Security May Be Broken, But All is Not Lost

It’s been an ugly year so far for the security industry. In fact, if you’re looking at it objectively, almost nothing has gone right in the last six months. The long list of attacks this year–including RSA, Sony, Epsilon, Lockheed Martin, Citigroup and many others–coupled with the emergence of amorphous hacking groups like LulzSec and Anonymous on the scene have led to a growing sentiment in the industry that security has become an exercise in futility and that, one way or another, we’re all owned.

Don’t buy it.

Certainly the first part of 2011 has seen a pile of major breaches and attacks concentrated in a short amount of time the likes of which we may not have seen ever before. And the steady drumbeat of stories about data thefts at major corporations, intrusions at government agencies and massive dumps of pilfered personal information is showing no signs of abating. If anything, it may well increase in the next few months as more groups and individuals decide to seize the opportunity and make a name for themselves or their cause.

There’s no doubt that watching some of the larger and (allegedly) more sophisticated organizations in the country lose consistently is not doing much to make other companies think they’re going to fare any better when it’s their turn in the crosshairs. If RSA and the CIA can’t figure it out, then what hope is there for anyone else?

Plenty, if you know where to look.

First, let’s start with the idea that more companies are getting attacked and successfully owned now than ever before. One of the unfortunate (or fortunate, depending on your point of view) things about security is that there is so little public data available on attacks. One of the few good resources for information specifically concerning data breaches is the Data Loss Database, which gathers information on public reports. A quick glance at the site’s timeline shows that there has not been any massive uptick in the number of incidents this year. Mostly, the last six months have been pretty much like the last few years in general: a steady stream of breaches with the odd spike thrown in.

Yes, companies are being compromised and user data is being stolen, but it’s important to remember that up until a few years ago, none of these events would have been disclosed. Customers would have had no idea their data was at risk and the press would not have gotten onto the story. But with data breach laws in effect in most U.S. states, these incidents are now daily news and so there is much more awareness of the problem.

Second, if you think there’s a lack of data on successful attacks, think about how much data we have on unsuccessful ones. None. Zero. The only time we hear about a security incident is when the attackers win. Companies don’t make a habit of reporting all the times that they repelled attacks–perhaps because they don’t know it when they do–and groups such as LulzSec don’t tweet about their failures. We only hear about the wins.

If the rest of the world worked like this and people were only allowed to talk about their failures and shortcomings, we’d all be sick to death of Roberto Baggio and LeBron James.

Instead, we are bombarded by news of failures and missteps and nominally sophisticated attacks that succeed. Take the RSA and Lockheed Martin attacks, for example. It appears now that the real target of the group behind these operations was the U.S. defense industry. But in order to successfully penetrate these organizations, the attackers first had to mount a separate attack on RSA, steal data related to the SecurID tokens and then use that to go after Lockheed and other organizations. It’s certainly disheartening that organizations such as RSA and Sony are falling victim to spear phishing attacks and SQL injection and other simple tactics. But that doesn’t mean that it’s time to throw in the towel and walk away.

Rather, perhaps it’s time to take a fresh look at the problem and assess what’s working rather than dwelling on what isn’t. But once again we’re faced with the problem that we don’t have much idea what’s actually working because no one talks about it. Common sense would suggest that one thing that might work is sharing data. In just about every other walk of life, every other profession, this is done as a matter of course. People help each other improve; even in competitive situations such as professional sports, rivals collaborate and share intelligence.

But not in security. Somehow security data is seen as a competitive advantage, when in fact the opposite is true. Keeping data secret makes everyone less secure in the long run. Data on successful attacks and successful defenses could be much more valuable when it’s shared in a considered way. It seems likely that RSA’s security team would’ve been interested in some timely intelligence from other companies about highly targeted spear phishing attacks.

Security is by definition a collaborative and community effort. Making one piece of the whole stronger and more resilient benefits every other piece of the whole. And the inverse holds true, as well. There are plenty of good things happening in security right now, but until there’s a major shift in the way that security data is collected, analyzed and shared, we’ll be stuck with the status quo.

And as Adam Shostack likes to ask, how’s that working out for you?