Tuesday, February 27, 2007

are we winning, or losing, or have we already lost

a popular refrain from security folks these days is that we, the good guys, are losing or are fighting a losing battle... occasionally someone will say that we're actually winning, and others might even say that we've already lost...

all of these are wrong and here's why...

for starters let's look at what it means to win... what end results in security would indicate that we have won? naively, if we no longer had to think about security, if we could just set our security mechanisms and then forget about them and remain secure from there on out then we'd have won conclusively... that's not very realistic, however... how about instead if we continue to work tirelessly to keep things secure and in so doing are able to foil every attempt at breaching the security we've set up, every attempt at compromising the information we're protecting or exploiting the resources of our endpoints? that too sounds like a pretty conclusive win, however if we were able to take the possibility of mistakes and bad security decisions out of the equation like that then it's quite likely that the security decision making process could be replaced with an algorithm, which brings us back to the set and forget security mechanisms...

how about losing - what would it mean to lose? again naively, if our security failures become so bad that we are forced to just throw up our hands in defeat and stop using the technological resources we've been trying to secure then that would be a clear indication that we've lost... alternatively, if we continue to work tirelessly to keep things secure but fail most if not all of the time then that too would be a pretty obvious case of having lost... of course if we fail all the time, or most of the time, or even just enough that the value of our technological resources is no longer greater than the cost of our failures then, barring blind faith, it stands to reason we'd just throw up our hands in defeat and stop using those resources - so again it collapses to a single indicator...

neither of these sets of outcomes seems very likely... we're always going to have successes and we're always going to have failures... we're always going to have to keep working at security - and, because it's going to continue indefinitely, the very notion of winning or losing in the larger context of security as a whole is as meaningless as winning or losing at life... individual successes or failures cannot translate into winning or losing on the whole any more than having a good or bad day translates into winning or losing at life... security isn't a game and it's not a war; both of those things eventually end and security doesn't... whether you win or lose an individual battle (or many of them), the constant struggle that is security (like life) goes on...

and for those who decry the perpetual cat-and-mouse game we seem to be in and hold that up as proof that we're losing (or have already lost), consider this: if there is no perfect security (something many take to be axiomatically true) then we can conclude that for every measure there exists a counter-measure... since counter-measures are themselves measures we can conclude that for every counter-measure there exists a counter-counter-measure, and so on and so forth... given that (somewhat inductive sounding) conclusion, the cat-and-mouse game is the only feasible outcome - one or both sides would have to be either too stupid or too lazy to find/use the counter-measures available to them for it to have turned out any other way...

5 comments:

cdman83 said...

Security is a process, not a state.

kurt wismer said...

ok... that doesn't actually contradict anything i said, though... nor does it dispel the notions i was trying to dispel...

LonerVamp said...

I think you're right about my Art of War quote. I've adjusted my post to reflect that. Thanks a bunch!

LonerVamp said...

Yeah, it is interesting to wonder what we consider success. For instance, if we were to defeat the enemy and security was achieved, would we even be needed anymore?

I'm also not sure I would necessarily decry our state of being behind the attacker or being "out-innovated" as I've been reading a lot about lately. If the attacker wasn't innovating around our protections, conversely, what reason do we have to innovate on our end?

Even if I am offbase, it is all an interesting discussion. :)

kurt wismer said...

@lonervamp
"I'm also not sure I would necessarily decry our state of being behind the attacker or being "out-innovated" as I've been reading a lot about lately. If the attacker wasn't innovating around our protections, conversely, what reason do we have to innovate on our end?"

well, i wasn't thinking so much about the potential for us to lose our purpose (though i suppose there's a 'neo vs. agent smith' aspect to it) so much as just the inevitability of each side finding ways around what the other side is doing... it's not a failure on our part that allows the bad guys to find counter-measures, it's just sort of the way the world works...