August 31, 2004

Crypto-Guru Bruce Schneier on IT Threats

Just after I posted regarding IE and malware, I came across this interesting Bruce Schneier interview at Neowin. Bruce is a well-known cryptologist and security expert, and I've read his informative book, "Secrets and Lies".

As you can tell from my prior post, I heartily agree with Bruce, particularly on this point:

"What do you see as the biggest threat in the IT age?

People. Since the beginning of time, people have always been the biggest security threat. That hasn't changed because of computers. People are why firewalls are invariably misconfigured. They're why social engineering works. They're why good security products are rarely deployed properly. Securing the computer and network is hard, but it's much easier than securing the person sitting on the chair in front of the monitor."

Regarding the ultimate responsibility for security:
"If you were to look at 3 areas - The Software Designer, The Systems Administrator, The User - who would you say should bear the burden of responsibility for security? Or do you perceive it to be a shared responsibility?

Right now, no one is responsible; that's part of the problem. In the abstract, everyone is responsible...but that's not a fair answer. In the end, we all pay. The question really is: what's the most efficient way to assign responsibility? Or: what allocation of responsibility results in the most cost-effective security solutions?

We can't survive with a solution that makes the user responsible, because users don't have the knowledge and expertise to be responsible. The sysadmins have more knowledge and expertise, but they too are overwhelmed by the sheer amount of security nonsense they have to deal with. The only way to solve the security problem is to get to the root of it, and the roots are in the software packages themselves. Right now, software vendors bear no liability for the software vulnerabilities in their products. Changing that would put enormous economic pressure on software vendors, and improve computer security faster and cheaper than anything else we can do. I've written about this here."

Again, this illustrates my point about users simply not knowing any better while contributing to the problem. But that's reality, like it or not. Some may take the initiative to better protect themselves (especially after getting burned at least once), and others won't. While there's a lot of self-help available online (you know it's bad when WSJ's Walt Mossberg covers spyware this month), it only goes so far. When it comes to security, people are often the weakest link in the chain. Just ask this law firm whose longtime bookkeeper fell prey to a Nigerian e-mail scam to the tune of embezzling $2.1 million. The breach in security wasn't just the person who embezzled the money, but also the management under which it occurred, and the bank manager who approved all of the wire transfers even though the bookkeeper was not authorized to make such transfers. I also recommend reading Sharon Nelson and John Simek's enlightening article on "Disgruntled Employees in Your Law Firm: The Enemy Within". Please don't misunderstand this as a "down on people" tone, as I can assure you it's not. It's about recognizing some of the root causes for security breaches and thereby being better prepared as a result. For example, "social engineering" preys on our fundamental tendency to trust one another, especially in a seemingly routine context.

I too would like to see software developers better address the issue. But unlike Bruce, I don't see that as quite the rosy picture he's painting. Reiterative security testing, while welcome, would no doubt increase the development cycle and overall cost of the software. Since it's not practical to expect all software developers to include an equally effective level of security testing and remediation, and since viruses and trojans authors generally find ways to proliferate their malware faster than developers can detect and close the holes, we're still going to need all of our expensive security software and experts to keep us relatively secure. Overall, we'd probably be more secure, but it's going to cost us. How much? As he mentioned, it's tough to determine what's the most cost-effective method for allocating responsibility. Not all that long ago, it occurred to me that the free market would probably determine how much security is appropriate and Bruce lays this out regarding Microsoft:

"The company is not a charity, and it doesn't make sense for them to make their products more secure than the marketplace demands. And right now the marketplace doesn't demand security."
Lastly, Bruce offers good advice, but inherent in that is the requirement for self-education (my emphasis added):
"Do you have any practical advice for our readers, in terms of staying secure, and safe?

Backup. Backup, backup, backup. You're going to get whacked sooner or later, and the best thing you can do for yourself is to make regular backups.

Staying safe in the Internet is actually pretty simple. If users bought a personal firewall and configured it never to accept incoming connections, and were smart about email attachments and websites, they'd be a lot safer. Also, the fewer Microsoft products the better."

Topic(s):   Privacy & Security
Posted by Jeff Beard