Do We Really Need a Security Industry? 297
netbuzz noted that Bruce Schneir's latest column
discusses the security industry where he points out that "The primary reason the IT security industry exists is because IT products and services aren't naturally secure. If computers were already secure against viruses, there wouldn't be any need for antivirus products. If bad network traffic couldn't be used to attack computers, no one would bother buying a firewall. If there were no more buffer overflows, no one would have to buy products to protect against their effects. If the IT products we purchased were secure out of the box, we wouldn't have to spend billions every year making them secure."
Incorrect assumption (Score:4, Insightful)
If it's not virri or worms or buffer-overflows then it would be something else. Human intellect has this uncanny ability to grow and adapt.
O RLY? (Score:5, Insightful)
I see what he did there (Score:5, Insightful)
Utopia is a pretty cool place. I'd like to go there too.
Do we really need law enforcement? (Score:4, Insightful)
True, but not realistic. (Score:3, Insightful)
Yeah (Score:5, Insightful)
Security industry is needed (Score:5, Insightful)
Baby & Bathwater (Score:2, Insightful)
And if humans weren't always metabolizing away their energy store, we wouldn't need the food industy.
The point being that the computer is susceptible to these unfortunate side effects for the same reason that they're so successful in the first place - being part of an open ecosystem, being able to adapt, being able to interconnect, being able to hide information from users so that they can attend to value-add tasks.
Not that we couldn't minimize the exposure by operating more effectively, but eliminating them via design could eliminate the very utility that's allowed the computer and the networks to be so successful.
Mod parent up! (Score:5, Insightful)
Having a firewall may not force the workstation software providers to improve their security. But the firewall provides a single point where you can focus intensive monitoring efforts.
We live in a world where people will trade their password for a bar of chocolate.
Over time the technology WILL get better. We're already seeing some of that. But in the end, even with perfect software security, we will still have problems because PEOPLE will be using the systems.
Yeah, but... (Score:3, Insightful)
There is no way to absolutely positively guarantee any complex product can remain safe over a period of time as the environment it runs in will change through both vendor and user additions to that environment. And anyways, the market does not want to wait for 'secure.' The market hardly waits for 'workable.'
Bruce's question is interesting on some levels, but seems shallow in a number of ways. That being said I read him all the time.
Regards.
don't need one, but will always have one (Score:5, Insightful)
The companies that develop software know that (2) doing security properly is extremely expensive, and requires hiring skilled specialists, and inegrating those specialists at all levels of the development process.
When you take points (1) and (2) into consideration, you realize that there is a lot more ROI in developing cheap insecure software than there is in developing expensive secure software.
This is an example of capitalism failing due to poorly-informed consumers. But I can think of no way to solve the problem (a security quantifier???), so the industry will continue along as it does today: cheap software and band-aid security.
Bad reasoning in the article (Score:4, Insightful)
Which is like saying that the primary reason the physical security industry exists is because buildings aren't naturally secure.
That simply isn't true. It exists becasue people are sneaky little bastards who naturally want what other people have. You cannot make something secure enough to keep everyone out - physically or digitally.
Re:Yeah (Score:3, Insightful)
A major problem with this is that we'll never be inherently secure, and a false sense of security makes adverse events much nastier. I think it's a pipe dream (should I say tube dream?) to think that security infiltration will not keep advancing -- and the advance of infiltration tools is what requires us to get aftermarket security products.
Re:Security industry is needed (Score:4, Insightful)
Never underestimate the power of human stupidity.
Always remember that a human is in the matrix.
Re:Security industry is needed (Score:3, Insightful)
There is nothing that a computer can do to protect itself from a determined user with the root password. If I want to install the latest BonziCometWeatherCursorBuddyBug crapware then my PC can't stop me, no matter how secure the OS is. Even if OSes and applications could be 100% hardened against remote exploits, there's nothing that can be done about trojans, other than educating the users and using anti-malware products.
To be honest, I expect better from Schneier - he of all people should know this. He discusses exactly this problem in Applied Cryptography in the context of encryption - no matter how strong your encryption, if someone wants your data bad enough they can always just put a gun to your head. Same thing applies here - no matter how tough your PC, there's still a human involved to be the weakest link.
Sort of ... but not exactly. (Score:5, Insightful)
Now, take a default installation of Ubuntu Feisty Fawn. Even if you hook it straight into the Internet WITHOUT an external firewall (or running any firewall software) you'll still be very secure.
That's because, by default, there aren't any open ports. There's no way for any worms to attack your system. That's just basic security practice.
Now, there are other ways to crack a default Ubuntu installation. But they require that the admin have done something to make it LESS secure (or you can physically access the box).
