Can You Mitigate Against Mission Impossible?
Focus on the Countless Manageable Vulnerabilities That You Can Control and Protect Against
Back in the 1990’s, I was involved in a discussion about how an individual could deal with Van Eck monitoring, where an attacker captures the contents of your screen from outside the building. My take was that if your opponent has a surveillance team in a van full of special equipment parked right outside your house, your only realistic option is to run and never look back, in hopes of starting a new life elsewhere. Perhaps this scenario is a bit dramatic, but it illustrates an important point. We spend a lot of time thinking about and trying to mitigate threats that are so extreme you are basically already doomed if they are ever used against you. You can’t mitigate against Mission Impossible-style attacks, because whatever you try to prevent, they always have another way of getting at you.
More recently, I have seen this kind of error surrounding facial recognition on phones. It feels like almost daily, a security researcher somewhere comes forward to demonstrate how they were able to make a realistic mask that can fool the biometric reader. While that is a possible attack, anyone who could do that can also watch you type in your passcode, or simply have a goon grab the phone out of your hand while it is unlocked. Those are both much simpler, less expensive, and more common attacks, yet too many of our security priorities are targeted on preventing more doomsday-like approaches. In my mind, the facial recognition capability is already far from being the weakest link in your phone’s physical security.
Some other too-big-to-mitigate scenarios would be: surveillance attackers with universal global network visibility, attackers who control a majority of all Tor nodes, or stuxnet style malware written just for you with multiple zero day vulnerabilities. Typically, these attacks assume a major nation state actor highly focused on your organization. Super-resourced and motivated attackers always have more than one way to get at you. There are always more methods of attack available to these kinds of adversaries than can be plausibly considered or mitigated. For the typical organization, this is like being attacked by the Borg, “Resistance is Futile.”
Once we realize that those attacks, and more importantly those kinds of attackers, are effectively impossible to mitigate, we can spend our limited time and treasure focusing on more realistic and manageable scenarios. By realizing that we are doomed in the face of the monster attacker, we are free to reallocate our efforts where they will really matter. Let’s face it, few organizations are even covering all the basics, so effort spent on the super-attacks is wasted if easier vulnerabilities are still available. It is like putting a vault door on a cardboard box. Mitigations like multi-factor authentication, password managers, patching, backups, VPNs, disk encryption, and logging are all far more likely to cause damage to an organization and could be used by any attacker, not just the highly resourced ones. Despite the excitement surrounding flashy attack methods, in practice it is often failures in security basics that take down major organizations.
To illustrate this logic, consider that I don’t spend any time trying to mitigate against assassins attempting to hack the electronic controls of my car. Far before that, I should start investigating a mitigation for an inexpensive hitman with a rifle, a far more likely scenario. There is a useful concept in cryptography called “rubber hose cryptanalysis,” which simply means beating the password out of someone who knows it. It is cheaper and faster than brute force cryptanalysis almost every time.
There are cases where this does not apply. If you are part of a global evil organization like SPECTER, then you can expect 007 type attacks and would need to try to mitigate them. If you are running a weapons-grade nuclear enrichment program, then you can expect massively resourced nation-state attackers. However, it is not worth dealing with the complex movie plot attacks if you effectively left your doors unlocked.
So, take a deep breath and relax. If there are situations where you are simply doomed, don’t worry about it. Just focus on the other countless manageable vulnerabilities that you can control and protect against. Then at least you are secure against conventional threats, unless and until the nuclear cyber bomb falls on you.