Some seem surprised by Microsoft’s admission, following the quick hacks of IE 8, Firefox and Safari at the CanSecWest conference in Vancouver last week, that its defense-in-depth strategy is “not fool-proof.” That shouldn’t come as a surprise to anyone with experience in the security field (whether IT or physical security). The truth is that all security mechanisms are designed to slow an intruder down, not to guarantee that he won’t be able to get in. The idea is that if you can make it more difficult to break into your network (or your house), the bad guy will give up and go target an easier one. But if someone is truly determined to get in, he probably will.
Think about your physical security. You might have a high fence, a big dog, deadbolts on the doors and a security alarm system, but if a burglar is absolutely determined – and has enough time – he can climb the fence, shoot the dog, disable the alarm and break a window to get in. Unless you live in a fortress (and even then), your security is not fool-proof. But all those mechanisms do slow him down, making it more likely that he’ll be caught in the act. So unless he’s motivated to specifically target your house because he knows you have $1 million in cash hidden under the mattress, he’ll probably go elsewhere, where the pickings are easier. And IE8/Windows 7 security measures such as DEP, ASLR and IE Protected Mode do the same thing – they make an attack difficult and slow, and discourage the random hacker from targeting you.
Security and access are at opposite ends of a continuum. Absolutely fool-proof security would not only prevent unauthorized persons from gaining access, it would also prevent you from accessing your own resources.