Your example is about the physical world. And the problem there is that physical access is already assumed. We can take steps to REDUCE the physical access, but that still leaves social engineering attacks.
You will always need police just as you will always need sysadmins who will READ THE SECURITY LOGS. No matter how secure you are.
Re:Security industry is needed (Score:1, Insightful)
I love Bruce, I really do. (Score:2, Insightful)
Re:Sort of ... but not exactly. (Score:5, Insightful)
That is besides the fact that the original analogy is wrong. What Bruce thinks is that as computing becomes a utility the security needs will decrease.
I hate to disagree. They will remain, probably even increase to match the "it just works" expectations you have for an utility.
Utilities do not have less expenditure on security just because they have become a utility.
Water companies have to deal with mandatory security of the water supply. Gas companies have to deal with mandatory security of the gas grid. Electrical companies need to provide security of the electrical grid. Old style telecommunication companies have some very hefty obligations regarding the availability of their communications in an emergency and have expenditure related to that as well.
Add to this the day-to-day battle with fraud and theft of service. Even without "national minorities" going around and digging out all of your copper cables and selling them for scrap there is a very large expenditure on security in any utility. Granted, it no longer appears as an item on the end-user bill, but it is there none the less. And lots of it.
If it all ends up being folded into the utility fold it may in fact end up being more than now. Everything else aside a utility is obliged to maintain a certain standard of service, hence 100% of Joe Bloggs will be covered by AV and firewall, not 1% like now and so on.
In other news (Score:5, Insightful)
Do not run with analogies! (Score:5, Insightful)
Put down that analogy; you're liable to cut yourself. 8^)
Security in buildings and public places represents an utterly different problem set from software security. They have virtually nothing in common. Suggesting that software security today is like (heh) a walk in the park is wildly wrong.
I hate analogies, because they cloud things more than they clarify them. But if I were to use yours, I would say that if our buildings and public spaces were better policed, we wouldn't need to pay for personal, individual security guards who pat down and disarm even our friends before they allow us to so much as look at one another.
Schneier's point is valid. In a healthy, heterogeneous software environment, the threats are fundamentally different from those we face today. We could move from trying to protect ourselves from clicking on tainted image and document files(!) to creating secure site configurations tailored to our particular needs. I too dream about the day when we have configurations that are not so draconian that people are precluded by fear from taking advantage of some of the Internet's greatest advantages: the end to end network.
There are some who will say that software is inherently insecure, and that it cannot be secured. There are some who say that people using 'safe' technologies and processes are only safe by virtue of the fact that there are easier targets in abundance. They are wrong. And this is Schneier's point: Whatever inherent problems there may be in software security, the vast majority of Windows users - let's call a spade a spade - work in an environment that is so utterly flawed that there is a quantum difference between the security issues they face and the vastly more limited security issues they could be facing, if only the manufacturers would cease to treat security as a cost centre external to their core business.
Re:Incorrect assumption (Score:3, Insightful)
Do you need to bebug stuff? (Score:3, Insightful)
Re:I see what he did there (Score:2, Insightful)
Over the years, banks have become more and more secure, and a bank robber (a physical bank robber, not a hacker) has a very low probability of getting away with it without being caught. Why? Because banks have put a lot of effort into making their physical plant and their operating procedures secure. A casual non-technical person has no way of robbing a bank, short of pointing a gun in a teller's face. They don't have the knowledge or equipment necessary to crack a vault, and the bank's security cameras will capture their picture when they hand the teller a holdup note.
Physical security is not perfect - google "lock bumping" to see what I mean - but the physical security of banks has evolved to the point where it's just not worth it to try. There's no built-in flaws in bank vault locking systems that the equivalent of a "script kiddie" can exploit. They can carry out secure in-person transactions with great reliability, and the banking industry has spent a lot of money in training to reduce the occurrence of successful "social engineering" and insider attacks. They can use wire transfers to safely move trillions of dollars a day. They don't have to close down and upgrade their locks and alarms every month. Yet they are convenient and easy to use.
Can you say the same about your computer/network? Can you use it safely to interact with your creditors or to protect your valuables or your identity? Would you use it to protect your entire life savings? No, not even close. I see this point as the Holy Grail of computer security: When a reasonably cautious adult can trust their computer, and everyone else's, with their life, without expert intervention, we will have viable security. Granted, the banking industry has a three hundred year head start, but you can expect computing to move much faster.
He's right, you know.... (Score:5, Insightful)
Look at Cisco. More and more of the monitoring and mitigation systems we run are turning up as part of the switch in next generation gear.
Businesses want simple, cost effective systems that are built in to the infrastructure, don't get in the way of the money-making, and keep the bank and federal auditors happy.
