Better Living Through Technology: a blog dedicated to emerging
technology trends in hardware, software, webware, marketing and beyond

Bruce Schneier's Speech at OWASP
Ed Kohler

Security guru Bruce Schneier spoke last week at the University of Minnesota's Bell Museum, at a local OWASP meeting, about The Economics of Internet Security.

I had a chance to attend and jot down the following notes during his presentation.

1. Economic Value of Information - For the most part, there is no longer a need to open the physical mail that arrives at your house. The only salable asset of some companies, like Pets.com, was their database.

2. Network as Critical Infrastructure - Lots of industries rely on the web for just-in-time information. The August 2003 Northeast blackout did more damage than the loss of power alone, because ancillary systems, such as reservation systems, failed with it.

3. Third Parties Controlling Information - We have less control over our own stuff, so security is out of our hands. The government doesn't have to bother us for our records, since we don't hold them anyway.

It doesn't matter how good we are at securing information if third parties aren't.

The market can't solve this problem, since we have no direct relationship with many of the companies, like ChoicePoint, that host our information.

4. Ever-Increasing Complexity - Complex systems are harder to secure. Non-linear, tightly coupled systems have more potential for both accidents and malice.

We like complexity, but it comes with increased insecurity. Technology makes things better. Shouldn't security be getting better? It is, but complexity grows faster.

5. Criminals Thriving on the Internet - Hacker threats used to mean defaced web pages. Now botnets, spam, and criminal activity are the worry. "There is more money in identity theft than drugs."

You must understand the attacker correctly to get the security right.

6. Sophistication of Automatic Worms - Worms are getting better: better written, stealthier, and quieter. Most lie dormant, gathering intelligence.

7. Slower Patching and Faster Exploits - An impossible problem: a patch has to work perfectly in every software configuration and also be released fast, and you can't do both. People became resistant to patches because of their unreliability; now patching is more regular and stable. Hackers release malware the day after fresh patches come out from companies like Microsoft, so they can exploit systems for the month before the next patch release.

The best systems provide security even when unpatched. Patched systems never reach 100%.

8. Untrustworthiness of the Endpoints - We use a WWII communications model: SSL, SSH, PGP. Data is most vulnerable at the endpoints, before encryption or after decryption. Example: keyloggers.

Credit cards aren't stolen one at a time. They're stolen in blocks of millions.

9. Regulatory Pressure - Computer security is hard to sell. It must be sold on greed or fear; it's an insurance problem. The biggest motivator is regulation, and companies are motivated by compliance. Sticks like Sarbanes-Oxley give IT departments the tool they need to get more money for security investments: companies don't want to fail an audit.

10. Outsourcing - Really important for security going forward. "The reason there is a security industry is because the software you buy sucks." Security will become bundled with the products. Air bags are an example of this: safety is built into the car rather than sold after-market.

Computer security will be bundled contractually with outsourcing vendors. It shouldn't be an end-user problem. With software as a service, Google has to solve the security problems rather than the businesses using Gmail.

Externalities: people don't care about security problems that don't directly affect them, like buggy software or virus-laden computers. If your mom can check her email, she doesn't care if her computer is also a spam-bot. Regulation or liability makes people care about externalities like this.

You can find out more about Bruce on his blog where he recently stirred things up by explaining that he doesn't secure his home's WiFi network.
