Why aren’t we learning long-term lessons from security disasters?

Why aren't we learning long-term lessons from security disasters?

Graph and man images from Shutterstock. Why aren't we learning long-term lessons from security disasters?Security and privacy problems seem to have grown bigger and badder over the last year, with ever larger breaches and data leaks, continual revelations on the depth and breadth of government snooping, worries about the efficacy of encryption techniques (even when properly applied), and gluts of software vulnerabilities building to a crescendo with the impending end of patches for one of the world’s most popular platforms.

For the most part our reaction to these developments is to plug leaks, implement workarounds, and make quick fixes.

But wiser heads need to be thinking further ahead, developing new protocols, processes and technologies that don’t stick a hasty patch over the latest problem, but push us towards a world where whole categories of problems are no longer a risk.

POS malware, XP end-of-life and data leaks

The recent massive data theft from retail chain Target appears to have been performed using point-of-sale (POS) malware infecting checkout systems in stores. The malware itself has been variously claimed to have Russian and Romanian origin, and may also have been involved in several other breaches.

POS malware has been a problem for a while, especially in the US thanks to the slow adoption of modern banking card security .

While not unbreakable, EMV technology and Chip and PIN offer a much better security against malware, usually requiring hardware-based attacks to get the data needed to clone cards.

So of course many people are pointing out that this upgrade is long overdue – both bankers and card makers have taken the opportunity to push for more speedy adoption, while others have gone even further, saying we should maybe think of dumping cards entirely in favour of fully digital solutions.

Banks have also been caught up in the XP end-of-life debacle, with apparently 95% of the world’s ATMs running XP and many of them unlikely to be upgraded in time for the final batch of patches.

Similar issues have been predicted in UK government and health service networks, with thousands of systems expected to miss the deadline for safe upgrading.

Again, why are we only doing this now? The “full” support period for XP came to an end in 2009, and it was pretty clear that we only had five years to plan our upgrade schedules. Many people are only now taking action, leaving too little time to organize a smooth and inexpensive transition.

Reactions to the biggest security story of the last year, the Snowden/NSA leaks, has been similarly overdue. Now that we know what’s been going on, we’re once again scrambling to fix the problem.

Big data security and zero-day exploits

The US may get some stricter rules controlling how much data spies can hoover up, while  governments are redefining how we expect software flaws and vulnerabilities to be treated.

Zero-day vulnerabilities should be patched to keep us all safe, rather than kept secret so that snoops can exploit them to sneak into any machine they feel like exploring.

Here too, we’re late to the table. It’s been well known for a while now that government agencies had deep pockets when it came to buying vulnerability info, but no one really tried to ensure they were buying them up for the right reasons.

As for the data gathering, of course such information will be of interest to spies, but there was never any real impetus to ensure it was properly controlled until the scandal broke.

Prevention is better than cure

So what’s our problem? Is it just our natural predilection for procrastination, putting off until tomorrow things that we really should have done quite some time ago?

That’s not a good way of implementing security or privacy controls. They need to be there as early as possible, well thought through and built in from the ground up in any system or process we use.

We can’t keep waiting for a disaster before we decide to put in disaster prevention procedures.

We need to start thinking further ahead, about what our potential weak points might be many years down the line, instead of scrambling to react to dangers as they emerge.

Images of graph and pointing man courtesy of Shutterstock.