If there's one security lesson that can be taken from this FBI versus Apple surrealistic encounter, it's that security redundancy is truly important. We're talking multi-layered security, where any one or two layers can completely fail and security is still maintained. Why? Let's look at the latest in the FBI-Apple encryption dance. And if any of you bought into this "this Apple fight is over" rhetoric, you haven't been paying attention.
The upshot of the battle: The most secure consumer-grade smartphone in the world—the iPhone from Apple—thwarted all FBI attempts to easily break into the phone, in an attempt to find out more about a terrorist. Making the case even more interesting is the fact that the phone's owner—which happened to be the county government where the terrorist worked—also wanted the contents opened. With all that going for the government, Apple stood its ground on security and refused to weaken the security for everyone to help with this case.
What the FBI wanted was a low-cost/low-effort method so that they could cost-effectively break into an unlimited number of phones in the future. Apple's response was, in effect, "You want to break in, go for it, but we're not going to hurt everyone's security solely to make it easier and cheaper for you to do so."
Once it became clear that Apple wasn't going to budge and that the federal courts were unlikely to force them to budge, the FBI, according to NBC News, simply turned to a well-known security firm in Israel, Cellebrite, which has been publicly breaking into iPhones for years. Cellebrite details its approach on its Web site publicly, even including a video to show how easy their extraction methods are to use.
It has been argued by others—including this wonderful narrative piece in eWEEK—that if the FBI knew of this option (and few in the encryption space didn't), why didn't it go there initially? The truth is that it costs more and takes longer. The FBI is not solely concerned with their own budget and time, but those of other law enforcement operations, especially metro police departments that often begin these terrorism probes.
This brings us back to the security redundancy point. How valuable—to others—is the data you're protecting? If the data pot of gold at the other end of the firewall rainbow is big enough, cyberthieves can justify pouring major resources and time into cracking your systems. No single security method—regardless of how high-end, how enterprise-grade it is labeled—is perfect.
The takeaway from the Apple incident is that true corporate security is less about perfection—which is unattainable—and more about making the cost to the attacker so high that it's simply not worth it. Professional cyberthieves are business people, and if your data is worth $100 million on the black market, no professional is going to deploy $200 million worth of effort to get it.
When you're calculating this ROI number, remember that costs to your company—repairing/replacing impacted systems, costs of alerting customers, regulatory paperwork, disruptions to operations, etc.—do not enter into this calculation. Those are important factors in calculating your company's exposure to a successful data breach, but to the thief, the only dollar value at issue is how much the data can be sold for. (Just to infuriate you a little more, your team might be both the victim and the prospective customer. That would be the case if the attacker holds your data for ransom.)
There's a very old joke about two guys in the jungle who run into a hungry tiger. One of the men immediately starts running and his companion shouts, "You fool! You can never outrun a tiger," to which his friend replies, "I don't have to. I merely have to outrun you." In corporate IT, you don't necessarily have to outrun a cyberthief. All you have to do is be more resistant than your largest rivals. Cyberthieves, like tigers, have a fondness for easy prey.
For every layer of redundant security you add, you are exponentially increasing the cost and time needed to successfully break into your system while simultaneously giving your own systems more of a chance to detect and alert you to the attack.
A lot of enterprises put too much focus—and trust—on external security systems. Although firewalls and authentication systems are essential, never assume that they will always work. A strong application security strategy—one that assumes that at least some of the bad guys will get through or around your outer defenses—is critical. Apple's inner encryption defenses (rules that threatened to block any access attempts if too many unsuccessful attempts were made or if the attempts were spaced too closely) were what slowed down FBI attempts.
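To make the "inner defense" concrete, here is an added example (not Apple's code, and not the page's own) of a passcode guard that enforces the three rules the paragraph describes: attempts spaced too closely are refused, consecutive failures impose escalating lockouts, and a hard failure limit destroys the key material. The policy numbers (80 ms minimum spacing, lockouts from the fifth failure, wipe at ten) are constructed for illustration, not Apple's actual values. The `minimum_seconds_for_guesses` helper shows why an attacker's wall-clock cost, not just CPU cost, is what the layer raises.

```python
"""Attempt-limiting passcode guard (illustrative model, constructed policy values)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MIN_INTERVAL = 0.08          # seconds; attempts closer than this are refused outright
WIPE_AFTER_FAILURES = 10     # consecutive failures that destroy the key material
# Lockout (seconds) imposed after the Nth consecutive failure; earlier ones get none.
LOCKOUT_AFTER_FAILURE = {5: 60, 6: 300, 7: 900, 8: 3600, 9: 3600}


def derive_verifier(pin: str, salt: bytes) -> bytes:
    # Slow KDF so every guess costs real CPU even if the verifier itself leaks.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class PasscodeGuard:
    salt: bytes
    verifier: bytes
    failures: int = 0
    locked_until: float = 0.0
    last_attempt: float = float("-inf")
    wiped: bool = False

    @classmethod
    def enroll(cls, pin: str) -> "PasscodeGuard":
        salt = secrets.token_bytes(16)
        return cls(salt=salt, verifier=derive_verifier(pin, salt))

    def attempt(self, pin: str, now: float) -> str:
        """Return one of: ok, wrong, locked, too_fast, wiped. `now` is injected
        (seconds) so the policy can be replayed deterministically."""
        if self.wiped:
            return "wiped"
        if now < self.locked_until:
            return "locked"          # PIN is not even checked while locked
        if now - self.last_attempt < MIN_INTERVAL:
            return "too_fast"        # refused: neither checked nor counted
        self.last_attempt = now
        if hmac.compare_digest(derive_verifier(pin, self.salt), self.verifier):
            self.failures = 0        # a success clears the failure streak
            return "ok"
        self.failures += 1
        if self.failures >= WIPE_AFTER_FAILURES:
            self.wiped = True
            self.verifier = b""      # key material gone; the right PIN no longer helps
            return "wiped"
        lockout = LOCKOUT_AFTER_FAILURE.get(self.failures, 0)
        if lockout:
            self.locked_until = now + lockout
        return "wrong"


def run_sequence(guard: PasscodeGuard, events) -> list:
    """Replay (time, pin) pairs against the guard and return each outcome."""
    return [guard.attempt(pin, t) for t, pin in events]


def minimum_seconds_for_guesses(n: int) -> float:
    """Lower bound on wall-clock time an attacker needs for n guesses under this
    policy, assuming they wait out every lockout (n is capped at the wipe limit)."""
    n = min(n, WIPE_AFTER_FAILURES)
    total = 0.0
    for i in range(1, n):  # gap between guess i and guess i+1
        total += max(LOCKOUT_AFTER_FAILURE.get(i, 0), MIN_INTERVAL)
    return total


if __name__ == "__main__":
    g = PasscodeGuard.enroll("1234")
    print(run_sequence(g, [(0, "0000"), (0.01, "0000"), (1, "0000"), (2, "0000"),
                           (3, "0000"), (4, "0000"), (5, "0000"), (70, "0000"),
                           (371, "1234")]))
    print(minimum_seconds_for_guesses(10))
```

The design point is that the guard refuses a locked or too-fast attempt before touching the verifier, so the outer layer (a leaked verifier, a bypassed UI) failing still leaves the attacker paying the lockout schedule in real time, which is exactly the kind of redundancy the article argues for.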
Never assume that any security software works. But that none of six redundant systems will work? That's a chance worth taking—and one that no thief likely will.