Top 10 Reasons Computer Security Fails

With computer security being so critical to people’s daily lives and failures being so prevalent, one might wonder why this is happening. Here’s my take on what’s led to the insufficient protection applied to so many computer systems.

  1. Most people don’t want to know about security and would prefer to live in the belief that they’re safe. The truth is that most people shouldn’t have to be concerned about their security and privacy. Of course this perspective does not apply to people who are responsible for computer systems. Yet I often see it implied in organizations’ priorities.
  2. Many organizations don’t recognize their risk. They believe they won’t be targets if they’re not the government, critical infrastructure, or a defense contractor. The truth is that every organization with money is a target because some people would rather steal it than earn it.
  3. People have a false sense of security. They believe they’ll be safe if they meet regulatory requirements such as Sarbanes-Oxley, PCI DSS, or HIPAA. To be sure, these regimes have raised the bar on security and have driven much of the IT security business for the last 15 years. But they establish a baseline derived from general best practice, which naturally encourages “security by checkbox.” The result is a rather static security posture that often doesn’t account for the organization’s own risk.
  4. Even when organizations recognize their risk, they accept a certain amount of exposure. I once ran into a financial organization with a data system that didn’t require a log on to execute transactions. I asked if they had any fraud and suggested this was something worth fixing. They responded that they saw several hundred million dollars of annual loss on the system, probably to organized crime, but it was too much trouble to change. The “leakage” was considered acceptable for the amount of money going through the system.
  5. Attacking is easy and defending is hard. The attackers have the advantage of the initiative and defensive security must cover everything. The security team must protect environments with many complex systems that may be integrated in dodgy ways. Business requirements may preclude software upgrades that include critical security patches.
  6. Security is expensive. There’s constant pressure to reduce cost and business leadership often assumes the computing environment is safe (see item #1). Money spent on security isn’t going to help the CIO’s bonus so there’s little incentive to spend on it – until there’s a huge breach.
  7. Security isn’t sexy. People are told they should do more to secure their computers just like they should floss their teeth, change the filter on their furnace, and clean the cobwebs. Folks are busy and it’s easy to put the chores of daily life on hold, especially if there’s something fun going on. Computer professionals are no different.
  8. Security is hard. There are many moving parts, each of which depends on the others in complex ways. This is hard enough to manage when software is new and gets harder as it ages. One often runs into “spaghetti code,” where change upon change has been made to a program until nobody quite understands how it works. The more recent move to microservices has made this both better and worse: it allows more capable systems to be built, but at the expense of transparency, since behavior now emerges from many small services and the interactions among them. Engineers are often unaware of how the programs actually work, and this opacity leads to vulnerabilities that can be exploited. All of this gets harder still when applications are stitched together, as enterprises do. Yet most enterprises don’t look at software systematically, nor do they actively work to reduce the complexity that increases costs and creates vulnerabilities.
  9. Computer managers have given up and won’t take responsibility. An attitude has spread through the security industry that hackers can’t be stopped and it’s only a matter of time before any system is hacked. This is probably true at some level, but it shouldn’t excuse a lack of effort. I’ve consistently heard CIOs looking to shift blame to staffers for breaches or to buy insurance, neither of which changes the behavior of bad actors or protects computers, let alone the people using them.
  10. Management isn’t held accountable. The common response from hacked organizations is to buy their customers credit monitoring for a year. At one time my credit was covered by three of these policies due to hacks. Target, Premera, Kmart, Anthem, Neiman Marcus, OPM, Home Depot, T-Mobile/Experian, and Equifax represent a few organizations who have taken this approach. It’s interesting that these credit monitoring services are provided by companies like Experian and Equifax, who have been hacked themselves. It’s more interesting that organizations are finding this is sufficient to get them off the hook, even when they’re not all that helpful.
  11. And a bonus 11th item: The IT industry needs to do more. Most security professionals know about these challenges and lament that not enough is being done. They complain about management misunderstandings, budget constraints, and a lack of interest. They feel placed in a box they can’t get out of. This may be true, but it’s also an excuse. We security professionals are hired to protect environments because our employers don’t understand the details. It’s our collective responsibility to explain situations so others take them seriously. If people don’t listen, then we must find better ways to communicate the risk and motivate action. The industry has made big strides, and frameworks like those from NIST and ISO are fantastic steps, but they are insufficient by themselves. Security professionals must motivate organizations to adopt and apply these frameworks. Then organizations must realize that simply adopting a security framework does not make them secure. I’ll talk more about this next time.

Internet Battle

I believe we’re engaged in a battle on the internet. It is an asymmetric conflict: one side is actively attacking and winning, while the other is on the defensive and may not even be aware that it is engaged.

As with many human endeavors, some will try to turn any situation to their advantage, and it’s unsurprising this would happen on the internet. What is different this time is how easily one can gain tremendous advantage at others’ expense with minimal risk, because the internet allows effectively anonymous and hard-to-trace action at a distance. This action ranges from the mischievous, through the cynical, to the evil.

To be sure, commercial and nation-state actors are increasingly aware of the opportunity, power, and compulsion to engage in this new battlespace, but offense has a tremendous advantage. Contrast this with the post-World-War-II international order, in which power was held by unprecedentedly strong nation-states that certainly had the means for global destruction but were kept (sometimes barely) in check by a desire for stability rooted in fear of the alternative.

In that world, an attacker could expect to be met with an overwhelming and potentially disproportionate response that would destroy not only him, but also his society and the planet. Thankfully, these actors’ sense of self-preservation, if not their morality, helped prevent a conflict guaranteed to be worse than the World War they had often personally experienced.

Nation-states’ appetite for expansion and gain was tempered by the realization that they themselves would be harmed by such actions. Meanwhile, they addressed crime through the expansion of international law, surveillance, and enforcement.

This has changed.

International stability checked nation-states’ compulsion to gain at others’ expense. At the same time it produced unprecedented societal growth and, with it, unprecedented vulnerability.

People being innovative, they have worked to find other ways to compete and gain advantage.

“Terrorism” was the first step, creating a hybrid of nation-state-style politics with criminal action. Loosely organized non-state actors discovered they could gain advantage by disrupting large societies at relatively little cost to themselves. They might take these actions to “fight back” at governments they deem oppressive and incompatible with their chosen way of life. This is accomplished by preemptively and anonymously attacking soft targets, those least prepared to expect and respond to it. Nation-states struggle to respond because traditional military and law enforcement organizations were not designed to address this threat.

This terrorism has moved to the internet. The international, inexpensive, easy-to-use, and ubiquitous nature of the internet gives organizations an opportunity to gain advantage, be it political, financial, or ideological.

It is well known that groups like al-Qaeda and Daesh/ISIS have used the internet to extend their reach at relatively low cost. Social media facilitates recruitment, encrypted messaging provides secure communications, and online commerce systems support fundraising. These capabilities were not available to earlier groups, whose growth was limited as a result.

Governments are very concerned about the perceived threat from these new capabilities. They’ve advocated requiring software companies to build backdoors so that encrypted communication can be decrypted. There are numerous technical, social, and legal consequences of this approach (not least that any decryption capability built for governments is itself an attack surface that must be defended against every other adversary), and I expect it will never come to fruition. I’ll chat about this in a future post. In the meantime, I’ll share that Australia has gone so far as to say that its laws prevail and it wants the access regardless of the laws of mathematics (which underpin encryption). Interesting.