What Does Unhackable Mean?
October 1, 2018
Featured article by Christopher Nichols, Independent Technology Author
“I want to make this unhackable” is a question that comes up fairly often when working with security teams, tech contractors, and security professionals. Sometimes it’s a CEO who simply wants to protect business assets at any cost, but other times it’s an honest wish for better security, says Naomi Hodges, Cybersecurity Advisor at Surfshark VPN.
The answer itself is a landmine. Too much confidence can backfire when a compromise happens for any reason, while too little confidence can end a contract and cast a shade of professional doubt.
One thing is certain: whether you’re a client or a service provider, and whether you want a clear answer or not, “unhackable” is a fairly deep philosophical question that has to be approached carefully.
To be unhackable means that the service, product, or another asset in question can’t be hacked. This creates other questions, such as “what does hacking mean?” and “does that mean unhackable forever?”
It also lays down a challenge to hackers across the world to prove that claim wrong.
Can you make a door that can never be broken into? A safe that can’t be cracked? In other industries, such boasts are often taken with a grain of salt.
The same goes for the tech industry. For most contractors, the real answer is that they can make it extremely difficult to hack into, all while remaining ever-cautious that someone in the hacking community, their own team, or even the client making the request may be figuring out ways around the security.
But what if there was a way to make something unhackable? If there was some Master Programmer at some point who was able to create a program that encrypts in ways that can’t be hacked through with coding or exploits, would that be the end of security?
Not at all. The human element still exists.
Social Engineering Is Hacking
Before digging into the challenge of hackable code, find out if you have hackable people. The greatest security in the world won’t matter if there is a human element that could render the security useless.
The challenge is simple and as old as human civilization: if you’re protecting something, you usually want access yourself. In modern times, this means having a password so that you, employees, contractors, or other stakeholders can access the assets.
What happens when a person outside of the company or project gets their hands on the password? This is not a difficult or foreign concept: many tech theft scenarios involve stealing passwords through keylogging (keystroke recording), looking for written passwords, or simply asking for the password.
What if you use two-factor authentication? That becomes much harder, but what type of two-factor authentication are you using?
If you use a phone that creates a code, who has access to that phone? Can someone take an employee’s phone and simply punch in a one-time code? The phone itself should be secure, but “should be” is not a guarantee of security.
In these situations, a security expert’s promise of unhackable protection can be undone by the client or the client’s colleagues. That creates an entire industry—a niche that’s becoming too big to be a niche—that makes security easier for users.
Think about why that industry exists. Personal computers have been widespread and affordable since the 1990s and became familiar to the public in the 1980s and some of the 1970s.
There are children born of the desktop computer era, the laptop era, the age of the internet, and the mobile device age who are not only adults but either starting their own companies or even becoming tenured leaders (as is the case for older Millennials and Generation Xers).
With a population that grew up with technology, older generations expected some level of tech affinity. It’s there, but it’s not what was advertised in many documentaries and wishes for the future. Password best practices are still violated, and although the common sense of security is widely available, the human element can still falter to complacency.
Because of this, an unhackable digital technology can still be hackable through social engineering.
Challenge Of The Hackers
With the easy answer out of the way, it’s time to tackle the more technical side of the argument: truly unhackable technology.
When most non-technicians talk about hacking, they expect some kind of dark room hackers who type lines of code and look through complex mathematics to break into computer logic.
That’s certainly what some techniques look like from the outside, and Hollywood does a good job of dramatizing that aspect. What movies and crime TV shows fail to capture is the wealth of information in the hacking community—and how legal and useful much of it can be.
The true definition of hacking does not need to lurk in the shadows. Any clever solution to a given problem is hacking, and that definition rings true whether someone is breaking into a bank’s security without being seen or attaching a penny to a keyboard to run around in circles in a video game.
Your software, hardware, or other tech assets may not be unique or original. They often rely on pre-existing code that is repurposed, tweaked, and rerouted to perform specific tasks. The code often has certain behaviors, and skilled hackers know how to track down ways to exploit that behavior.
Sometimes there are no obvious exploits. In order to change the code, a hacker needs to gain access, and there may be no openings due to the years—decades, even—of best practices.
These best practices are what most people should shop for when hunting for effective security: tested, proven security practices and the avoidance of easy mistakes that can be exploited with a few Google searches.
When a product becomes popular, there are more reasons to look into the code for exploits. Some may do it out of boredom or to exercise their minds, while others are simply trying to steal from you. Still others are security professionals who either need to prove a point about avoiding a specific technique or simply want to help raise the bottom line of security.
When a product bills itself as unhackable, the true danger begins. The danger is often overstated; many security professionals are actively baiting hackers into testing the security for free, then applying patches and redesign techniques based on the compromise results.
If the boast comes from someone who doesn’t have much security experience or has no contingency plan for an attack, the real trouble begins. If you’re looking for reliable security, speak with a network security, software security, or general cyber security professional to discuss your specific system needs.