequent news of security breaches, with many websites falling victims of malicious attacks. While this by itself is not a news, the frequency and scale of this kind of attacks hardly passes without notice.

Sony’s example is probably the most visible example of this trend, as Kevin Mitnick points out.

I lost count of all the Sony attacks. CORRECTED: Sony Scoreboard: Hackers 12, Sony 0, Source: http://tinyurl.com/6dcugje

— Kevin Mitnick (@kevinmitnick) June 5, 2011

But they are not the only ones: the attacks on Citigroup and security company RSA are even more alarming. If even those companies that should be dealing with security issues every day are not impenetrable, chances are everyone’s data is at risk. Or, at least, that’s the message that most of the newspapers appear to be conveying.

While it’s easy to dismiss those people as fools, those facts should teach us something different: there is no such thing as a secure system.

As Bruce Schneier wrote in this afterword to Little Brother,

[…] it’s impossible to prove that something is secure. All you can do is try to break it. — if you fail, you know that it’s secure enough to keep you out, but what about someone who’s smarter than you? Anyone can design a security system so strong he himself can’t break it.

In addition to that, any organization that has to deal with security on the Internet, has to deal with two additional additional factors: numbers and skill.

The number of people and the resources they can invest on building, securing and testing their systems are and will always be lesser than what some communities will be able to assemble.

And even if they have a team of 50 full-time employees working on their security infrastructure, it is not unlikely that some kid some day, by dedicating 15 hours per day to his passion for security systems, will be able to devise a way to penetrate a remote system.

So, should we just do what we can and hope for the best? I don’t think so, but we should probably invest more time than we do now to handle the possible consequences of our systems being compromised (e.g. partitioning critical data, early breach detection, faster recovery). Again, we should prepare to deal with the fact that our systems may fail.

Again, we often spend a lot of effort trying to make our systems as hard as possible to break in, but we neglect to take the proper measures to make sure that, whenever that happens, we are able to contain damage and be rapidly up & running right afterwards.

Why else would it have taken so long for Sony’s to reopen the PlayStation Store ( almost 1 month)?