AOH :: ISN-3035.HTM

Security war is being lost, says Schneier




Security war is being lost, says Schneier
Security war is being lost, says Schneier



http://www.techworld.com/security/news/index.cfm?newsID=6914 

By Sumner Lemon
IDG News Service
20 September 2006

Companies are losing the battle to secure their IT systems from attacks 
by hackers and other threats, influential security expert Bruce Schneier 
has warned.

"I don't think, on the whole, we are winning the security war; I think 
we are losing it," said the founder and chief technology officer of 
Counterpane Internet Security in a speech, at the Hack In The Box 
Security Conference (HITB) in Malaysia.

As systems get more complex, they get less secure, according to 
Schneier. Even as security technology improves, the complexity of modern 
IT systems has increased at a faster rate.

"The Internet is the most complex machine ever built," Schneier said.  
"This explains why security is getting worse."

In addition, the nature of the threat that companies face has changed in 
important ways. Where hacking was once considered a profession for 
hobbyists, a growing number of hackers are now criminals with a profit 
motive.

"The nature of the attacks are changing because the adversaries are 
changing," Schneier warned. "They have different motivations, different 
skill sets and different risk aversions."

Hobbyists now represent the minority of hackers, according to Schneier. 
This change means hackers pose an even greater threat to companies. "The 
hobbyist is more interested in street cred, the criminal wants results," 
he said.

To turn the battle in its favour, the security industry must look beyond 
purely technical measures, according to Schneier. "Look for the economic 
levers," he said. "If you get the economic levers right, the technology 
will work. If you get the economics wrong, the technology will never 
work."

Externalities, an economic term used to describe the effects of one 
person's actions on another, are central to building effective security, 
Schneier said.

For example, U.S banks do not spend heavily to defend against identity 
theft because they are not affected when such theft occurs. To the 
banks, this is an externality. However, when banks bear liability for a 
security breach, such as an unauthorised ATM withdrawal, they make the 
investments necessary to prevent these incidents from taking place, he 
said.

The same economic lessons can be applied to software vendors. To improve 
the security of software, Microsoft and others should be made liable for 
selling software that is not secure. "When you use buggy software and 
you lose data, that's your loss and not the software company's loss," 
Schneier said.

That needs to change, according to Schneier. "The organisation that has 
the capability to mitigate the risk needs to be responsible for the 
risk," he said.


_________________________________
Visit the InfoSec News store!
http://www.shopinfosecnews.org 

Site design & layout copyright © 1986-2014 CodeGods