The Fallacy of Perfection

This is one of those posts stating the obvious. At least, it's obvious to those who are in the know. If you're not in the know, it may not actually be that obvious.

The environment that security professionals and technologists operate in has changed dramatically from that of five or ten years ago. Where once we used VMs on-prem, we now use cloud instances. Where once we used OS images to ensure consistency of application builds and control baselines, now we use infrastructure-as-code and containers (where we can, of course: many systems continue to run on virtualised servers or bare metal).

The organisations we serve are also changing. Whether you're in the public or private sector, the needs of organisations morph over time and with them the way they do things or the things that they do. This means more technological change since virtually every modern organisation is heavily reliant on IT.

And so in the technology space, we see applications being changed, systems being added, and our technology estate growing (very rarely do they shrink, of course, as the status quo usually needs continual support while new systems are brought in, and turning systems off is risky). With more and more systems comes more and more complexity: networks grow, firewall rules are added for new applications, VPNs are added for remote working, direct links perhaps for the cloud, and so on. The software picture also expands in complexity: more patching, more configuration management, and more attack surface to monitor and minimise.

The classic view of security, and the word "secure", is a castle. Nice high walls, solid gates, a wide moat. Something that looks the part and keeps your classic attacker out. If the enemy is perceived to be stronger, the walls must be built higher, or thicker, ad infinitum. The enemy is always outside, and our safe assets and trusted people are always inside. The "castle" may be represented as a network with a firewalled perimeter, an identity domain with an authentication token denoting your in-or-out status or something else.

This model, which aims for perfect defence, is impossible to reach in cybersecurity. It just is.

Whereas castles were built from stone, technology defences are built using bits and bytes whose state is fluid: configurations are updated, the software is patched, and the attacker can subvert bits and bytes too. They can also subvert the people operating the defences, as in phishing and other social engineering attacks. Add to that the ever-growing size and complexity of what you're defending, and the fact that the business needs to be able to move data around.

The obvious point I'm making is this: "100% secure" is impossible and impractical. If that's what you're aiming for, you are wasting your resources trying to reach it.

Instead, aim for adequate security. "Adequate" means we protect the business from enough risk without going overboard, and of course what counts as "enough" will vary between, for example, a nuclear power station and an e-commerce business. The point is, rather than the security team solely defining the requirement of how secure we must be, the business must also have a stake in the decision, as it funds security and feels the impact (or not) of any gaps.

We need knowledge about our own systems and business. What risks does the business face if a particular system is compromised? What could attackers stand to gain by attacking our business? Some systems and even businesses in this context have very little interest to an attacker.

We also need to know our weak spots. For those systems that *do* carry consequences if they suffer a successful attack, where are their vulnerabilities? Are they configured correctly? Are they hosted on a secure network? Do they require authentication? And so on.

The central theme here is risk. Risk is the likelihood of something bad happening combined with the impact that would have on you. To assess it we draw on the knowledge above: what the attacker is doing, what they are attacking, what that could mean for our business, and what security weak spots it has.
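To make the likelihood-and-impact idea concrete, here is a small added illustration (not code from this post, and not the author's Threat Modelling framework): a qualitative risk register that turns the weak-spot questions above (exposure, authentication, configuration, patching) into a 1-5 likelihood score, multiplies by a 1-5 business-impact score, and ranks the systems. The inventory, the scales and the weights are constructed assumptions; the "appetite" threshold is the number the business, not the security team, would set.

```python
"""Added example: a minimal qualitative risk register.

Not the author's method. Scales, weights and the sample inventory are
constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class System:
    name: str
    impact: int              # 1-5: consequence to the business if compromised
    internet_exposed: bool   # "Are they hosted on a secure network?"
    requires_auth: bool      # "Do they require authentication?"
    config_reviewed: bool    # "Are they configured correctly?"
    patched: bool            # known weaknesses addressed


def likelihood(s: System) -> int:
    """Derive a 1-5 likelihood score from the weak-spot questions.

    Assumed weighting: internet exposure counts double because it widens the
    pool of attackers; every other gap adds one. Capped at 5.
    """
    score = 1
    if s.internet_exposed:
        score += 2
    if not s.requires_auth:
        score += 1
    if not s.config_reviewed:
        score += 1
    if not s.patched:
        score += 1
    return min(score, 5)


def risk(s: System) -> int:
    """Risk = likelihood x impact, on a 1-25 scale."""
    return likelihood(s) * s.impact


def ranked(systems: list[System]) -> list[tuple[str, int]]:
    """Highest risk first; sorted() is stable, so ties keep inventory order."""
    return [(s.name, risk(s)) for s in sorted(systems, key=risk, reverse=True)]


def above_appetite(systems: list[System], appetite: int) -> list[str]:
    """Names of systems whose risk exceeds the business's stated appetite.

    Everything at or below the threshold is 'adequately' secured for now;
    effort goes to the list returned here, not to chasing 100%.
    """
    return [name for name, r in ranked(systems) if r > appetite]


# Constructed sample inventory (not real systems).
INVENTORY = [
    System("customer-db", impact=5, internet_exposed=False, requires_auth=True,
           config_reviewed=True, patched=False),
    System("marketing-site", impact=2, internet_exposed=True, requires_auth=False,
           config_reviewed=False, patched=True),
    System("internal-wiki", impact=1, internet_exposed=False, requires_auth=True,
           config_reviewed=False, patched=False),
    System("payment-gateway", impact=5, internet_exposed=True, requires_auth=True,
           config_reviewed=True, patched=True),
]


if __name__ == "__main__":
    for name, r in ranked(INVENTORY):
        print(f"{name:16s} risk={r:2d}")
    print("above appetite (8):", above_appetite(INVENTORY, appetite=8))
```

Two things the numbers show that the prose alone does not: a high-impact system with few weaknesses (customer-db) and a low-impact system with many (marketing-site) land on the same score, so neither axis can be ignored; and moving the appetite from 8 to 10 drops both of them off the work list, which is exactly the trade-off the business has to own.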

Security is not about perfection. In a world of ever-growing complexity and overworked security teams, perfect is most definitely the enemy of the good.

To find out more about how to easily quantify cyber risk in your applications and technology infrastructure, read my other posts here on Threat Modelling. It is a framework that delivers consistent results in a format everyone can understand, and a method that boosts security awareness in your organisation at the same time.
