On security as a spectrum, attack vectors, and how people who don’t understand security focus on the wrong things
Imagine there is a house you are trying to protect, with a large front door. What is the front door protecting, and who is it protecting these things from? Perhaps the house is in a rough part of town, and you went out of your way to buy a triple deadbolt, upper and lower locks, and an alarm system. No matter what you do, you are mostly operating under a false sense of security. Any measure you take will only deter a specific subset of people; there is no single thing you could do to fully protect your front door. If someone is motivated enough, they will find a way in.
Security is a spectrum. You know that your triple-deadbolt door will probably keep out a petty thief, but would it deter the fire department? A SWAT team? Probably not. If the party on the other end of it is determined enough and has enough resources, your door can be broken down.
Cybersecurity can be thought of the same way: the door is your set of defenses, and the house is your public-facing website, data, or API. There is no one algorithm, one program, or one solution that will make you completely safe. There is simply no single right way. It is all about the level of risk you are willing to assume. The question you need to answer is not:
Does this completely protect me?
but instead should be:
To what extent should someone have to go to access my information?
This seems counterintuitive at first; most people will answer "no one", or "only a select few people I already know". That way of thinking does not apply in security: if simply wishing for something to be protected made it so, there would be no need for encryption, security, or protection in general. You must operate under the assumption that there will always be parties dedicated enough to get to your data. What level of risk are you comfortable with?
If the NSA wants access to your data, there is (almost certainly*) nothing you can do about it. They do this for a living, day in and day out. Whether you choose PBKDF2 for your password storage or unsalted MD5, you are asserting that you accept a certain level of risk. PBKDF2 is not guaranteed to secure your users' information, and even then, attackers will take the path of least resistance.
*Yes, you can probably come up with a scenario in which you have some set of information that you could protect from the NSA. This article assumes a publicly facing website or data set with multiple attack vectors, not personal security or personal drives. An 8096-bit TrueCrypt drive that is only ever connected to a local network, with keys held entirely in memory, is outside the scope of this article.
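To make the PBKDF2-versus-unsalted-MD5 contrast concrete, here is an added Python example (not code from the original article). It stores two constructed sample users under both schemes and models the cheapest attack against each: a precomputed lookup table cracks every unsalted MD5 hash at once and reveals which users share a password, while per-user salts force an attacker to recompute the slow PBKDF2 function for every user and every guess. The users, passwords and wordlist are constructed, and the 600,000 iteration count is an assumed work factor.

```python
"""Unsalted MD5 versus salted PBKDF2 for password storage (added illustration)."""
from __future__ import annotations

import hashlib
import os
import secrets
from typing import Optional

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware and latency budget

# Constructed sample data: two users who happen to share a password.
SAMPLE_USERS = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
}
# Constructed attacker wordlist, standing in for a precomputed (rainbow) table.
SAMPLE_WORDLIST = ["password", "letmein", "correct horse battery staple", "admin"]


def md5_unsalted(password: str) -> str:
    """The weak scheme: the same password always yields the same digest."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256, stored as a self-describing record."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    _, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return secrets.compare_digest(dk.hex(), dk_hex)


def build_stores(users: dict[str, str] = SAMPLE_USERS) -> tuple[dict[str, str], dict[str, str]]:
    """Return (weak_store, strong_store): the same users under each scheme."""
    weak = {user: md5_unsalted(pw) for user, pw in users.items()}
    strong = {user: pbkdf2_hash(pw) for user, pw in users.items()}
    return weak, strong


def shared_passwords_visible(store: dict[str, str]) -> bool:
    """True if two users' stored values are identical, i.e. a shared password leaks."""
    return len(set(store.values())) < len(store)


def crack_with_table(store: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """Offline attack model: hash the wordlist once, then look every user up.
    This only works when there is no per-user salt; salted records never match."""
    table = {md5_unsalted(word): word for word in wordlist}
    return {user: table[h] for user, h in store.items() if h in table}


if __name__ == "__main__":
    weak, strong = build_stores()
    print("MD5 store reveals shared passwords:", shared_passwords_visible(weak))
    print("PBKDF2 store reveals shared passwords:", shared_passwords_visible(strong))
    print("Table attack on MD5 store:", crack_with_table(weak, SAMPLE_WORDLIST))
    print("Table attack on PBKDF2 store:", crack_with_table(strong, SAMPLE_WORDLIST))
    print("Login check for alice:", pbkdf2_verify(SAMPLE_USERS["alice"], strong["alice"]))
```

Note that PBKDF2 with a salt does not make a weak password strong: an attacker who obtains the store can still guess per user, just at the cost of one full PBKDF2 computation per guess instead of one table lookup for everyone. That cost is the risk trade-off the paragraph above is describing.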
Imagine that your well-protected house also has a back door leading to the backyard. This door is merely a screen door, held shut by a wooden spring. Why would an attacker go through your front door when they could go through the back door for a fraction of the effort?
Security works in much the same way. Attackers, just like burglars in real life, take the path of least resistance. These various methods of entry are attack vectors.
You can have a high-entropy, large-keyset password store that will deter many, but forgetting to close port 22 and leaving your root credentials at admin/admin for SSH renders it useless. The attacker accomplishes their end goal by going about it a completely different way. Just as the petty thief would simply hop over your fence and go in the back door, inexperienced cybercriminals can get access to your data even if part of your system is extremely well defended.
It is uncommon to create a system that has only one attack vector. Most complex business applications (especially those that embrace the 21st century, with the cloud, 2FA, live document syncing, backups, and more) will have hundreds of attack vectors. Each one of these can be seen as a door into your data, some admittedly less severe than others, but the analogy holds. You cannot focus only on hardening one entry point; you need to consider the wider scope, minimize the number of entry points, and make sure that each one that remains is at an acceptable level of risk.
Do not take this to mean that you will be hacked; rather, it means that there will always be someone out there with the ability to hack your system. You have to decide what level of security your data warrants and what level of risk you find acceptable.
There is a lot more to security than is covered here, but step 1 is always to approach the topic with the right frame of mind. It is nearly impossible to have a complete understanding of your security posture if you are still focused on completely securing your system against everyone; that is a naive point of view that has been consistently proved wrong, usually at the expense of your users' data.
Author Note: This was meant as a fairly basic introduction to security through an easy-to-understand analogy. It is aimed primarily at those not in the security field, and it makes a lot of simplifications and abstractions. Any questions, corrections, or concerns can be addressed to [email protected]