What does it mean for something to be “secure” in cybersecurity? Presumably, it means that a system is protected from 100% of the bad things that can happen to it. Is 100% protection realistic? Is it even possible? Unfortunately, the only way to prevent 100% of the bad stuff is to also prevent 100% of the good stuff. In other words, it means turning off your computer, eliminating human interaction, and locking down the system¹. The reasons for this disappointing reality might be more complex than you expect.
One of the biggest obstacles to achieving “total security” is how quickly technology evolves and how quickly threats spring up to take advantage of it. Threats emerge with every new software program, mobile device, and other new technology, and it takes time to develop defenses that protect against them. New technologies are never perfect, and their errors bring new, unseen vulnerabilities, creating a perpetual cycle in which innovation is inherently met with new exploitation.
Human behavior is another reason why total security is not attainable. A good portion of the hacking that happens today exploits a technology that is fine by itself but is not used correctly by users². For example, no matter how secure a system’s password component is, weak passwords, reuse of passwords across sites, or sharing passwords with others destroy the security of the system. Another good example is updating the software on systems. When a vulnerability in a program is found, the vendor will typically release an update to fix it. But if the humans running the system don’t apply the update, the system remains vulnerable. This happened with the Equifax breach, for example.
Another reason why security is hard is that certain truths are baked into the mathematics of reality. For example, it has been proven that a computer program cannot classify all other computer programs. In other words, there will never be perfect security software that can perfectly tell whether a program is a good one or a bad one (e.g., ransomware or spyware). This means that the bad people who write evil software and the good ones who try to stop it will always be in an arms race.
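The self-reference argument behind that result can be sketched in a few lines. This is an added example, not code from the original post; the detectors, action labels and function names are hypothetical, the "programs" only return a label and execute nothing, and detectors are assumed to be deterministic.

```python
from typing import Callable

Program = Callable[[], str]            # a program reports the action it "performs"
Detector = Callable[[Program], bool]   # True means "this program is malicious"

BAD_ACTION = "encrypts-user-files"     # constructed label only; nothing is executed
GOOD_ACTION = "prints-hello"


def build_contrarian(detector: Detector) -> Program:
    """Build a program that asks the detector about itself, then does the opposite."""
    def contrarian() -> str:
        if detector(contrarian):       # detector predicts "malicious" ...
            return GOOD_ACTION         # ... so the program behaves harmlessly
        return BAD_ACTION              # detector predicts "clean", so it misbehaves
    return contrarian


def outcome(detector: Detector) -> str:
    """Report how the detector fails on the contrarian program built against it."""
    program = build_contrarian(detector)
    try:
        verdict = detector(program)
        actually_bad = program() == BAD_ACTION
    except RecursionError:
        # A detector that decides by running the program ends up running itself forever.
        return "never answers"
    return "misclassified" if verdict != actually_bad else "correct"


# Hypothetical detectors, from naive to "just run it and watch".
def flag_everything(_program: Program) -> bool:
    return True

def flag_nothing(_program: Program) -> bool:
    return False

def flag_by_name(program: Program) -> bool:
    return "contrarian" in program.__name__

def run_and_observe(program: Program) -> bool:
    return program() == BAD_ACTION


if __name__ == "__main__":
    for d in (flag_everything, flag_nothing, flag_by_name, run_and_observe):
        print(f"{d.__name__:16} -> {outcome(d)}")
```

No detector passed to `outcome` can ever come back as "correct": whatever verdict it gives, the contrarian program does the opposite, and a detector that tries to avoid guessing by executing the program never finishes.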
In this blog post, we have only talked about what we can’t do. But don’t be depressed or discouraged! The good news is that there is a lot that we can do! Crimson Vista aims to empower and enable consumers and organizations to better navigate the digital seas. In our next blog post, we will talk through some of the tricks that can significantly increase security posture even if perfect security is not a possibility.