I assume that it's always possible to compromise our security somehow

November 9, 2016

It can be very easy to get into a stark, binary mindset when you think about security and security issues, one where anything that introduces a potential insecurity must be resisted with full force. This mindset is a mistake, because real security almost always involves tradeoffs and a balance of risks, but it can be easy to find yourself in it. One of my tools for resisting it is to always assume that we can be compromised by a determined attacker who is specifically targeting us.

This sounds silly and obvious and surely everyone does it, but for me its power is in turning a binary situation into one with shades of gray. Instead of the introduction of a potential security issue taking us from 'totally secure' to 'potentially vulnerable', the question becomes whether this will introduce a bigger or worse vulnerability than we already have, or whether the exposure it adds is probably mostly theoretical because real attackers will just pick on a more easily accessible weak point.

(You can flip this around when considering security measures to add to your environment. Are you reinforcing something that an attacker is already not going to bother with, or are you shoring up a current weak point?)

Or in other words, the question is not 'could we be attacked through this' (because the answer is very often 'yes, in theory'); the question is 'will we be attacked through this', or the closely related one of 'how much easier have we just made the life of an attacker?'

(Of course, there are reasons to not add even low-likelihood weak points. A target rich environment with a bunch of weak points helps attackers, since they don't have to work very hard to find something to attack. But you are presumably getting something from any potential new security exposure, so you can balance the gain against the extra security risk.)

At the same time, I want to throw cold water on myself here. The argument that something is a security tradeoff, that the security exposure it introduces is low, and that attackers will target something else anyway can be a convenient excuse for ignoring potential security issues in something I want to do. Security inevitably involves not doing things, and when I want to do something it's tempting to find a way to justify it (and I may not realize that that's what I'm doing).

Comments on this page:

There is a nuance to this that is sort of implied in your phrasing but it’s unclear to me how much you are specifically accounting for it here.

Namely, attackers aren’t going to have perfect knowledge of your vulnerabilities, so in a narrowly local sense, increasing your exposure has some of the nature of a binary secure-to-insecure transition: some attackers would not have found your much more easily exploited vulnerabilities, but will now find this one. And we’ve been seeing a trend of attackers chaining vulnerabilities together more.

Basically, while the risk calculus is never binary, it’s also highly non-linear. The question isn’t simply “how much does this increase our exposure”, but something more akin to “how much does this amplify our risk through other exposures (not just current but also unforeseen future ones)?” Much as in performance, it’s at best hard to reason about the behaviour of the system as a whole. So absolutism is not helpful, but conservatism is advisable.

Last modified: Wed Nov 9 00:04:26 2016