Security: The Number One Technology Failure of All Time

I was reading through an article last night about the 25 greatest blunders in technology history and was happily strolling through memory lane (what are Palm Pilots, PS/2s and Apple Newtons anyways? :p) and then got quite a surprise at the very end of the article.  The number one technology failure of all time according to the article’s author (Neil McAllister) is … security!

First off, Neil is right. From a technology standpoint, security has failed. Neil argues that technology was built on top of an already insecure foundation, and so the result of anything on top of that foundation will be anything but secure. However, I would like to present some additional reasons why security may be the biggest wet blanket of all time. Read on.

In my opinion security is not a single “thing”. Security has to do with much more than exploited vulnerabilities, hackers, and missing patches. This beast we call security actually has three heads. They are:

  • People
  • Process
  • Technology

Security is most effective when all three of these work together. Unfortunately, none of these three has been playing well with the others lately, if ever. Neil did a great job covering the technology piece already, so I’ll talk about the other two. Each of these aspects of security is a long discussion in itself, so I am just going to share what I think is the top failure in each of the two remaining categories, and I would love to hear your thoughts too.

My Top People Reason Why Security Fails: Security Divas

A friend of mine, Steve, put it best one time when we were hanging out in a bar after a full day of delivering presentations. He wisely noted: “Security unfortunately has become something that people try to own, not something you are responsible for or contribute to. People start thinking they are the solution, rather than part of it.” Steve wasn’t using elite-speak (by “own” he didn’t mean “0wn” as in compromise or gain root access on); he meant that security was something people tried to claim as theirs, especially the successes, but none of the failures. These people tend to see themselves not as a cog in the wheel, but as the wheel. In their eyes, their solution/service/thing-a-ma-gig is the only possible security allowed. Any attempt not blessed by them to enhance or further security gets elephant stomped. To protect their golden egg they will set political fires behind your back and scratch and claw your face like a cornered cat. Their egos are often highly inflated and they are clouded by their own agendas. They are the few rotten apples that ruin the rest of the basket. I call these people “security divas”.

It’s ironic that the users of security (desktop users, administrators, and grandmoms) get blamed for the failure of security. Some of the practitioners (security divas in particular) could share some of that blame if you ask me.

My Top Process Reason Why Security Fails: Complexity

When I was young, I had problems with very basic math and nearly failed my first year of high school (ironically, I graduated with honors in mathematics and computer science from the University of Waterloo in Canada). The notion of negative numbers was just beyond me for the longest time. My parents would tell me over and over again, “you’re making this more complicated than it has to be.” That perfectly describes today’s security processes. Something that should be simple to solve is over-thought and consistently complicated. “Attempt by W32.TrojanDropper.A-B/32_884.9 to access protected memory segment located at 0x45ED3FAC. What would you like to do?” <– huh? How about letting the user know that “A computer virus tried to infect your computer and we intercepted it. Stop it, or allow it to continue?” Or how about not even bothering the user at all and just taking care of it? Give them the satisfaction that this piece of software they bought for $39.99 will make their life easier, rather than more complicated with obscure and cryptic warning messages. Today’s security processes, approaches and especially solutions are often so complex and hard to use that even security experts have trouble with them. How can we then expect non-security experts to use them? Psst … those non-security experts end up not using those processes, approaches or solutions. Start, Control Panel, Add or Remove Programs has to be one of the most common security key sequences by now.

There’s genius hidden in simplicity and my gut feeling is that someone will come up with a series of security solutions that are so simple and elegant that even if the wrong people are performing security they can still arrive at the right results. Until then, security will continue to stumble and get listed as a failure on lists such as Neil’s.

So there you have it, my top reasons for why security fails today are security divas and unnecessary complexity. I’ll talk about my take on solutions sometime down the road. What are some of the reasons why you think security has failed?

–Kevin


17 Comments

  1. Posted January 4, 2009 at 1:56 am | Permalink

    So true.

    A false sense of security is worse than no security at all. It creates an artificial feeling of security that leads to complacence…

    Sunil

  2. Posted January 4, 2009 at 3:28 pm | Permalink

    Hi Sunil, that’s a good point: often security is sold in absolutes, “this will make your stuff secure”, “you’ll be secure after this!” Promotes a false sense of security, and when it doesn’t live up to what is promised the confidence in security gets degraded. Thanks for the comment!

    –Kevin

  3. Debapriyay
    Posted January 5, 2009 at 2:05 am | Permalink

    So, what do we do? If that’s the case, then should we keep our network open with no security mechanism at all in place? That’s also not feasible.

    So, where does the gap lie?

  4. Posted January 5, 2009 at 2:19 am | Permalink

    I hope you’re joking about leaving your networks open :p. No, you certainly don’t give up, but in order to effectively resolve something (not just security) the reasons for failure need to be identified first so an effective solution can be crafted — so the point of the blog was not an all-hands call for everyone to lay down and wait to get run over ;p.

    I found Neil’s article so interesting, because it got me thinking about things that were hindering security from really flourishing and what road blocks could be removed. But first, what are those roadblocks? Thanks for taking the time to post your comment!

    –Kevin

  5. Debapriyay
    Posted January 5, 2009 at 5:28 am | Permalink

    Hi Kevin,
    I agree to your other two points “people” and “process”. There are security breaches because of insider threats … isn’t it.
    But, the question is how do you use your security tools and policies to enforce a process, within which it’s difficult for a person to launch any threat from inside. And also it should not provide any room to exploit anything.
    Some other security tools getting emerged, what I can think of … and which will take advantage of existing security tools to enforce a very stringent policy. This together will ensure people get educated about the existing security policy and will do accordingly … and also will not be able to pose any insider threat.

