Solving the unsolvable?
26 Mar 2007
Imagine you are living in a beautiful house, but the walls constantly need patching, the floor is not level, and the house tends to flood. You keep hiring contractors to fill the holes in the drywall, add supports, re-lay tiling, and clean up the water damage. You could keep this process going for decades before the house becomes hazardous, but most people would become suspicious after the first year or two. Only then do they step outside the problem and look at the structural foundations, and realize that the house was built on sand, right next to an ocean…
So, what is the point? What does that have to do with computer security?
That house is the computer and the Internet, the icons of the Information Age, and we have been living in a rotting house since 1970 (though we did not start to notice until the mid 1990s). Security has become a huge issue, and we are just trying to survive by throwing technology and half-baked ideas at the problem.
When it comes to digital security, why do we always try to bandage and mitigate problems instead of solving them? Anti-virus is just about dead. Firewalls can only do so much. Intrusion detection systems are fairly error-prone and do poorly at preventing new attacks. Our authentication and permission systems consist of archaic passwords and rwx file permissions.
Chips, memory, and programming techniques have advanced, but security has done very little to keep pace. We cannot do much to stop e-mail spam, control network activity, or prevent attacks, because the network, hardware, operating systems, and applications either do not support security or implement it as an afterthought. How are we supposed to protect ourselves when we are facing more than 15 new vulnerabilities per day?
Most users cannot and do not track and maintain their installed programs. Most do not know how to be more secure and are not savvy enough to operate today's complex security software. Remember: your security is only as good as your weakest point; an attacker needs to find only one hole to slip past your defenses.
Security is a never-ending battle for the defenders, which looks even bleaker once you realize that there is no way of winning it outright. I think the only way we are going to have any real success is to compile all of our lessons learned from the past few decades, go back to the drawing board, and redraft the architecture of networks, computers, and software. Build security and usability into the design from the start. Take the bullet out of the gun and engage the safety, so that people are neither attacked nor able to shoot themselves in the foot.