Information Security Absurdity

There is an article entitled “Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security”. I read it on Slashdot, where it drew some really scathing commentary. It contains a really bleak description of the current state of information security:

It is time to admit what many security professionals already know: We as security professionals are drastically failing ourselves, our community and the people we are meant to protect. Too many of our security layers of defense are broken. Security professionals are enjoying a surge in business and growing salaries and that is why we tolerate the dismal situation we are facing. Yet it is our mandate, first and foremost, to protect.

The ramifications of our failure are immense. The success of the Internet and the global economy relies on trust and security. Billions of dollars of ecommerce opportunities are being lost due to inadequate security. A recent survey of U.S. adults revealed that three times the number of respondents believed they were more likely to be victimized in an online attack than a physical crime. A recent Gartner survey indicated that 14% of those who had banked online had stopped because of security concerns, and 30% had altered their usage. People are simply losing trust in the Internet.

The security community is not just failing in one specific way, it is failing across multiple categories. It is being out-innovated.

Most of the facts in the article are absolutely true. There really is a failure somewhere. Let us all face it. Information security is only as strong as its weakest link. Every information security professional presents to management a list of risks affecting the organization. Each risk is then assigned two costs: the cost of the risk itself and the cost to mitigate it. Each manager is then faced with the decision to either mitigate or accept the risk. The problem with information security is that certain threats are simply too expensive to mitigate. Threats that involve acts of God, lazy people, or other people’s software, networks and infrastructure are particularly hard to solve. In the end, people just ignore these risks. That ignored risk becomes the weakest link, it gets exploited, and security fails.

Another problem with security’s weakest link concerns people, entities or organizations not willing to invest in information security. These people, entities and organizations become vulnerable and later become vectors for attack. They may not even belong to one’s own organization, or they may be beyond one’s administrative reach. If a vendor refuses to patch a vulnerability in their software… If thousands of home computers are transformed into mindless spambots… How are one organization’s information security people supposed to solve all the world’s information security problems?

I disagree with the article’s claim that this failure is due to a lack of innovation. There are always new and novel ways of dealing with information security problems, and most of them are solvable with current technology. Instead, I believe the failure comes from our inability to cost-effectively apply information security consistently across the entire infrastructure and all the networks it depends on. But is this reasonable to expect in this age of well-interconnected networks (such as the Internet)? Can we secure every part of it? The only secure system is one that is powered down, disassembled, boxed, vaulted, sealed and blasted into another universe. Even then, what if aliens exist and send the system back…

2 Responses to “Information Security Absurdity”

  1. Pipboy Says:

    >> Another problem with security’s weakest link is about people, entities or organizations not willing to invest in information security.

    It would be good if schools could integrate security courses and topics into the curriculum of computer science, information systems and management-related courses to raise awareness regarding information security. Too many students are coming out of college knowing a lot about what and how to set up businesses and information systems, but little about why and how to protect them.

    Yes, they might know that they have to protect their intellectual property, but framing “virtual assets” from a “brick-and-mortar” business perspective usually limits the security measures to patents and security guards. Crude and effective, but insufficient. Information security as a part of TCO rarely comes to mind. In addition to that, most startups skip information security to cut down on costs. As they grow bigger, these companies then play an expensive game of information security catch-up.

  2. wyuwp Says:

    Ah yes, the famous TLA (three-letter acronym) TCO (total cost of ownership). It is good you mentioned this. Most companies do not see the information security risks until they are faced with them. Most people think that TCO is a problem only for big corporations. Here are some classic TCO-bites-my-back problems for SMEs:

    No anti-virus, anti-malware, or firewall software. This normally translates into lost productivity when workstations are taken out by malware. Spam is another item that can be added here, as people spend more and more time filtering spam than reading valid email.
    No investment in PC upgrades. This also translates into lost productivity. As workstations fail, companies spend more and more time fixing them. This is why desktop support is rarely a problem when companies start out, but it becomes a major problem when companies grow.
    No perimeter protection. It is typically difficult to invest in protection for all the workstations. One of the most basic things a company can do is enable firewalling in their DSL routers.
    No user education on information security. This is the single most important aspect of information security, as a greater number of exploits are targeted at people and not machines.

    There are many more cases of SME-technology-hits-me-in-the-head problems. It would definitely help if students were aware of these even before they hit the streets and the halls of Makati.
