Blog article

More shock news: the internet isn't secure!

You may have noticed a lot of security news in the media recently - whether it's the latest victim of hacker group Lulz Security, the folks at Lockheed Martin or the Anonymous group activities. Or closer to home - Citigroup.

You may be disgusted by the (lack of) security, you may applaud the efforts of the hackers and you may be thinking about your own systems. Your email account. Your credit card information in Amazon.

The nasty truth is simple: there is no way to absolutely secure your systems.

Actually, this isn't new. Although not talking about the internet, Eisenhower's quote "We will bankrupt ourselves in the vain search for absolute security." seems even more apt, but it doesn't mean that you shouldn't try.

According to the NYT "Thieves Found Citigroup Site an Easy Entry" - and if the details in that article turn out to be true, well - let's just say they didn't try very hard.

So if you make it hard, you might just be ok. "There is no castle so strong that it cannot be overthrown by money." alleges Cicero, and he's probably right. Throw enough money at a hacking effort and it will succeed. But if the effort outweighs the reward, it's much less likely that they will bother, because at that point it ceases to be economically viable to hack you.

It's not just about password policies, memorable information or a clean penetration test result. It's not just about making sure every developer knows about security. It's not just about getting it right first time, and not succumbing to the prevalent "ship now, patch later" mentality. It's not just about making sure your users are educated, and know what to do if they get hacked. It's about all of this and more - building security into everything that you do from the ground up by giving security equal, if not greater, "feature citizenship" as the "regular" business and non-functional requirements. And that means educating a whole raft of people. And those users? Guess what - you have to educate them too.

And it's about knowing that despite all of this, you will still not be safe. Because "they" only have to get "lucky" once, whereas "we" have to be "lucky" every time.

It's not all bad though. The advent of IPv6 and the open source communities are beginning to close some of those security doors that have been propped open, and it's not just the likes of OWASP.

I suspect that many security professionals (secretly?) love what LulzSec are doing - a spectacular enough cyber crime spree to make the world take notice. This should help the discussion about security next time someone has a great new project idea, because it's scary when people breach your security and publicly mock you. And your bank is in the headlines with the words "hack" and "easy". So maybe, just maybe, there's some good to come from it.

Of course, there's "hacking" and then there's taking your web site down via a DDoS attack. And that's a whole different giveaway bag of virus-ridden USB keys.


Comments: (1)

A Finextra member, 17 June, 2011, 02:43

As we have seen, gadgets don't work to keep secrets (and secret recipes to secret gadgets can't be kept secret).

It must be occurring to everyone about now that a system which relies on keeping diversified data, passwords and personal information secure - is failed before it starts. Perhaps then we might imagine not sending all that private information around, exposing it, or even storing it anywhere publicly accessible.

I guess that would be too simple and lead to mass unemployment in the cyber-security snake oil industry.

Oh well....
