Would you like for your car to run faster? Well, it’s easy. Just shed excess weight on the vehicle. Get rid of the doors, seat cushions, seat belts, airbags, windows, the roof, electronic systems, and man! That car will MOVE!
What’s that I hear you say? It will be unsafe? Well, pardon me, but you wanted it to be faster. You said nothing about preserving the current level of safety.
And although I doubt that any sensible person would want to drive that vehicle at top speeds, we do precisely the same things with our Internet usage and our programs and apps. We want them to be as fast as possible and, if it means less security, we accept the higher risk by saying “I’ll be careful!” and then going forth to enjoy the higher efficiency without really being any sort of careful at all. Why?
It’s simple to my mind. Our brains are well aware of the possible bodily harm that can result from a car accident, so we reject a tradeoff of mayhem mitigation for super speed. But a computer application? A website? No physical harm can result from using those things, so why not worry less and enjoy them more? We simply don’t think of the potential financial and personal wreckage that could result from unsecured data transfers. We fail to see that the injuries from unsafe computing are very real and very damaging and very permanent. If we did see what could happen, we’d ask for the digital version of safety belts, every time.
I’ll point a finger at programmers and designers: they want their customers to have the smoothest experience possible. That smooth experience makes money or facilitates the making of money, so it’s no small thing. But, again, the blindness to the risks in the digital world mean that those designers and programmers aren’t necessarily thinking about the safety of that experience. This is particularly evident in the emerging area of “smart controls”. Smart controls basically turn a phone or a laptop into a giant remote control device for something that used to not be remotely controlled.
Even the idea of remote control doesn’t sound all that bad. Our teevee remote controls do just fine, don’t they? But would you maintain that benevolent attitude towards your teevee remote if some kid a mile away was able to interfere with your choices and put your channel choice on anything he wanted? It’s no mistake that a “nightmare scenario” in many a spy thriller or sci-fi flick involved The Bad Guy taking over the airwaves and forcing the world to watch whatever he dictated. Stuff like that really freaks us out. Well, how about a nightmare scenario in which The Bad Guy messes with your thermostat? Or forces you to order an extra gallon of milk? Or locks all the world’s ovens on cleaning mode?
OK, so those are all #firstworldproblems. But the ones that can hit the third world involve disruption of power grids or supply chains. How about a man-in-the-middle attack that scrapes a few pennies out of every bank account in India? In places where microcredit is embedded into the local economy, such an attack could destroy lives. Who would do such a thing? Well, there’s a Marxist insurgency in about a third of India, so there’s my first candidate to execute such a move.
A home with a closed, unlocked door offers more security than some of these highly efficient applications. I mean, at least the door is closed, so that someone has to make an effort to see what’s going on inside. Far too many apps send every transaction, back and forth, in plain text.
Now, there are some security measures that are as easy as locking a door. But there are also some security measures that are as difficult as putting on a suit of plate armor and mounting a horse. As one would expect, the more complete security measures are also those that involve the biggest drags on performance. But look at it this way: which vehicle would you rather operate, a unicycle with a solid-rocket booster engine, or a comprehensively-tested motor vehicle with excellent safety ratings from its excellent safety features? While the unicycle rocket will definitely move faster than that car, the car exposes its operator to a much shorter list of potential hazards. For example, “death due to improper aim at start of journey” is a biggie to consider with the unicycle, not so much with the car.
So it should be in the programming and development world. It’s my frustration as a security professional to see security treated as a cost that should be minimized. Too often, I’ve heard of businesses that refused to stand for a reduction in efficiency that later wound up with their doors shut for good within days of the major breach that happens in the early days of their existence. To treat security as a costly afterthought is tantamount to saying one or more of the following phrases:
“I’d like to have all my employees lose their job after a major breach, which is statistically bound to happen very soon.”
“I would prefer for my company’s intellectual property to be in the hands of my competitors, preferably without my knowledge or ability to get recourse through criminal and/or civil courts.”
“I feel much better knowing that, when my financial records are breached, the criminals involved will enjoy high levels of server uptime, plenty of bandwidth, and be ‘very satisfied’ with their experience in compromising my network.”
“Our company’s vision statement is: We will have synergies of poor security and high ease of use enable criminals to have first grab at our profits, even before we pay our fixed or variable costs.”
That last one might actually get shareholder attention.
But what to do? I’m not a C-something-O or a member of any board or anything like that. I can’t tell my company or any other company that there are areas where security is a joke, and that’s where to expect the next breach. Even if I was a CxO or chairman of the board, there’s no guarantee that I’d have all my company’s employees take security seriously enough to realize when they need to help implement it. This becomes a huge deal in major corporations, where employees tend to reject anything not done 100% by the book, and offer little or no help after making the rejection. Now, the “why” of that may have more to do with outsourcing and other heinous practices to control labor costs, but it does point up the old Machiavellian maxim that mercenaries aren’t going to protect you as passionately or as effectively as your own citizens.
So, if you want to predict where the next headline-grabbing breach will be, look for a major company with a massive contract labor pool in place of full-time employees, that also brags about how fast and effective its operations are. That’s where the money is and, chances are, also where the advanced persistent threats are already embedded in the system.
Who knows? Maybe even one of those threats is so embedded, it even has a section of actual employees tucked away somewhere that actually provide technical support for it. They file exemptions with anti-malware groups and open up firewall rules and away they go…
So, to sum up, efficiency without security is reckless endangerment. We should be ready to have things be at least a little slower so that we can enjoy a greater measure of security.
For more, feel free to visit and join up with http://www.networking-forums.com.