Skip Navigation
BlackBerry Blog

Unsolvable Security Problems

FEATURE / 03.05.18 / Pete Herzog

While the world’s greatest minds (and high below-average minds) have found amazing answers towards some of the world’s great philosophical questions of life, the universe, and beyond, I think there are still really important unsolved scientific problems that we need to deal with in our daily lives, like security.

Yes, it’s an important scientific problem to solve! I get it that it’s not up there with “are we in a holographic universe like the Matrix?” (science says probably not) and “are we alone in the Universe?” (science says yes but only because all those other civilizations out there don’t like us). But security still has some pretty important scientific problems to solve. And they affect us right here right now. Starting with:

  •  What is security?
  •  How do I make it?
  •  How do I know how much I have?

The security industry has not been able to really agree on an answer to this. Imagine if the plumbing industry couldn’t come to an agreement on what is plumbing. So yes, it’s a problem. And we have a lot of ideas but no proven answers, if there can even be one.

And that’s just the first unsolved problem in security. There’s so many more like:

  •  Is making something harder to do make it more secure?
  •  Does the size of the attack surface affect the overall security?
  •  Does intent affect security?
  •  Can resilience (resisting until failing safely) and continuity exist in the same control set at the same time?
  •  Does defense in depth (stacked or layered defenses) improve security or just reduce the range of assets available in a successful attack?
  •  Does defense in width (broadened control coverage) improve security or just reduce the types of successful attacks?
  •  Does cyberhygiene improve security or just offset risk?

And that’s just a sample. There’s so many things we don’t know because nobody’s researching them. We know more about dark matter than we know about what makes something secure.

But you’re thinking, so what if it reduces risk and limits an attacker then let’s just call it security? What does it matter? It matters because one way is creating something (security) and the other is winning it (risk).

It’s totally like my Aunt Beth, right?!

In case don’t know her here’s the gist: my parents said she had no job but she said her job was her scratch-off lottery tickets and monthly trips to Las Vegas with her gentlemen friends. I figured what does it matter as long as she’s making money. Isn’t that what a job is?

And it’s the same with security. If you’re reducing the kinds of attacks that come through and how much they can take then that’s security. I mean, as long as those other attacks don’t ever show up, you’re doing your security job. Right? At least it feels more secure. And that’s how risk works in security too.

Paint the lines they said. Animal clean-up not my job….

The truth is there’s many things we do because it feels like it’s more secure to do it. That’s why I use the power of crystals on my servers to keep away bad auras. Don’t laugh. It makes me feel more secure just like running automatic patching on my desktop and changing my password every 90 days does - and with just as much scientific evidence. And my feelings matter! But that’s what security kind of is too.

Part of why it’s so hard to answer these things is because security is as much a feeling as it is a thing. So, in some respects it’s like defining and measuring love, if love were both an emotion and a collection of products that could make love, like probably chocolates, perfumes, and Adderall. <Note: Adderall does NOT make love. We are NOT endorsing Adderall.>

Currently there’s two schools of thought for security. One works with security as part of Risk. And get this, some of those Risk people even differentiate between risk spelled with an R (uppercase) or an r (lowercase). You’ll want to party with those people.

And the other school works with security as a separation between an asset and a threat. That means you make sure the threat can’t reach the asset, thereby making the asset “secure”. It’s pretty cut and dry. So, don’t party with those people because they have no imagination. 

The risk school is an emotional one that relies heavily on educated guessing which assures the quality you get is directly proportional to the quality of the assessor's education. And it should be a well-rounded education of security, business, and statistics. Because letting any one of your cybersecurity employees do a risk assessment of your business because they know security is like having a bookie run your ranch because they know the ponies.

Overall though it requires less effort to maintaining security based on risk because it can be easily assigned monetary ratios, something businesses are comfortable with. The most important of that being the ability to offset risk, which means you can either defer paying for something or shift on someone else to pay. For example, passwords.

If I make strong passwords for you to log into our servers, I need to pay for the system to do so and be responsible for it when they are cracked. If I have you do it, and you accept it, then I don’t need to spend money on such a system and the responsibility is yours even if it means weaker passwords because very few people are actually encryption experts who can make perpetually strong passwords for specific systems. But for me, risk problem solved!

Meanwhile security as separation and controls is more concrete and delivers a more lasting and consistent protection. There’s little actual advanced math or business principles involved. However, it requires security analysis experts which are in very short supply. Oh, and this method doesn’t allow you to offset anything, so it’s harder to sell the business people, has an overall higher cost to build, but a much lower cost to maintain. And you are fully responsible for the effectiveness of it. Therefore, you are also solely responsible for your security issues like break-ins. No offsetting or excuses allowed, which is something your lawyers or your board of directors may not like to hear.

So, are we any closer to solving what security is? No. Can we just wing it and do okay? That’s pretty much what a best practice is. So, you decide if it’s been working out for you. Well, not that you can.

Since we are unable to properly measure security we can’t say which system is better - separation or risk, or if a hybrid of the two - is better. We can’t even say what “better” would look like except perhaps in terms of human convenience and satisfaction.

There are ideas of what works better based on empirical evidence, but it’s far too little of a sample to know. There’s almost as many computers on the planet as people, and we don’t have a big enough sample to figure out security? Is that an unsolvable problem too, or do you know how we can solve that?

Pete Herzog

About Pete Herzog

Guest Research Contributor at BlackBerry

Pete Herzog knows how to solve very complex security problems. He's the co-founder of the non-profit research organization, the Institute for Security and Open Methodologies (ISECOM). He co-created the OSSTMM, the international standard in security testing and analysis, and Hacker High School, a free cybersecurity curriculum for teens. He's an active security researcher, investigator, and threat analyst, specializing in artificial intelligence (AI), threat analysis, security awareness, and electronic investigation.