Posted by: David Schneier
Application Security, Information Security Threats
One of the aftereffects of the terrorist attacks of Sept. 11, 2001, was a hyper-awareness of security in both our physical and digital environments. This has translated into the creation of new government agencies (DHS, TSA), rafts of legislation and billions of dollars of venture capital investment in new security technologies. Leaving aside the wisdom of some of these laws and policy decisions, I think it’s worthwhile to consider whether all of this focus on, and investment in, security technologies has in fact made us any more secure.
Speaking strictly about information security, I think it’s hard to say that things are much better right now than they were in 2001. They’re just bad in a different way. Seven years ago, our big problems were worms and viruses like Nimda, LoveLetter and Melissa, and DDoS attacks that were taking down various e-commerce sites. The focus was on ways to improve antivirus protection, better anomaly detection in IDS and IPS products and finding ways to better filter the traffic coming into your enterprise.
Now, we have an absolute cybercrime epidemic that makes Code Red and Nimda look like a joke. We have organized, well-financed and well-trained gangs of attackers who are using custom Trojans and rootkits to target very specific groups of victims and steal billions of dollars through credit card fraud and bank scams. And we have the little problem of widespread SQL injection attacks that are turning legitimate sites into malware servers. And those are just the big problems. We could also talk about the sad state of security on our critical infrastructure, thanks to the revolving door at DHS, not to mention the lack of education on software security happening at the university level.
How these problems are connected to the post-2001 boom in security investment and the creation of our culture of surveillance and security theater is less clear. But I would say first and foremost that we have been focusing on the wrong problems for much of this decade. While enterprises and vendors were worried about network security, firewall sandwiches and whether NAC would save the world, the attackers were focusing on the simple, ubiquitous flaws in Web apps and back-end systems that they can exploit to their heart’s content. They also were busy building massive botnets with sophisticated fast-flux infrastructures and peer-to-peer communications. Groups like the Rock Phish gang have been constantly honing their skills and testing new methods. What this means is that we are not only playing catch-up with the attackers, we’ve been playing a different game entirely.
I talked to Billy Hoffman of Hewlett-Packard Co. yesterday for the Nameless Security Podcast, and he made an excellent point about this disconnect. His contention was that, sure, the attackers have gotten smarter, more organized and more sophisticated, but we’ve also allowed them to become lazier by lowering the barrier for them to own a database or plant malware on whatever machine they choose.
So if throwing money at the problem hasn’t helped, what will? I’d say that money certainly can help, as long as it’s applied to the right problem. More funding from the government, private industry and other sources for security education for developers would be a good start, both at the university and professional levels. Ask Microsoft how that investment can pay off. But that’s just the beginning. What else can be done to get things going in the right direction? Let me know.