Why does the rate of technology matter to security? Two reasons: technology is never flawless, and finding those flaws has become automated.
The people making technology race against a clock; they need to release their product or service quickly to gain a competitive advantage, to address customer needs, or, frankly, to start making money. Security can feel like a sunk cost when an organization is focused on making its business viable.
With each new piece of technology comes new and complex software and hardware. Even the most talented engineers and designers cannot predict the future or build things perfectly on a budget. Inevitably, there will be weaknesses—and these can be used to make the technology do something it wasn’t intended to do.
This is exactly what hacking is all about—finding different ways to make a piece of technology do something it is not meant to do. Often technology is made to hold, transfer, or process data. Hacking makes it possible to access, modify, or delete that data.
The weaknesses, or vulnerabilities, are not always obvious at the start. It might take time for these to be discovered. This is the difference between known and unknown vulnerabilities. There might be some people who share the vulnerabilities they find in software and hardware with the world, but that can’t be counted on. Once a vulnerability is made public and known, it is up to everyone who uses that software or hardware to apply the fix, or to use alternative software or hardware if there is no fix.
However, just as we write scripts and code to make our technology, people can do the same to make tools that find weaknesses. These tools are like double-edged swords—the tools can be used for defense (to find weaknesses), or they can be used for offense (to attack your technology). When used for offense, we often call them exploits.
The probability that a potential security vulnerability will be identified and exploited, and that this will lead to an impact on your organization, is called the risk the organization faces.
It looks like this:
You build a new piece of technology with multiple pieces of software.
If you find out about new weaknesses in the software you use, you will have to either apply the fixes, change to a different piece of non-vulnerable software, find other ways to protect your software, or do nothing.
Meanwhile, attackers might be adding those new, known weaknesses to their tool set so they can find them and hack your technology.
The more software you use, the more times you have to repeat this process.
If it feels unfair, that’s because it is.
Katie Moussouris’ interview in The Verge is a great starting point to learn about the vulnerabilities market. She has done amazing work and research in vulnerability disclosure and bug bounty programs (organizational programs that pay for vulnerabilities found in their products).
Nicole Perlroth and Kim Zetter are fantastic authors and cybersecurity journalists who tell fascinating stories about the vulnerability market.
Everything is now online. If your organization doesn’t use current tools, or even have a website, you will lose out to your competitors. Avoiding technology isn’t really an option if you want to run a business—no matter how small the business.
You might think you are too small a business to be attacked. Surely, that could only happen to the larger company that has big and valuable data to lose. But on the internet, no one cares how small you are.
An attacker’s two most common goals are (1) to access your data and (2) to use your resources (like your servers, mail systems, or online reputation). If they are trying to harvest as much data and resources as they can, they will often go for the lowest-hanging fruit.