Why cyber security is hard?

  • The data is massive and attacks are scattered. All analysis and detection have to be done real time on multiple devices from multiple sources.
  • Done by human experts. And guess what? NSA found that inappropriate or incorrect software security configurations (most often caused by configuration errors at the local base level) were responsible for 80 percent of Air Force vulnerabilities.” — CSIS report on Securing Cyberspace for the 44th Presidency, Dec. 2008, p. 55
  • When human involved — they have a tendency to convince themselves that they have thought of every possible scenario and they can sit back and relax.
  • Security is often an afterthought. No-one builds a digital system for the purpose of being secure. They build digital systems to do something useful. Security mechanisms may be viewed as a nuisance to be subverted, bypassed, or disabled.
  • Security is meant to prevent bad things from happening; one side-effect is often to prevent useful things from happening. Companies often times tradeoff security to other important project goals: functionality, usability, efficiency, time-to-market, and simplicity.

In conclusion, security is “target-rich” environment comprising: hardware, software, storage media, peripheral devices, data, people, assets. Figuratively speaking “If one overlooks the basement windows while assessing the risks to one’s house, it does not matter how many alarms are put on the doors and upstairs windows.”