An expert on the media once said that when we follow the news on a certain topic, we end up forming a picture solely based on exceptions – as it’s those exceptions that make the news.
That’s no different in security: if you are an avid reader of security news sites – and the fact that you are reading this blog suggests you are – you may have gotten the impression that the Internet is totally broken and that determined attackers and unskilled defenders are each doing a good job at breaking it a little bit more. If you then also talk to security vendors, you may also believe that no product or service is able to fend off attacks – except theirs, of course.
In practice, things are nowhere near as bad.
Security is a process and as long as we’ll have computers and an Internet, we’ll need IT security, just like buildings will always need fire extinguishers and shops will always need mechanisms to mitigate the risk of shoplifting.
When you walk around the Infosecurity Europe floor, attend a security conference or just read the security news, do so while keeping in mind that 100% security doesn’t exist. And if you judge a security solution or service, do so keeping in mind that it’s not going to provide 100% security and that its main purpose is to mitigate threats.
Anti-virus solutions don’t block all malware, but they do a pretty good job at keeping most threats at bay. Spam filters don’t stop all spam, but they do make sure your inbox isn’t flooded with unwanted emails. Anti-APT solutions don’t stop all advanced persistent threats, but they could raise the bar quite a bit.
Even encryption technology won’t be able to prevent an adversary from reading data when it is being stored, or from attacking the endpoints – but it does make said adversary’s life a lot harder.
And there are of course tools and services that are explicitly meant to mitigate the fall-out of attacks that have already taken place.
Perhaps because of the binary nature of computers, many of its users take a binary view of security, in which things are either perfect or, if they are not, they are utterly broken. Thankfully, the real world is a little bit more complicated.
Just don’t expect perfection, but look for what best mitigates the risks for you. That’s not only the least you can do, it’s also the best you can do. Enjoy Infosecurity Europe!
Virus Bulletin blog has been nominated in the third European Security Blogger Awards.
Winners of the European Security blogger awards will be announced on Wednesday, 3rd June 2015 at Olympia London, from 17:30 in the Pillar Hall.
You can vote here (voting closes midnight GMT on Friday 29th May 2015).