The Perfect Software Security – An Unattainable Holy Grail

Conflict is as much a part of human nature as eating and sleeping are. It’s an instinct, embedded deep in the primordial, animal side of our brain. And in every conflict there are two sides: the one that is attacking and the one that is reacting to that attack. The side that adapts faster is the one that wins.

Attackers will set an objective for themselves and they will probe and prod at their victim’s defenses until they punch through. In turn, defenders need to anticipate the attacker’s goal and focus their efforts and resources on preventing the attacker’s success. It’s a good old-fashioned arms race, and these basic mechanics of combat are the reason why attacking is considered far easier than defending.

Attackers benefit, on a fundamental level, from being mobile: they need only deal with the present and with the obstacles the defenders have put in place. As a stationary element, however, defenders need to employ foresight and be able to anticipate the moves of the attackers.

(Do not mistake attacking and defending with being offensive or defensive, however. A castle siege or a trade embargo is a defensive tactic for an attacker, while a sortie can be an offensive move by defenders. This doesn’t turn the tables and doesn’t change the fact that the defenders are still protecting something and that the attackers are trying to get to it.)

Defenders need to identify where the attack will be focused and figure out the attacker’s goal, so that they can plan to counter that goal. Attackers are attacking because they want something you have, and you can use this to your advantage. This goal is what makes them predictable.

If they attack your residential area, you build a wall. If they target your gate, you make a drawbridge. If they use archers, you sortie light cavalry and eliminate the threat. You read their movements, recognize their patterns, and anticipate their attacks.

But what do you do when they don’t have an objective? What do you do when they don’t want anything from you? How do you fight an irrational enemy?

These combat mechanics apply to everything, including the digital world. Hackers are the attackers and you are the victim. The main goal of a hacker is to obtain either money, taken directly through the attack, or a product of value, usually information. In turn, you use their goal to defend yourself.

They target your money directly, so you use strong encryption to safeguard your bank accounts and banking transfers. They target login credentials belonging to you or your clients, so you defend that information with elaborate passwords, physical authenticators and security questions. You anticipate which parts of your company hackers are targeting and why, what their objective is, and you concentrate your efforts and focus your resources on strengthening your guard there.

But what do you do when they don’t want anything? What specialized security measures do you employ when you are subjected to a cyber-attack that doesn’t have a goal? When the hacker doesn’t want to steal your money, doesn’t want to steal your information and has no goal in mind when he begins his attack? To us, this idea is absolutely ridiculous. After all, what is the point of breaking into somebody’s house if you’re not going to take anything? We are a rational, pragmatic, mercantile society and we use these values to govern our actions.

But some people out there have more imagination. These are the attackers that today’s digital security specialists are having the hardest time dealing with. Without a point to focus their defense around, IT specialists are unable to predict an attack pattern. All they can do is wait for the attack to occur and try to handle it in real time, while it is happening. These wildcard intruders are the main reason why there is no such thing as a perfect defense system.