Prevention Always Fails, Detection is a Must

Many people believe that when they buy a brand-new computer, it was designed and configured with security in mind, but it wasn’t. It was designed and configured with usability in mind. Computers are either usable, or secure. They cannot be both, no matter how badly you want them to be. Security is a sliding scale with usability on one end and security on the other.

Secure configuration of your computer is preventative. You are trying to prevent threats from causing harm to your computing assets. The ways a threat can cause harm are called vulnerabilities. Bugs in software are one example. Things that reduce vulnerabilities are called “controls”. A software patch (or update) is a control to reduce the vulnerability of a software bug.

You can think of it this way. It’s not unlike putting in a chain link fence (the control) to keep the javelina (the threat) out of your garden (the asset). You are not naïve enough to think the fence will keep tiny birds off the peach tree. That’s not what the fence was designed for. So you add a different control designed for birds. Many people will place a large fake owl close by. It’s a deceptive control to fool the birds into thinking a predator is lurking.

You have installed controls on your house to reduce the vulnerabilities a burglar might use to break in. Locks on the doors and windows. But a determined burglar can still get in if they have the opportunity. You may have installed motion sensors to alert the police in the event of a break-in. That’s a detection control to further reduce the vulnerability your preventative controls may fail to mitigate.

When you were little, your mom made you wash your hands to prevent you from getting sick. Washing hands is a preventative control. When you DID get sick, your mom put her hand on your head to see if you had a fever. That was a not-so-accurate detective control. If you felt really hot, she may have used a thermometer to get a more accurate reading. Your computer comes from the vendor with some detective controls about as accurate as your mom’s thermometer hand.

In the face of an advanced threat, prevention always fails. Eventually. Like washing your hands. You should consider installing some detective controls to alert you when it has.

Prevention and detection are not your only recourse. You can get out in front of this dilemma by introducing a deception control. As an example, every time you visit a website, your browser announces to the web server a tremendous amount of valuable information, namely, which browser and which operating system you are using. This is usually enough information for a threat to deploy an attack. But you can change your browser settings to lie about it. Then when you visit a compromised website, the threat will deploy the wrong attack. This deception technique isn’t 100% foolproof, and it may cause some of your favorite websites to not display properly, but it’s something you should look into.

Your mom had a thermometer on hand as a detection control because she knew hand washing would fail to prevent illness eventually. For your computer, antivirus and firewalls are prevention controls that eventually fail. Without detection you’ll never know when they have.