Saturday, 27 October 2007

Trends in Information Security

The final session of the conference was the best. It featured Bruce Schneier speaking on Ten trends in Information Security. According to his biography, Bruce Schneier is an internationally renowned security technologist, referred to by The Economist as a "security guru." He is the CTO of BT Counterpane and the author of eight books -- including the best sellers "Beyond Fear: Thinking Sensibly about Security in an Uncertain World," "Secrets and Lies," and "Applied Cryptography," and the influential Blowfish and Twofish encryption algorithms.

His talk was well presented and thought provoking. I'm going to try and blog it almost as he gave it:

His 10 trends were:
1 The economic value of information
Information is becoming more valuable and as storage becoming cheaper, there's more of it. Think of how much information Amazon has about you. It's often cheaper to keep than throw away.

2 Networks as critical infrastructure
How often do we think about something that comes in the mail - this can't be important. If it was, we'd have got it by email.

3 Third parties controlling information
Think about how much of information about you is stored somewhere (do you know where?) by someone other than you. Your email is somewhere else. If you delete it, they may not delete it. Your mobile phone information, medical records are all somewhere else. Your information is widely distribted and the security of it is out of your hands. This is going to get worse as more distributed applications are developed.

4 Criminals thriving on the internet
The nature of hacking on the net has changed. It used to be hackers defacing web pages, (how quaint!). Now they're looking for money. It's not a hobby anymore. Identify theft is another name for fraud. There is a market for exploits and criminals are taking over attacks.

5 Ever increasing complexity
Complexity is the worst enemy of security. As things get more complex, security is getting worse. Security is getting better but complexity is getting worse faster.

6 Slower patching and faster exploits
Concept of throw it out there and patch it if it doesn't work, doesn't work for anything other than software! Patches have to work, be reliable, be well tested, and timely - ie released in hours or days. Can't do. So, companies that have to release a lot of patches, lets just make one up - Microsoft - came up with idea of releasing patches in a regular cycle of a patch release every month. This is much more reliable But there’s a window of vunerability of up to a month - the bad guys release their vunerabilities on patch Tuesday to get the maximum window

7 Sophistication of automatic worms
Worms getting more sophisticated. They are targeted, better written and quieter. They used to put a message on your screen and wipe your hard-disk. The criminal worm sits on your computer and doesn’t advertise its presence.

8 Untrustworthiness of the endpoints
Most of our security is designed according to a WW2 paradigm - one sender, one receiver and a transmission link. Security is based on the transmission link. But, the real threat is the endpoint. What good is encryption if the receiving computer is compromised. For example it doesn’t matter how good your vpn is if the PC is controlled by spyware.
Are our student computers secure?

9 The end user as attacker
We're building security that doesn’t protect the end user from bad things, but protects the company from the end user. Can’t do both. Example of Sony putting software on your PC to track what you're doing with music downloads, but it makes your PC more susceptible to spyware.

10 Regulatory pressure
Increasing all the time. Two basic sales techniques - fear and greed. Security is a fear sell.
Regulation is best stick for people to beat their bosses with to get more money for it security.

Above are increasingly important trends – not going to get better. Non technical aspects of security are more important then the technical ones. IT Economics also have to be taken into account. So, here are 4 aspects of IT Economics:

1 The network effect
A network gets more valuable the more people are on it. This is true for all networks – EDUCAUSE, cell phones, gaming platforms. The more people in a network, the bigger it gets.
Leads to dominant markets

2 High fixed costs, low marginal cots
True for lots of things, eg music, but especially for software. The first copy costs millions, the rest are free becuase the costs are in development, not in manufacture. So how do you recover fixed costs? You use patents, copyrights, trademarks. Also proprietary accessories, eg printer cartridges. Also tends to lead to dominant markets.

3 High switching costs or lock in
Very important in IT as switching costs are very big. If you don't like pepsi, you can drink a coke tomorrow, but if you want to change your word processor? Retraining costs, converting data etc. High switching costs drives a lot of IT economics and leads to worse products and services. And the MS policy of throw it out now, get it right later.

4 A Market for Lemons
All about asymmetric markets ie the seller knows more about the product than the buyer. When a buyer can’t tell difference between a good product and a bad product, good products are driven out of the market. Happened with firewall software a few years ago. Buyers have to rely on signals, eg third party reviews, awards, Gartner, reputation.
Important in security and is why you see some good products not survive.

We're constantly making trade offs. Security failures are often economic failures but standard risk assessment difficult to do and there's a lack of good data. When you have a very low risk event with a very high cost, the maths don't work (try multiplying zero by infinity).
There's also a poor understanding of costs which are often intangible. How much is privacy worth?

Very important in security. This is the effect of a decision not borne by the decision maker.
Eg we own a chemical plant, it pollutes the river, kills people, we don’t live downriver, we don’t care.

It's everywhere in security. The whole of the security of the internet depends on your mother's computer. Why should she care - as long as she can read her emails.
Counterfeit money – why don't they teach us how to recognise it? Because it's not in your interest to find it in your wallet! If they told you how to do it you wouldn’t look.
Software vendors don’t care, especially if they're a monopoly.
Cell phone vendors – spend loads of money making sure you can’t buy a third party battery, but none on voice traffic security.

So, you have to modify the cost benefit trade off. In the example of the chemical plant it would be litigation – allow people to sue. Or regulation. Both raise the cost of polluting the river. Makes cost internal. Then the market should take over.

May see this in IT security soon – software vendors will be liable for bugs which cause us losses. There's no other way to solve the problem.

When you think of security, think of economics. If the economic motivation is not there, security will not get deployed.


pj said...

William Gibson where are you? - sounds like a re-read of Neuromancer coming up.

Graham said...

Great write up - very useful G