If you own a printer or a smartphone, you’ve probably done some rethinking about a few things over the past week or two. The recent rash of headlines to hit the mainstream media has produced much speculation, misinformation and meetings with Congress, but it has been successful in reaffirming one thing:
Security is a myth.
On the surface, the act of collecting semi-personal information about our calling habits and surreptitiously shipping this data off to mobile phone carriers is bad. At a minimum, having 140 million printers and multifunction scanners and faxes on our networks that are vulnerable to attack is bad.
But the real problems go much deeper.
Consider that our mobile phone carrier told us all about CarrierIQ, but we didn’t care. Yes, it’s right there in the fine print. Very fine. Our End User License Agreement told us that they were going to steal our personal information and use it to analyze our usage habits, and then we happily signed the paperwork. We had a chance to say no, but we either didn’t care, didn’t take the time to understand the security implications, or made the decision to trade our personal data for convenience.
We do it every day.
We should also consider that Angry Birds isn’t much different from CarrierIQ, and the information is going to a pretty-much-unknown third party. Our names, addresses, possibly even our GPS coordinates given the appropriate permissions. Yet we happily trade that information for a few minutes of enjoyment.
It’s bad that smartphones are shipping off our personal information, but it’s much worse that we said it’s OK.
And we introduce hardware and software to our work environments in the same manner. Hardware and software that was never designed to be secure. Sophisticated multifunction devices that host web servers and command shells that accept software updates and connections from anyone. These devices are like hacker outposts.
It may be bad that these devices are vulnerable, but it’s much worse that they have access to all of the other assets on our networks.
If you want to know what it’s like to attempt security in today’s world, try jumping into a pool without getting wet. The odds are the same. Everything around us is vulnerable, from our resumes to our Facebook walls, from our mailboxes to our personal interactions. The true saving graces are that there are always less secure entities than you and there are only 24 hours in a day.
Now if this sounds a bit cynical, please don’t misinterpret: I believe that good will always prevail over evil.
We just might get a little wet along the way.
It doesn’t take a security genius to figure out that the theory of preventing security incidents – from malware infestations and child porn cases, to bank fraud and data breaches – is a failed concept.
For years we have ignored, overlooked or rationalized the dramatic increases in both security spending and losses from cybercrime. Despite a 40 percent annual increase in information security budgets, the total of losses and costs from security incidents has increased 400 percent. This can only mean the following:
- We are spending our security dollars on the wrong things. If your company spends more on security hardware and software than it does on security policies, processes, measurement and analysis, it may be time to review your priorities. Security peace of mind comes from knowing exactly where your weaknesses are and the knowledge that you’ve effectively strengthened them. Ask your security hardware vendor to guarantee their product’s effectiveness – they’ll respond only with a smile. You may also be interested to know that the US Military spends more on analysts and communications than it does on guns and artillery.
- We are implementing the wrong things incorrectly. Whether it’s the use of default passwords on firewalls or misapplied IDS and SIEM rules, commonplace security hardware and software is falling down on the job. But it’s not doing it alone. Just like guns don’t kill people, firewalls don’t ALLOW ALL. Without a thorough, consistent Certification and Accreditation process, companies will continue to put hardware and software on the wire that does little to protect them, all while introducing new vulnerabilities.
- The wrong things, once implemented incorrectly, are not being assessed or measured for incorrectness. It is a well-known statistic that a significant majority of security breaches are made possible by the lack of effective patching of systems and applications, where patches have been available for six or more months. While poor configurations are released into the wild, effective assessments can reduce those risks. How well is your security infrastructure protecting your business? If you can’t answer this question quantitatively, it’s time to implement a system of regular assessment and measurement.
One of the most profound findings from 2011’s Verizon Business Data Breach Investigations Report (see image) was that 86 percent of data breaches were discovered not by the afflicted parties, but rather by the afflicted party’s customers, partners or business associates. This staggering number demonstrates that despite all security efforts, companies are doing an inadequate job of prevention (and detection, in this case).
The time has come to shift our efforts to detection and correction, or at least institute a better balance across these domains. Consider your bank, and what they consider their most valuable security controls. Rarely do you find armed guards at banks today, and most of them prefer glass doors. Inside, however, you’ll find cameras, panic buttons and dye canisters at every teller station. You can’t stop bank robbers, but you can stop bank robberies.
With all of the press around security incidents these days, blogs like this feel like beating a dead horse. Unfortunately, if this preaching weren’t falling on deaf ears the statistics would be headed in the other direction. So grab your conscience, some duct tape and a bottle of water, there’s work to do.
And grab a shovel, we need help digging this grave.