Computer systems are complex, and for quite a few years now the complexity has been at the point where it is impossible for any one person to understand ‘everything’ about any given system. There will often be people with a good understanding of the ‘building blocks’, but it is pretty much impossible to understand all the detail of the code, libraries and platforms a system depends on.
Complexity has massive implications for the security of computer systems. If no one understands a system, how can you have any assurance that it is secure? The developers of the system will have tried to design for ‘known’ security issues, and tried to assemble the ‘building blocks’ in such a way that they are secure, but as the blocks are not fully understood it is highly likely there will be some issues. This is not just an academic claim: simply look at the security patches for major building-block components like Java, .NET, Windows and Linux, all of which have regular security issues that could compromise any system built on them. On top of the building blocks, even a mid-size dev team will have a mixture of skills and abilities, and even with ‘two-person reviews’ security bugs do get through. Add in that many systems depend on services supplied by other companies (SaaS, hosting, ISPs, Certificate Authorities and DNS), any or all of which are critical for security.
With this level of complexity it becomes impossible to prevent all vulnerabilities, and this is becoming a larger and larger problem in the real world. We hear about famous hacks like Yahoo, TalkTalk and Best Buy, but mostly they were unlucky. We know from the security patch lists that every system up and running on (for example) 1st Jan 2016 had vulnerabilities due to issues in some of the underlying infrastructure components.
There is hope however: although every system was vulnerable, not every system was exploitable. This is a key distinction to make. For example, leaving my front door unlocked makes me vulnerable to someone walking into my house and stealing things, but it is not exploitable if I am at home paying attention. The term for this is defense in depth, where you have multiple, overlapping security procedures. Defense in depth allows one or more components to fail while still leaving a chance of stopping the attacker.
Take the example of credit card theft on the web and how you secure it. A defense in depth methodology would suggest you try to:
- Protect the connection to the web browser
- Protect the code running on the web browser
- Protect the code running on the server
- Protect the web server/API
- Train developers in secure coding practices
- Implement strong admin controls & audit logging
- Analyse the transaction pattern for signs of fraud
- Analyse the client profile for signs of fraud
None of these on their own is enough to stop an attack; combined, however, there is a good chance that one (or more) of them will delay or impede an attacker. This is often enough to stop theft if the resulting alerts are (manually or automatically) monitored.
The challenge with deploying defense in depth is deciding which defenses to deploy. The list above for the credit card example is far from exhaustive, and it is hard to choose what to pick. This is where modelling an Attack Tree comes in: with an attack tree you simply write down the goal (steal money) and then list all the ways to achieve it, and all the ways to stop it, as a tree, applying scores at each node. Bruce Schneier wrote a great article explaining it back in 1999. This is a very practical methodology for working out what protection to use.
Computer systems are extremely complex, and the only way to protect them is with a layered defense consisting of multiple, overlapping solutions to try to prevent attacks. The best way to decide what you need is an Attack Tree: rigorous attack tree modelling gives you a good way to decide which attacks are feasible if a single security defense fails, and which are well protected by multiple layers of defense. Unfortunately very few systems today are modelled with attack trees to consider the threat level; instead many people rely on ‘tick box’ security, which is dangerous as it does not address all the threats, nor assess the risk of someone making a mistake (and you can guarantee people sometimes make mistakes).
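As an added illustration (not part of the original post, and not Schneier's own tooling) of the attack tree scoring described above, here is a small Python model of the credit card example: leaves are attack steps with a constructed effort cost and the controls that block them, OR nodes take the cheapest child, AND nodes add their children, and the report removes one control at a time to show which attacks become feasible when a single defense fails. The tree, the costs and the control names are all made up for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

INFEASIBLE = float("inf")  # the node cannot be reached while its blocking controls work


@dataclass
class Node:
    """One node of an attack tree: an OR/AND branch or a leaf attack step."""
    name: str
    kind: str = "LEAF"  # "OR": any child suffices; "AND": every child is needed; "LEAF": a step
    cost: float = 0.0  # leaves only: attacker effort on a constructed scale
    blocked_by: Set[str] = field(default_factory=set)  # leaves only: controls that stop the step
    children: List["Node"] = field(default_factory=list)


def cheapest(node: Node, active: Set[str]) -> float:
    """Cheapest attacker cost to reach `node` while the controls in `active` are working."""
    if node.kind == "LEAF":
        return INFEASIBLE if node.blocked_by & active else node.cost
    costs = [cheapest(child, active) for child in node.children]
    return min(costs) if node.kind == "OR" else sum(costs)  # inf propagates through sum()


def single_failure_report(root: Node, controls: Set[str]) -> Dict[str, float]:
    """Cheapest attack when exactly one control fails: the defense-in-depth question."""
    return {c: cheapest(root, controls - {c}) for c in sorted(controls)}


def single_points_of_failure(root: Node, controls: Set[str]) -> List[str]:
    """Controls whose lone failure makes the goal reachable, i.e. layers with no backup."""
    return [c for c, cost in single_failure_report(root, controls).items() if cost < INFEASIBLE]


# Constructed tree for the post's credit-card example; costs and control names are made up.
CONTROLS = {"tls", "client-code", "code-review", "api-hardening", "admin-controls", "audit-logging"}
GOAL = Node("steal card numbers", "OR", children=[
    Node("intercept in transit", cost=40, blocked_by={"tls"}),
    Node("skim from browser", cost=30, blocked_by={"client-code"}),
    Node("compromise server", "AND", children=[
        Node("exploit API bug", cost=50, blocked_by={"code-review", "api-hardening"}),
        Node("exfiltrate unnoticed", cost=20, blocked_by={"audit-logging"}),
    ]),
    Node("abuse admin access", cost=10, blocked_by={"admin-controls", "audit-logging"}),
])

if __name__ == "__main__":
    for control, cost in single_failure_report(GOAL, CONTROLS).items():
        print(f"{control:15} fails -> cheapest attack cost: {cost}")
    print("single points of failure:", single_points_of_failure(GOAL, CONTROLS))
```

In this constructed tree the transport and client-code controls each stand alone, so their failure opens an attack, while the server and admin paths stay infeasible after any single failure because two controls cover them.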