Mission: Impossible?

There’s a great piece in Mission: Impossible (the relatively recent Hollywood movie franchise starring Tom Cruise, not the original TV series many of us remember fondly) where he manages to break into CIA headquarters and, with the help of his colleagues, steals the NOC list (non-official cover operatives working for the US Government).

While pandemonium ensues at spy central, Tom’s alter ego Ethan drives away in a fire engine, his face an expression of steely determination – though also, we suspect, a touch of smug satisfaction. And why not? After all, another seemingly impossible mission (one of many) ticked off and shown not to be truly impossible. Just very, very difficult.

If only we could say the same thing about information security. Your mission (should you choose to accept it) is to secure all manner of valuable data, residing in any number of systems, devices and who knows where else. Well, many of us in the Security industry have accepted the message (and we’re glad to report it hasn’t self-destructed on us – not yet anyway). But is there such a thing as cast-iron, guaranteed, unbreakable security? Is there a way to protect our data knowing there is absolutely no chance it can ever be compromised? Or is that a real mission impossible?

The information security industry’s own CIA is rather less glamorous. Confidentiality, Integrity and Availability. Keep the information secure, ensure it is what it claims to be and let users access it and use it to complete their daily tasks.

Trouble is, there is often a trade-off between security on the one hand and usability on the other. The more we seek to lock down systems, the less usable they potentially become. Effective security is about finding the right balance.

If we put usability to one side, then maybe there is a way to secure data so that it is truly secure. But that’s a hypothetical scenario. In the real world, data that is off limits all of the time, for everyone, never to be accessed and used, carries no meaningful value. Practically, even if we lock down systems to an extreme level – make them virtually ‘unusable’ or at least user-unfriendly – it’s hard to claim they are completely secure. Take the example of air-gapped computers or networks. We know it’s possible to hack these systems, despite their lack of connection to other machines and strict policies governing their use.

Why is bulletproof security something of a holy grail? Something to aspire to, but always out of reach?

There are plenty of reasons; we’ll highlight just a few here.

Firstly, the systems we use were never designed with security in mind. The focus was always on functionality; nobody envisaged the potential for misuse in the manner we see today. For a long time, security was retrofitted or an afterthought when new products and solutions were brought to market. Even today, with the growing use of methodologies such as DevSecOps, secure coding practices and SAST tools, software still remains largely insecure – hence the constant battle to identify and patch vulnerabilities.

Secondly, hackers and cyber criminals aren’t sitting still. Techniques to bypass defences are constantly evolving. From using stolen digital certificates and stronger encryption, through the advent of memory-resident or fileless malware (which leaves little or no footprint), to turning their attention away from traditional software layers and instead exploring how to exploit hardware (for example, motherboards and processors), the hacking fraternity is adept at circumventing measures put in place to protect systems. And even if the products being used can’t easily be exploited and network security appears to be rock solid, the hacker knows that he or she only has to compromise the weakest link in the chain – often the end user (me and you). In fact, the vast majority of advanced attacks start with the user, with effort being directed at fooling individuals into clicking on malicious links or opening attachments.

Cyber warfare increasingly makes headlines, but the sparring between nations in cyberspace has significant fallout. State actors bring a far greater level of resource and expertise, and their ‘raising of the bar’ often has unintended consequences. Sophisticated techniques and tools trickle down, giving additional ammunition to hackers.

Not only are adversaries becoming better equipped, they are also benefiting from a division of labour and specialisms within the world of cybercrime.

For example, botnets can be hired to carry out denial of service attacks or help spread new variants of malware. Cooperation and trade between criminals have led to extensive availability and sharing of tools, making it easier for individuals possessing limited technical skills to carry out attacks.

We also have the challenge of dealing with an increasing attack surface. Every day sees more connected devices, more platforms and technologies to exploit, more people online, more data of value. Working out what to prioritise and how best to minimise the risk becomes a struggle.

That’s far from the whole story, but enough of the doom and gloom. Even Tom and his MI team could be forgiven for discreetly abandoning this particular mission and slinking off to lie low for a while. In fact, there are good reasons to be positive.

It’s important to keep in mind that there is nothing unusual about this battle to secure our information – conventional crime is far older, yet despite the evolution of human societies, it remains an unsolved problem, something we continue to fight against. The same applies to Cyber Crime.

Greater understanding of the importance of information security in society generally, and increasing realization among different stakeholders specifically of the need to treat it as a priority, is driving a more joined-up approach backed by greater resources. The Security industry continues to invest in solutions to the problem; new approaches and technologies – such as Machine Learning and Artificial Intelligence – are helping us build higher walls.

These things, and many more, help. But no one approach is sufficient. We have to think holistically. To make the hackers’ life as difficult as possible we have to work together, and we all have a role to play in this. Every user can learn to better understand the risks associated with leading a digital life and how best to navigate his or her way through the often choppy waters of the internet – the surface may seem calm at times, but danger lurks underneath, never far away.

There isn’t, and never will be, foolproof security. But if we remain vigilant, stay focused and determined, we can learn to avoid the pitfalls and better protect our information. The team here at Circumvensys, like many other Security professionals, have risen to the challenge. Mission Impossible? Game on.
