Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Risk Management

Can You Mitigate Against Mission Impossible?

Focus on the Countless Manageable Vulnerabilities That You Can Control and Protect Against

Focus on the Countless Manageable Vulnerabilities That You Can Control and Protect Against

Back in the 1990’s, I was involved in a discussion about how an individual could deal with Van Eck monitoring, where an attacker captures the contents of your screen from outside the building. My take was that if your opponent has a surveillance team in a van full of special equipment parked right outside your house, your only realistic option is to run and never look back, in hopes of starting a new life elsewhere. Perhaps this scenario is a bit dramatic, but it illustrates an important point. We spend a lot of time thinking about and trying to mitigate threats that are so extreme you are basically already doomed if they are ever used against you. You can’t mitigate against Mission Impossible-style attacks, because whatever you try to prevent, they always have another way of getting at you. 

More recently, I have seen this kind of error surrounding facial recognition on phones. It feels like almost daily, a security researcher somewhere comes forward to demonstrate how they were able to make a realistic mask that can fool the biometric reader. While that is a possible attack, anyone who could do that can also watch you type in your passcode, or simply have a goon grab the phone out of your hand while it is unlocked. Those are both much simpler, less expensive, and more common attacks, yet too many of our security priorities are targeted on preventing more doomsday-like approaches. In my mind, the facial recognition capability is already far from being the weakest link in your phone’s physical security.

Some other too-big-to-mitigate scenarios would be: surveillance attackers with universal global network visibility, attackers who control a majority of all Tor nodes, or stuxnet style malware written just for you with multiple zero day vulnerabilities. Typically, these attacks assume a major nation state actor highly focused on your organization. Super-resourced and motivated attackers always have more than one way to get at you. There are always more methods of attack available to these kinds of adversaries than can be plausibly considered or mitigated. For the typical organization, this is like being attacked by the Borg, “Resistance is Futile.”

Once we realize that those attacks, and more importantly those kinds of attackers, are effectively impossible to mitigate, we can spend our limited time and treasure focusing on more realistic and manageable scenarios. By realizing that we are doomed in the face of the monster attacker, we are free to reallocate our efforts where they will really matter. Let’s face it, few organizations are even covering all the basics, so effort spent on the super-attacks is wasted if easier vulnerabilities are still available. It is like putting a vault door on a cardboard box. Mitigations like multi-factor authentication, password managers, patching, backups, VPNs, disk encryption, and logging are all far more likely to cause damage to an organization and could be used by any attacker, not just the highly resourced ones. Despite the excitement surrounding flashy attack methods, in practice it is often failures in security basics that take down major organizations.

To illustrate this logic, consider that I don’t spend any time trying to mitigate against assassins attempting to hack the electronic controls of my car. Far before that, I should start investigating a mitigation for an inexpensive hitman with a rifle, a far more likely scenario. There is a useful concept in cryptography called “rubber hose cryptanalysis,” which simply means beating the password out of someone who knows it. It is cheaper and faster than brute force cryptanalysis almost every time.

There are cases where this does not apply. If you are part of a global evil organization like SPECTER, then you can expect 007 type attacks and would need to try to mitigate them. If you are running a weapons-grade nuclear enrichment program, then you can expect massively resourced nation-state attackers. However, it is not worth dealing with the complex movie plot attacks if you effectively left your doors unlocked.

So, take a deep breath and relax. If there are situations where you are simply doomed, don’t worry about it. Just focus on the other countless manageable vulnerabilities that you can control and protect against. Then at least you are secure against conventional threats, unless and until the nuclear cyber bomb falls on you.

Written By

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Risk Management

A threat-based approach to security often focuses on a checklist to meet industry requirements but overlooked the key component of security: reducing risk.

Risk Management

CISA has published a report detailing the cybersecurity risks to the K-12 education system and recommendations on how to secure it.

Funding/M&A

More than 4,000 internet-accessible Pulse Connect Secure hosts are impacted by at least one known vulnerability, attack surface management firm Censys warns.

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...