Skip to main content
Why there are still breaches explained with a dam metaphor.
October 3, 2016

Why Data Breaches Still Happen

Video Transcript

All this is a dam and it's my metaphor for security. Sure, it's a bit overused and simplistic, so work with me.

A dam is used for more than just pooling water or preventing flooding, it's also used to reclaim land, provide a fresh water supply, generate electricity, just like business level security is more than just preventing against attacks or protecting assets. It's also used for maintaining quality, creating efficiency, assuring accuracy. Basically, too much flow is bad and too little flow is bad when it comes to your operations.

It's not easy to build such a thing. The number of variables you have to get right are huge. You have to worry about the water eating away at the dam. You have to worry about the ground that the water is sitting on. You have to worry about the types of rocks you use if you wanna make sure that you're not poisoning the drinking water or ruining the generators that are generating the electricity with minerals, which is the same in security. That's why when you wonder, "why are there still breaches?" The answer is complicated. No, sorry, security is complicated, the answer is pretty straightforward. The answer is because security is complicated. The sheer number of variables you have to deal with: the environment, the changing of people, the changing of technologies, the changing of programming languages used to build applications. Things are changing and broadening and there's always more choices and more things to think about and more interactions, which makes security more and more challenging, which is why there are still breaches.

It's a big job, which is why a general contractor couldn't do something like this. It's the same thing with security, you need a specialist. You can't just have a general security practitioner build and create this kind of security. Perhaps maintain it, but not build it.

Which brings us to problems. Now, a small problem, a small leak can lead to bigger problems pretty quickly. Of course, you can patch, but it's never gonna be seamless. That means it's going to always be differently exposed to sun and rain and other elements. Now, it's the same in security. You can patch, if you're fast enough and if you know what you're supposed to patch, meaning there's no zero-days, you know what you're doing, but this leads you into the attack surface paradox. The more that you actually try to secure, the more technology, the more software, the more development that you're doing leads you into more problems, more things that can be attacked.

Maybe one of the reasons why we still have breaches is that the security industry can't define security, which means it has to be something relative. Now, I don't know how many professional security physicists can't define physics. None, I answered that for you. Which means that security has to be something relative, like happiness. You can be happy, you can maybe be completely happy, 100% happy. And if you double that you're 200% happy, what's that like? So if security is relative, that means it can never be universally 100%, which is why you would still have breaches.

To quote the Open Source Security Testing Methodology Manual, the OSSTMM, "security doesn't have to last forever, "just longer than anything that might notice it's gone." So maybe we still have breaches because in this physical universe order and control constantly decreases, things get more chaotic. In which case, security is going to constantly decrease. So even if you can find 100% security, it would only be for a moment, a fleeting microsecond, and then it would start decreasing all over again. So basically, even if you find it, it's gone. And so, no matter what we build or define, our physical universe makes it impossible for us then to have security. But that doesn't mean we shouldn't keep trying.

Pete knows how to solve very complex security problems. He's co-founder of the Institute for Security and Open Methodologies (ISECOM). He created the international standard on security testing and analysis and Hacker Highschool.

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.