Can You Mitigate Against Mission Impossible?
We spend a lot of time thinking about and trying to mitigate attacks that are so extreme you are basically already doomed if they are ever used against you. My recent SecurityWeek article was inspired by an experience I had back in the 1990s. I was involved in a discussion about how an individual could deal with Van Eck monitoring, where an attacker captures the contents of your screen from outside the building. My take was that if your opponent has a surveillance team in a van full of special equipment parked right outside your house, your only realistic option is to run and never look back, in hopes of starting a new life elsewhere. Perhaps this scenario is a bit dramatic, but it illustrates an important point.
Protecting yourself against Mission Impossible-style attacks is, well, impossible, as there are ways to get around every defensive move you make.
More recently, I have seen this kind of error surrounding facial recognition on phones. It feels like a security researcher somewhere comes forward almost daily to demonstrate how they were able to make a realistic mask that can fool the biometric reader. While that is a possible attack, anyone who could do that can also watch you type in your passcode, or simply grab the phone out of your hand while it is unlocked. Those are both much simpler, less expensive, and more common attacks, yet too many of our security priorities are targeted at preventing more doomsday-like approaches. In my mind, the facial recognition capability is already far from being the weakest link in your phone’s physical security.
Once we realize that those attacks, and more importantly those kinds of attackers, are effectively impossible to mitigate, we can spend our limited time and money focusing on more realistic and manageable scenarios. Let’s face it, few organizations are even covering all the basics, so effort spent on the super-attacks is wasted if easier vulnerabilities are still available. It is like putting a vault door on a cardboard box. Gaps in mitigations like multi-factor authentication, password managers, patching, backups, VPNs, disk encryption, and logging are all far more likely to cause damage to an organization and could be exploited by any attacker, not just the highly resourced ones. Despite the excitement surrounding flashy attack methods, in practice it is often failures in security basics that take down major organizations.
So, take a deep breath and relax. There are situations where you are simply doomed. Focus on the other countless manageable vulnerabilities that you can control and protect against.
You can read my full SecurityWeek article here.