Security guru, Bruce Schneier, spoke last week at the University of Minnesota's Bell Museum at a local OWASP meeting about The Economics of Internet Security.
I had a chance to attend and jot down the following notes during his presentation.
1. Economic Value of Information - For the most part, there is no longer a need to open physical mail that arrives at your house. Only salable asset of some companies like Pets.com was their database.
2. Network as Critical Infrastructure - lots of industries rely on the web for just in time info. The Northeast Aug 2003 blackout was more damaging than power blackout. Ancillary systems fail, such as reservations systems.
3. 3rd Parties controlling information - We have less control over our own stuff. Security is out of our hands. Government doesn't have to bother us for our records since we don't have them anyway.
It doesn't matter how good we are at securing information if 3rd parties don't.
The market can't solve this problem since we don't have a direct relationship with many companies that host our information like Choicepoint.
4. Ever-increasing complexity - complex systems are harder to secure. Non-linear tightly coupled systems. There are more potential problems with accidents and malice.
We like complexity, but it comes with increased insecurity. Technology makes things better. Shouldn't security be getting better? It is, but complexity grows faster.
5. Criminals thriving on the Internet - Hacker threats used to mean defacing webpages. Now botnets, spam, and criminal activities are the worry. "There is more money in identity theft than drugs."
Must understand the attacker right to get the security right.
6. Sophistication of automatic worms - Worms are getting better. Better written, stealthier. Better written & quieter. Mostly lay dormant gathering intelligence.
7. Slower patching and faster exploits - An impossible problem. Has to work perfectly in every software configuration. And be released fast. Can't do both. People became resistant to patches due to unreliability. Now patching is more regular and stable. Hackers releasing malware for day after fresh patches released from companies like Microsoft so they can exploit the month before the next patch release.
Best systems provide security even when unpatched. Patched systems never reach 100%.
8. Untrustworthiness of the endpoints - We use a WWII Communications model. SSL, SSH, PGP. Data is most vulnerable at the endpoints before or after encryption/decryption. Example: Keyloggers.
Credit cards aren't stolen one at a time. They're stolen in blocks of millions.
9. Regulatory pressure - Computer security is hard to sell. It must be done based on greed or fear. An insurance problem. Biggest motivator is regulation. Companies are motivated by compliance. Sticks like Sarbanes-Oxley gives IT departments the tool they need to get more money for security investments. Companies don't want to fail an audit.
10. Outsourcing - Really important for security going forward. "The reason there is a security industry is because the software you buy sucks." Security will become bundled with the products. Air bags are an example of this. Security is built into the car rather than sold after-market.
Computer security will be bundled with the outsourcing vendors contractually. Shouldn't be an end-user problem. Software as service. Google has to solve security problems rather than businesses using Gmail.
Externalities: things people don't care about security exploitations that don't directly effect them, like buggy software or virus laden computers. If your mom can check her email, she doesn't care if her computer is also a spam-bot. Regulation or liabilities make people care about externalities like this.
You can find out more about Bruce on his blog where he recently stirred things up by explaining that he doesn't secure his home's WiFi network.