Fallacy #4: The network is secure
There are a myriad of security-obsessed organizations scattered throughout the world that take security concerns to the verge of paranoia.
In one such organization I've heard of, there existed two separate networks. Everyone had two computers without external disk drives of any kind. Inserting a USB drive would not work, and trying to use one would instantly alert the sysadmins that a workstation was compromised. To get data from a different network, you needed to browse in a separate room, as workstations did not have access to the Internet.
Once you found the data you needed, you could download it to a floppy disk and then hand the floppy over to a sysop. The sysop would copy the contents to a mirror folder, which would analyze the contents with every virus scanner imaginable before mirroring them to the development network. But that sync only occurred once per hour.
Paranoid? Maybe. If you're just selling widgets on a website, then probably. But if your organization is working on defense contracts or controls critical infrastructure like electrical grids, perhaps the paranoia is justified.
The only truly secure computer is one that is disconnected from any and all networks, turned off, buried in the ground, and encased in concrete. But that computer isn't terribly useful.
Unfortunately, security tends to be one of those areas that goes completely overlooked until it's too late.
Check it twice
We have best practices and checklists, but all too often, these go unfollowed. The OSWASP Top 10 shows us what some of the most common threats are and how to mitigate them. It's very sad that, in this modern era, the vulnerability at the top of the list is a simple injection attack, which is trivially avoided using parameterized database queries.
The bigger problem is that our understanding of the types of threats we are under hasn't evolved very much. By their very nature, our systems are fundamentally exposed, and we start from a position of weakness. Some major attack will hit the news, and then we'll update our best practices to deal with that threat, but it's impossible to be prepared for everything. The attacks will come. It's not a matter of if but a matter of when, and we simply don't understand the amount of computing power in the hands of attackers.
Because of this, the conversation needs to change. We can guarantee that specific security holes will be plugged, but we can't guarantee 100% security.
What have we got to lose?
We need to perform a threat model analysis on our system. What are the possible consequences of a breach? We could be talking about losing competitive advantage, being sued and losing our reputation, having sensitive financial or health data leaked — or we could be talking about hackers seeing our pictures of cats. If someone were to get access to our data, how much would it be worth to them, and how much would the loss mean to us? Based on that, what is their incentive to attempt to hack us? What resources can they marshal to perform that attack? How much will it cost to protect ourselves against it?
After we analyze the threat, we need to bring this to the attention of business stakeholders. Include the public relations department. When the system is breached, who is going to talk to customers? Who is going to talk to the press? What are they going to say? Bring legal in as well to help determine the ramifications of exposure under these circumstances. Perhaps the end-user license agreement (EULA) can be modified to mitigate some damage.
Hopefully, an attack will never happen, but it's good to be prepared.
Attackers won't hesitate to spend thousands of dollars to breach a system if they stand to gain millions. That's just simple economics. But they may not even have to. With LinkedIn, it's easy to find out who your organization's database administrators (DBAs) are. An attack could be as simple as applying social pressure to a DBA to get them to "misplace" a database backup. If that occurred, would you even notice?
Ultimately, ensuring a high level of security is a large cost, and it's all about tradeoffs. We need to have an honest conversation about what those tradeoffs are.
Security in our software. It's hard, it's expensive, and it's complicated by the fact that attackers are always one step ahead of us. Attacks will occur. Sometimes we will win the day. Sometimes we will not be so lucky. Breaches will happen, despite our best efforts.
While we need to do our best to follow our industry best practices for security, we also need to have conversations with business, public relations, and legal teams so that the risks are well understood and to ensure that a plan is in place if a breach occurs.
Because it's not a matter of if, it's a matter of when.
About the author: David Boike is a developer at Particular Software who sometimes forgets to lock his car doors when he parks on the driveway.