LAS VEGAS–Reflecting on the successes and failures in the industry in the last 15 years, a panel of security experts at Black Hat said that while defenses have gotten better, attackers have as well and there is a long way to go before defenders have the upper hand. If that ever happens, they said, it will need to be a cooperative effort among users, security folks and even the government.
Jeff Moss, the founder of Black Hat, said that one of the main hurdles in improving not just the security industry but the actual security of the devices we use is that most of the smart people are only interested in solving problems that will make them a lot of money at some point.
“Where there’s a market problem and money to be had, we’re good at solving that,” Moss said during the panel discussion here Wednesday. The panel also included Adam Shostack of Microsoft, Jennifer Granick of Stanford Law School, Bruce Schneier and Marcus Ranum of Tenable Security. Schneier agreed with Moss’s assessment of the current state of affairs, saying that security problems don’t exist in a vacuum and there are a lot of contributing factors.
“A lot of security failures are market failures,” Schneier said. “We’re now making it worse. Security is opaque.”
Much of the discussion centered on the ways in which government intervention in various problems can either help or hurt the process. The federal government has for years been asking experts in the private sector for help on various security challenges and there have been both formal and informal working groups set up to share information. But the private sector members of those groups often complain that the information only flows into the government, not the other way around. And despite the vast amount of expertise in private companies, the security staffs could always use more data, especially when it comes to attacks.
It shouldn’t simply be up to the private sector and all of the technology companies to somehow fix security, Ranum said. The government should play a role, as well.
“I’m not qualified to carry out counterintelligence against China. Providing for the common defense is what the government is supposed to do,” he said.
What could help address many of the major issues facing targeted companies and government agencies alike, Shostack said, is a cultural shift that focuses on publishing and sharing as much data as possible. Data on attacks, data on bugs, data on anything that security staffs can use to better defend their networks.
“We have these opportunities all the time. Every time a government system is breached, it’s reported to US-CERT within an hour and then on to the GAO,” Shostack said. “If we had a little more information in those flows, we could see where one agency that got breached spends its money on security and then compare that to another agency that wasn’t breached the same way and see how they spend their money on security.”
When the discussion turned to what to expect in the future and what investments might pay off the best for defenders, Moss said there was only one real answer: people. Invest in smart people who understand the problem.
“In anything I’ve done, I rely on my people, not on widget X,” Moss said.
People may also become the main target for attackers in the near future, Shostack said. The widespread memory-corruption vulnerabilities that have plagued software for years have been mitigated in a lot of ways with recent advances in defensive technology. That’s made life somewhat more difficult for attackers, and Shostack said they may move on from those flaws fairly soon.
“I think we’re seeing almost the end of the era of that kind of vulnerability and that’s a success story,” he said. “Attacks are going to shift much more to attacks on human beings.”