[BreachExchange] Maybe security isn't going to get better after all

Audrey McNeil audrey at riskbasedsecurity.com
Tue Dec 20 19:49:23 EST 2016


http://www.infoworld.com/article/3151921/security/maybe-security-isnt-going-to-get-better-after-all.html

One billion-plus accounts stolen in one online heist. The U.S. presidential
election messed with by another country. Corporate secrets stolen and
released on the internet on a regular basis. More and more data held
hostage by ransomware. Stock markets routinely manipulated by hackers.
Denial-of-service attacks whacking websites all over the place.

Will computer security ever get better? Or is this the way things are and
we simply have to live with it?

For a long time I’ve speculated that it would take a tipping-point event
for the world to stop treating the horrible current state of security as
business as usual. It would take a major shutdown of most of the internet
or the major stock exchanges for a day or longer. Nothing else would be
shocking enough. Everything else is business as usual.

But maybe a global catastrophic event would not be enough. Maybe what we
have now is what we have for the foreseeable future. I’ve long worried that
this might be the case, but I haven’t wanted to admit it as a realistic
possibility.

The past is prologue

People and things change, but not so much. The best indicator of future
behavior is past behavior. Most real change is slow and nonlinear, and it
happens unexpectedly. I’ve been expecting computer security to get
significantly better for three decades now. It’s only gotten worse. Sure,
we’ve made progress in a few places, and we’re even arresting more big
hackers. But for the most part the overall risk of something malicious
happening is the same or higher than before.

Nobody has a plan

The biggest evidence that we aren’t going to have a significantly more
secure internet soon is that exactly zero big initiatives are moving
forward that could help. It seems the era of doing big things to the
internet’s underlying infrastructure is dead. We are still relying on
insecure protocols (Border Gateway Protocol, DNS, UDP) for most of the
behind-the-scenes plumbing. More secure versions have been tried for
decades and still the internet resists. Things that could make the internet
significantly safer aren’t going to be a reality anytime soon.

Acceptable risk

As bad as the risk is—essentially, kids and professional hackers can shut
down big parts of the internet or steal anything they want at will—the
world has responded through its inaction. This risk is acceptable compared
to the cost of better securing the internet.

This reminds me of a story Bruce Schneier wrote a while back. He said
computer security professionals are mistaken if they think users don’t
understand the risk of poor passwords. We professionals confuse the risk
incurred by poor passwords (such as exposing a company’s most cherished
intellectual property) with the risk to the user who chooses poor passwords
(basically, none).

Whose fault is it anyway?

Do any of us know of a single person who was punished, much less fired, for
using poor passwords? I don’t. I’m sure it happens. I’m sure someone used a
“123456” password that led to malicious hacking and was held accountable
for that stupidity. I mean, companies lose hundreds of millions of dollars
due to internet theft every year. Occasionally, someone must get punished
for it besides the odd CIO.

On the other hand, maybe it’s like the U.S. financial system, where blatant
fraud and untenable risk decisions led to more than $1 trillion in capital
going up in smoke, without a single person being successfully prosecuted
(except for this guy).

Even after the huge financial crisis, from which the world is still
recovering, relatively weak regulations were put in place to stop it from
happening again. In the United States, those regulations (Dodd-Frank) are
likely to be undone by the next Congress. This shouldn’t surprise anyone:
No one in government was fired for undermining regulations prior to the
meltdown, which made the whole mess almost inevitable.

The point is that the huge theoretical risk of bad internet security is
acceptable to almost everyone … until it’s not. Even if the worst happens,
it’s unlikely anyone will actually get in trouble, much less fired. If you
think of risk management that way—the real way every human being measures
it—then what we have is good enough.

I don’t like this idea at all. But I need to stop living in a dream world
where everyone suddenly realizes how bad internet security is and actually
demands something better. The fact is, we could make the internet
significantly more secure today for relatively low cost and most users
would support it. But lack of accountability means it’s not going to happen.