Jakob Türk 16 Feb 2022

Is imperfect good enough?

This is perhaps a flawed, leading question, but it’s also a contentious topic within the information security community – how good is good enough? Security is not necessarily a zero-sum game, but if a company could only implement a limited number of security policies, shouldn’t those policies be near perfect? And why would we spend time implementing something flawed in place of something perfect?

In a perfect universe, the best possible security practice would always be implemented for every situation and application, but this is simply not realistic. The vacuous, enigmatic company we see in our mind’s eye will not have the real-life flaws and quirks of an actual place where people work, where some devices run Windows XP, and other devices can’t be allowed a second of downtime.

Flawed approaches that work

As an example, another broadly discussed topic is the efficacy of SMS Two-Factor Authentication. Compared to an authenticator application, SMS 2FA is less secure and more susceptible to hijacking. But if it’s the only option available for a user, or the only option the user will accept, then it should be used. The benefits of MFA outweigh the drawbacks and potential risks, and normalizing the use of MFA in everyday life should be encouraged. Threat models may vary, but for most applications, having the extra layer of security to stop a simple password spray of leaked credentials will block a vast number of attacks that might otherwise have compromised the user’s accounts.

A similar philosophy applies to the geoblocking of IP addresses. This is, perhaps, more of a specific tool to be used in a specific circumstance than a flawed solution, but the principle is similar. In the example of a security breach, a geolocation block of IP addresses outside of the local country will not block every attacker and is certainly not a perfect solution – but it is a fast and efficient way to block a vast number of attacks that might otherwise compromise the environment. Will it block all attacks? Certainly not. A dedicated attacker could easily use a proxy or other method to simulate a local IP address, but it will sweep away many active risks, despite being flawed.

In summary

Perhaps it is more a reflection on the pedantic nature of the information security community, but I find the elitist, perfectionist view to be detrimental not just to inclusivity, but to some degree also to the efficacy of information security itself. That’s not to say great things haven’t been born from an attitude of perfectionism, and indeed, the very hacking mindset that looks for unintentional exploits or flaws is to some degree a core philosophy of the community itself – but it shouldn’t come at such a detriment, in my opinion.

At the risk of ending on a vacuous statement: the perfect solution is the one that works. Be cognizant of the limitations of your implementation, but don’t get lost hunting for an elusive perfect solution. If there were one, many of us would be out of a job by now.