Why aren't we learning long-term lessons from security disasters?

Filed Under: Featured, Security threats

Graph and man images from Shutterstock. Why aren't we learning long-term lessons from security disasters?Security and privacy problems seem to have grown bigger and badder over the last year, with ever larger breaches and data leaks, continual revelations on the depth and breadth of government snooping, worries about the efficacy of encryption techniques (even when properly applied), and gluts of software vulnerabilities building to a crescendo with the impending end of patches for one of the world's most popular platforms.

For the most part our reaction to these developments is to plug leaks, implement workarounds, and make quick fixes.

But wiser heads need to be thinking further ahead, developing new protocols, processes and technologies that don't stick a hasty patch over the latest problem, but push us towards a world where whole categories of problems are no longer a risk.

POS malware, XP end-of-life and data leaks

The recent massive data theft from retail chain Target appears to have been performed using point-of-sale (POS) malware infecting checkout systems in stores. The malware itself has been variously claimed to have Russian and Romanian origin, and may also have been involved in several other breaches.

POS malware has been a problem for a while, especially in the US thanks to the slow adoption of modern banking card security .

While not unbreakable, EMV technology and Chip and PIN offer a much better security against malware, usually requiring hardware-based attacks to get the data needed to clone cards.

So of course many people are pointing out that this upgrade is long overdue - both bankers and card makers have taken the opportunity to push for more speedy adoption, while others have gone even further, saying we should maybe think of dumping cards entirely in favour of fully digital solutions.

Banks have also been caught up in the XP end-of-life debacle, with apparently 95% of the world's ATMs running XP and many of them unlikely to be upgraded in time for the final batch of patches.

Similar issues have been predicted in UK government and health service networks, with thousands of systems expected to miss the deadline for safe upgrading.

Again, why are we only doing this now? The "full" support period for XP came to an end in 2009, and it was pretty clear that we only had five years to plan our upgrade schedules. Many people are only now taking action, leaving too little time to organize a smooth and inexpensive transition.

Reactions to the biggest security story of the last year, the Snowden/NSA leaks, has been similarly overdue. Now that we know what's been going on, we're once again scrambling to fix the problem.

Big data security and zero-day exploits

The US may get some stricter rules controlling how much data spies can hoover up, while  governments are redefining how we expect software flaws and vulnerabilities to be treated.

Zero-day vulnerabilities should be patched to keep us all safe, rather than kept secret so that snoops can exploit them to sneak into any machine they feel like exploring.

Here too, we're late to the table. It's been well known for a while now that government agencies had deep pockets when it came to buying vulnerability info, but no one really tried to ensure they were buying them up for the right reasons.

As for the data gathering, of course such information will be of interest to spies, but there was never any real impetus to ensure it was properly controlled until the scandal broke.

Prevention is better than cure

So what's our problem? Is it just our natural predilection for procrastination, putting off until tomorrow things that we really should have done quite some time ago?

That's not a good way of implementing security or privacy controls. They need to be there as early as possible, well thought through and built in from the ground up in any system or process we use.

We can't keep waiting for a disaster before we decide to put in disaster prevention procedures.

We need to start thinking further ahead, about what our potential weak points might be many years down the line, instead of scrambling to react to dangers as they emerge.

Images of graph and pointing man courtesy of Shutterstock.

, , , ,

You might like

13 Responses to Why aren't we learning long-term lessons from security disasters?

  1. Steve Stone · 627 days ago

    Why is XP still in use today? Probably same reason that in the mid to late 1990s I saw Ford parts counter PCs running OS2. The industry has invested in XP, Upgrades to modern OS would require hardware and infrastructure upgrades that would eat into profits, business can write off losses as a cost of doing business, Financial businesses are not seeing their profit significantly decline because of security issues... until now perhaps?

  2. "Why aren't we learning long-term lessons from security disasters?"... that's a simple answer...

    ...because nobody is going to jail...

    ...because an apology always makes everything OK...

    ...because in America, if the "fix" costs me more time to do anything, then it's not worth it...

    ...because, like everything else someone will put a $$$ figure on what it will take to fix and then we, not the companies will pay that cost...

    Chose one.

    • Baron von Robber · 627 days ago

      Because those in charge are only interested in short-term profits.

  3. Andrew Yeomans · 627 days ago

    Simple reason - in many or most organisations, "security" is a cost centre rather than a profit centre.

    Now if the value of data had to be directly reported in the company annual report, the situation might change.

    • LonerVamp · 626 days ago

      This sort of transparency is scary, though! It will reveal how personal data is used for other revenue-generating means, like being sold for advertising.

  4. Beryl · 626 days ago

    "Experience and history show us that People and governments nerver learned from history, that they never acted by the lessons they could have learned"

  5. Sam · 626 days ago

    It was ever thus ... and probably always will be. I have been in charge of/ involved in/ interested in data and IT security for about 35 years and the managerial problems today are no different from those of the 1970s and 80s.

