Why the current computer security paradigm is analogous to fixing a leaky dam
I’m always trying to find new and innovative ways to explain the realities of computer security and hacking to people. It’s not that easy. Many people’s perspectives and ideas are “hard coded” into their minds, so they are very resistant to accepting new ways of looking at the problem. I hope you’re not one of those people.
I’m sure everyone recognizes that a leaky dam is a problem. When a hole appears, it needs to be fixed. The people maintaining the dam will come up with innovative ways to prevent leaks, such as self-sealing coatings or reinforcing certain weak spots. But water is very powerful and sometimes a hole appears despite these measures. Those maintaining the dam will implement a special leak detection system and hire a staff to monitor the system 24 x 7, so they can respond to leaks in an expeditious manner, to prevent a leak from getting bigger. But the bottom line is that leaks are still developing. Countless time, money and effort will be spent trying to prevent, detect and fix leaks, but does anyone ever stop and think that perhaps they are going about solving the leak problem in the wrong way?
Do you know what the people in my example are doing wrong?
The problem in my example is not really the leaks, it’s the dam itself. The dam wasn’t engineered or built properly, so it leaks. Everyone accepts the fact that the dam leaks, so all the countless time, money and effort spent addressing the leak problem is justified. The way to solve the leak problem is to re-engineer and/or rebuild the dam. But wait a second… All the people who engineer, build and maintain dams will tell you that it isn’t possible to develop a leak-proof dam. Really? Is that the ground truth? Is there no one in the universe who can engineer and build a leak-proof dam?
People are spending countless time, money and effort trying to secure computer systems. They purchase all kinds of “bolt-on” security and monitoring tools in an attempt to prevent, detect and respond to compromises. Sometimes these things work, but mostly, they don’t. Are we really going about solving the computer security problem in the right way? I don’t think so.
Are you not convinced that what I say is true? Want to learn more about why we’re going about solving the computer security problem in the wrong way? Read my book!