With the reports of yet another MASSIVE data breach of Facebook, it’s important to understand the true nature of security: it’s not a thing… not a binary ‘secure or not secure,’ but a process. It’s not something you have or get — it’s a thing you do and keep doing as time and the world evolves.
Like a Heist Movie
If you’ve seen any of the Ocean’s movies, or The Thomas Crown Affair, or the Halloween episodes of Brooklyn 99, you know that many things are built up as being “impenetrable” but are then broken apart as a series of small flaws, and then exploited perfectly in series to get the thief their prize. Real world security works the same way. There’s a reason banks run their security cameras at night: they know that their locks are good, but not perfect. Also, most banks have easily breakable windows and aren’t directly next to police stations. Every system has flaws, and that extends to the Internet as well.
Plug One Leak
Software is often viewed as a monolith, but it’s really like a clock or a car engine, with tons of small pieces. And like engines, they’re mass produced, often under strict time pressure to get results. This, coupled with the fact that software is written by people, and thus is impossible to make perfect, means there are always flaws. There are countless stories of bugs getting fixed only to create worse bugs down the road that are harder to fix, until finally there are massive rewrites or other changes. Every update fixes problems but probably also creates new ones.
Zero Day
There’s a term in cyber security called a “zero day,” which describes a vulnerability in hardware or software that hasn’t been widely disclosed to the public or the creators of the software. These are the exploits that some hacker, group, or government figured out but are keeping hidden. Zero Days for major things like Windows or phones are worth tons of money, because the longer it remains hidden and not fixed, the more the attackers are able to use it on valuable targets. There are entire companies whose businesses are acting as brokers of these vulnerabilities, buying them from less-than-ethical security researchers and lone hackers for tens or hundreds of thousands of dollars, and then licensing them to governments or law enforcement agencies for millions with the promise that they’ll keep it secret and exclusive. It’s rumored that an Israeli security company has secret methods for unlocking iPhones and other devices, which they performed for the FBI to unlock the San Bernardino iPhone Needless to say, there’s a LOT of money in finding the mistakes in software.
A Process
Security is not a state. You can “secure” things, and things can be “secured” or “unsecured,” but the entirety of a system is impossible to secure. If you wanted to make a computer impossible to hack, you’d line it with lead, submerge it in concrete, and dump it in the ocean. That would be secure, but impossible to use. Security is the process of finding the balance between things that make something less vulnerable and more unusable and easier to use but more likely to have flaws.