    I think I have said here before - nothing will change until companies are required to have their security reviewed as part of their annual audit and reported on in the Annual Report. It should also be a consideration in the renewal of a banking licence.

    • That's quite sad to hear. :/ At least it seems like I'm not wrong in being paranoid about my account security.

  6. Deramin · 626 days ago

    Many of the very oldest stories in any culture talk about a catastrophic flood. Bad floods kill thousands of people and cost millions to billion of dollars in damages. We know exactly how to avoid being in their path, and where that path will be. We can easily avoid most of those significant losses. But we don't even have enough will and foresight to deal with that problem, let alone the security problems of our own design.

    The basic problem is that humans don't really believe the future exists, and we don't believe that catastrophes will happen to us. Even perfectly predictable ones.We're wired to think we can get away with it. I think we should fight for a world of good planning and mitigated disasters, but know that in doing you are fighting the whole of human history and instinct.

  7. Timothy Meryweather · 625 days ago

    As Steve and Andrew stated above - business runs on profit and loss statements. Anything remotely dealing with security is a cost-inhibitor to the profit line. Having worked for a national car loan agency, I learned 'doing the right thing' was anti-business: they stood to lose more money tracking down ID Theft stolen cars, having the suspect arrested, and auctioning the car than if they simply wrote the whole loan amount off as a loss. Upside down thinking for most people but perfect sense for the spreadsheet-bottom-line-profit-column focused BoD's. ONLY when they themselves are directly impacted by loss or fear-of-life (their own) will they override the spreadsheet.

  8. Bill Caelli · 625 days ago

    Simple - the "father" of info security, the late Dr Willis Ware of Rand Corp, put it so well over 30 years ago - "market forces have NEVER resulted in the development and sale of secure systems!" No surprise - remember seat belts in cars, regulation of the aviation services industry, food and pharmaceuticals..... and on and on.... It is the job of Government in a democracy to provide the mechanisms, via legislation, to protect the citizenry and the ICT industry is no exception! (Yes- there is an RAF, etc. you know!)

    For example, how many SELinux type servers are deployed, who is even thinking of SEAndroid, what about "mandatory access control" structures, anyone serious about DNSSec, and so on - really, nothing much at all!!

    Yes -as the great US Senator Sam Nunn put it in the mid-1990s - America will not respond until there is an electronic Pearl Harbor. .... may be then Governments and politicians will take there responsibility in mandating a hardening of national information infrastructure seriously - they aren't now! or perhaps that new Chinese operating system may take security seriously...hmmm...

  9. An open question here: How many of those ATMs running Windows XP, are actually running XP Embedded? This answer matters more than one might think, because XP Embedded doesn't reach end of life until 2016 ... as long as it was brought up to SP 3 (http://support.microsoft.com/lifecycle/search/default.aspx?sort=PN&alpha=Windows+XP+Embedded&Filter=FilterNO)

    Granted, if any of those ATMs are running XP E rather than "true" XP, I sincerely doubt that the banks who operate them are going to do as they should and spend the next two years upgrading them in advance of EOL. No, they'll do what most businesses do, which is to wait until the last minute to upgrade, or worse, let the deadline slip by without upgrading, then rush around trying to replace ATMs after support has lapsed.

    All I'm doing is pointing out that, in the case of XP E, the tech media needs to stop ringing alarm bells, because it'll continue being supported for another 2 years.

  10. Mark Sitkowski · 618 days ago

    Let's see if that's true.
    Here is a guaranteed solution to the credit card/retailer problem, which doesn't need major system redesigns, or fancy cards - we'll see if anyone takes it up:
    First, the credit card companies give everyone a UserID, which gets put on the credit card, instead of the number.
    Next, everyone chooses a keyword, like 'NeimanMarcus' or 'Target' (too soon?).
    The POS system connects to the credit card company, as usual but, instead of prompting for a password, it displays a matrix of upper/lowercase alphabets, with a random pattern of 1's and 0's underneath.
    The user types the 1's and 0's corresponding to his keyword, which goes to the credit card company for approval. After limit checks, expiry checks etc, the user is approved.
    The next time the user makes a purchase, the pattern of 1's and 0's is completely different, so the previously typed code is useless to an attacker. Doesn't matter whether it's malware, network snoopers, or spy cameras, the information is always useless.
    For obvious reasons, anything in the retailer's logs is also totally useless.
    Now, let's see if this has been a learning experience, shall we?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

John Hawes is Chief of Operations at Virus Bulletin, running independent anti-malware testing there since 2006. With over a decade of experience testing security products, John was elected to the board of directors of the Anti-Malware Testing Standards Organisation (AMTSO) in 2011.