One of the main concepts in the field of computer security is the concept of class break. Class break refers to a particular security vulnerability in the sense that an entire class of systems is broken because an attacker can take remote control of every computer running on the system software. This kind of computer systems’ failure can further be exacerbated by the features of computer as it takes only one smart person to figure out how to attack the system. As the attacker can do it over the Internet there is no need to be near the victim. The attacker can also automate the attack, so it works while he sleeps and he can pass the ability to someone else without the skill. This changes the nature of security and how we need to defend against such attackers.
Class Breaks in our Daily Lives
For example, picking a mechanical door lock requires skill and time. Each lock is a new job, and success at one lock does not guarantee success with another of the same design. Electronic door locks in hotel rooms have different vulnerabilities and if one can find a flaw in the design allowing him to create a key card, all doors can be opened. This would count as an example of class break.
Although class breaks might describe how computer systems could fail, they don’t tell us about how we think about such failures. We still think about car security in terms of individual thieves manually stealing cars; we don’t think of hackers remotely taking control of the cars.
Thinking in Class Breaks
We can think of class breaks in the following ways: Imagine the difference between burglary or fires which happen occasionally to different houses in the neighborhood and floats or earthquakes which either happen to everyone or to no one. Inherently, these are different types of risks. The increasing computerization is moving us towards a different model in which a given threat either affects everyone in town or does not happen at all. Yet, there is a key difference between floods/earthquakes and class breaks in computer systems. The former are random natural phenomenon whereas the latter are human-directed. Floods don’t change to behavior to maximize the damage based on types of defenses we built; attackers do that. As they examined the systems looking for class breaks once one break is found this will be exploited again and again until the vulnerability is fixed.
The World of IoT
As we move into the world of Internet of Things
where computers permeate our lives at every level, class breaks will become increasingly important. The combination of automation and action-at-a-distance will give attackers more power and leverage than they ever had before. Security notions like the precautionary principle – where the potential of harm is so great that we err on the side of not deploying the new tech without proof of security- will be more important in a world where an attacker can open all door locks. It is not an inherently less secure world but it’s a different secure world. It is a world where driverless cars are much safer than human-driven cars, until suddenly they are not. We need to develop systems that assume the possibility of class breaks and maintain security despite them.