Besides, the best security tools are free. And most of IT security is just plain common sense. You don't have to have been at it as long as I have to know that. The technology we use only works one way, so threats aren't that hard to figure out. The rule is to be aware of what runs on your network and keep an eye on what comes and goes. If in the years to come that's all built in, cool.
Re:Mod parent up! (Score:3, Insightful)
Re:Mod parent up! (Score:4, Insightful)
Re:Do not run with analogies! (Score:2, Insightful)
Now, let's say we give it a couple of entrances, but we place them up on the third floor so that only people with a tall ladder can get to the doors; the doors of course, have locks on them as well so only people with keys can enter. I'd compare this (somewhat roughly) to a computer with a floppy drive and a CD drive; people can mess with your computer, but only if they have physical access to it (generally rather difficult).
However, the previous idea is pretty awkward if you want people to be able to get work done. The UPS guy won't deliver packages to your building because he doesn't have a ladder, so you have to go down and get them, then bring them back up, it's hard to meet with other people to discuss business at your building because your business partners don't have a ladder, and of course, employees don't like just sitting in a windowless building all day under fluorescent lighting. So you now you give the building ground-floor entrances and windows; now people can enter the building more easily and employees don't get depressed from not seeing sunlight at all during work.
Of course, now you have a problem; burglars can easily get into your building by smashing the windows; they can easily reach the door and pick the locks. So now you need some security, an alarm system on the windows, security cameras and some security guards to watch the doors and the building in general. This is comparable to hooking your computer or network up to the internet and opening up the necesary ports; you can now get your work done easily, and even play around a bit, but at the same time your computer is less secure by nature. Sure, there are ways to make your computer more secure when connected to the internet, much like there are ways to building with security in mind; but ultimately security software is necessary if you're doing any serious business with your computer connected to the internet.
As to your point, I wouldn't say that software is inherently insecure, I'd say that software is inherenetly breachable. Can anyone point me to an OS that has never had a reported security breach and has been out at least one year? And while I agree that companies need to be more focused on security in their software, they also want to make sure their software convenient to use (particularly if it is meant for users with little technical knowledge); and in the end, when selling to many/most people, functionality and convenience trumps security. Perhaps if your business is serious about security, security trumps convenience, but I highly doubt it trumps functionality. And in the end, software isn't just breached due to errors in the programmer's thinking, but because a hacker has come up with a way to exploit the programmer's error, or to actually twist the functionality of the product itself.
Re:I see what he did there (Score:4, Insightful)
You make it sound like building software that is secure by nature is impossible. It isn't. SELinux is secure by nature. Qmail is secure by nature. Qmail is guaranteed by the programmer to not have security bugs, with a $500 bounty for the reporter of the first exploit.
Modern desktop operating systems have mediocre to poor design from a security perspective. They could be built a lot better, only they're not because it is far more profitable to not improve the security and focus on features instead (flashy window animations sell better than being bulletproof).
Heck, even the software I build for a living is far less secure than it could be, because I have feature-pressure forcing my hand.
Good points (Score:4, Insightful)
"Additionally, as long as IT security is a separate industry, there will be companies making money based on insecurity -- companies who will lose money if the internet becomes more secure."
All the commercial anti-virus software I've ever used has been full of FUD, displaying big red crosses and popup balloons telling me that my system is at risk because I haven't purchased some additional product or upgrade. I see the same companies rolling out stats about virus attacks and in mainstream media warning of the next big threat, doom saying wherever possible.
Personally, as a programmer, I think the weaknesses in software will be fixed and operating systems changed such that deep probing virus checkers are obsoleted. I'd happily see this whole FUD spreading portion of the security industry die.
Some of his points may however be too general:
"The whole IT security industry is an accident -- an artifact of how the computer industry developed."
There are still places where a security industry will always be needed, such as authentication though RSA tokens/smart-cards/biometrics and the associated infrastructure.
In general I think he's about right though. Over time software will improve and things will be built in such a way that common failures of today are obsoleted just like other engineering disciplines have improved methodologies e.g. airplanes are not built with square windows anymore - http://en.wikipedia.org/wiki/De_Havilland_Comet [wikipedia.org].
Re:Security industry is needed (Score:3, Insightful)
Re:I have a better question... (Score:3, Insightful)
I think that's what Mr. Schneier is getting at: most appliances and things we own have a reasonable amount of security out of the box, but not most computers. Standard security should be a concern addressed by the manufacturer, not the customer.
Re:Incorrect assumption (Score:3, Insightful)
To use an analogy, it's as if the locksmiths had convinced us all that we need to buy our car keys and anti-theft systems from them because automobile manufacturers are reluctant to add door locks.