    Regards
    Debapriyay

  6. Posted January 5, 2009 at 4:37 pm | Permalink

    Hi Debapriyay, regarding the insider threat I think the technology to make it difficult for someone to launch an inside threat is available. It’s maintaining it and measuring it that is the tougher question to answer (back to process again). Thanks for the comment!

    –Kevin

  7. Debapriyay
    Posted January 5, 2009 at 10:24 pm | Permalink

    Hi Kevin,
    Can you please let me know the technology which can make insider threat difficult. Is it a user behavior profiling based approach?
    Going back to your first post, I think what gives us a wrong impression of security is the inability of the existing technology to handle “anomaly intrusions”. But, it’s difficult to enumerate them, unlike the signatures for “known intrusions”. What needs to be matured, in my opinion, is the ability to handle anomaly intrusions with ease by the tools and methods. But, that again depends on being able to list all the existing vulnerabilities (what if a new vulnerability gets added), I mean a complete coverage of all the vulnerabilities. But, I think that’s also not feasible, and hence there will always be some gap, right. But, still I think that’s the biggest challenge, being able to cope with “anomaly intrusions”. What do you think?

    Thanks.

    Regards
    Debapriyay

  8. Posted January 6, 2009 at 9:53 am | Permalink

    Hi Debapriyay, I mean the “technology is available” in a general way. How to reduce risk from insider threat can be solved depending on the situation. If the threat is network based, then there are network technologies to help, if it’s application-based then also there are technologies.

    About detecting “anomaly intrusions”, again I think technology may be good, but useless if the other two parts don’t play along (people and process). Yes, there will always be some gap, but the key is: is that gap acceptable or not? Acceptable to what? I would like to see the industry move more towards an actual risk management practice which takes all three into account. Thanks again,

    –Kevin

  9. Debapriyay
    Posted January 6, 2009 at 10:32 am | Permalink

    Hi Kevin,
    Thanks for your clarification and answers.
    Thanks.

    Regards
    Debapriyay

  10. Posted January 7, 2009 at 5:44 pm | Permalink

    Hi Kevin,
    Process and people are only starting to get the recognition that they should have had as part of the Information Security equation all along. For the past 5+ years, most solutions have been based on the Fear and Uncertainty created by both the industry and vendors, resulting in many point solutions being implemented within organisations. Senior Business executives have not known how to control, analyse, or measure the results and as such have left it largely to the IT Departments to handle, adding to the focus on technology being the total solution and not part of it.
    Business need to identify and perform information risk analysis on their information (this is separate to systems based risk analysis) which then forms the basis for solutions (incorporating people, process and technology) to close the gap to the level stated as acceptable by the Business. We currently teach this method to large organisations who have spent enormous amounts on technology, some of which is relevant and some of which is doing nothing more than being an excessive cost to the business.
    Good process has not been implemented at the same rate as technology, yet without good processes, in many cases the technology is worthless. This we are seeing over and over.
    – Sallie

  11. Posted January 7, 2009 at 6:03 pm | Permalink

    Kevin makes a very good point that people, process and technology make for good security.

    Although NitroSecurity provides Unified Security Management via the only integrated solution comprised of SIEM, Log Management, Database Auditing and IPS, we still must educate our customers on modifying poor security policies and adopting best practices. Good processes, educated users and superior technology can provide safeguards for a company’s most important asset, its data!

  12. Posted January 8, 2009 at 10:01 am | Permalink

    Sallie, I like your point a lot about Fear, Uncertainty and Doubt (FUD)! Amongst many things, FUD is a personal gripe of mine and I had a post on this lined up way down the road, but I am glad you gave this one some light – I can’t think of a single thing that FUD accomplishes positively in the long run!

    –Kevin

  13. Posted January 8, 2009 at 10:10 am | Permalink

    John, great points as well. You can have really good technology, but without a balance of the other two (process and people) your security strategy won’t be effective. Same with the other two, good process doesn’t help much if you don’t have the right technology or people supporting it.

    –Kevin

  14. marb
    Posted January 15, 2009 at 2:07 pm | Permalink

    I don’t believe that people care about security like some people don’t care about what they eat. People know eating and drinking certain ways has ill effects, but do it anyway because 1) they will somehow magically escape the consequences and 2) they’ll do better later, before disaster strikes.

    It’s the same with security. Yes, complexity needs to be simplified, but I don’t see that all of security can be made simple; technology is complicated; so is securing that technology.
    I think human behavior can be changed if it is provided the proper stimulus. I have long advocated a security/compliance section be added to performance reviews at work and provide the same kind of rewards/consequences as other parts of the review (making deadlines, being a team player, etc.).

    It won’t solve the home problem, but it will trickle down at least a bit. Not a total solution, but who is successfully addressing the human factor? I don’t see any.

  15. Posted January 16, 2009 at 2:21 am | Permalink

    Hi Marb,

    Exactly as you put it, not every aspect of security can be simplified. There will be things that can be simplified and things that cannot — my hope is that the things that can be will be simplified, because they sure aren’t right now :). Thanks for taking the time to post and share your thoughts!

    –Kevin

  16. Mike Mudd
    Posted January 27, 2009 at 12:01 pm | Permalink

    If there was perfect security there would not be any bank robberies, auto thefts, burglaries or other crimes against property.

    IT security is the same, it is work in progress to try and keep one step ahead of the bad guys, as are bank vaults, auto protection (both electronic and physical), and home security. It is what keeps us employed, go with the flow…

  17. Posted January 27, 2009 at 10:17 pm | Permalink

    Hey Mike, definitely the inefficiencies and failures of security keep people like you and I employed. You also make a really good point, “go with the flow” … definitely, so far security has been against the grain/flow … just saying that there is great opportunity for improvement!

    –Kevin

