Sunday, March 05, 2006

Will security ever "get done"?

Here is a fun piece that I wrote recently, based on some stuff I read in the security media. I was planning to publish it elsewhere, but this place is as good as others :-)

Will security ever get done?
by Anton Chuvakin

Here is a fun thing to think about: with security, will we ever really be “done”? Before you, my esteemed security colleague, emphatically scream “NO!”, let us consider this – admittedly philosophical – problem in depth. There is also a related question that we will try to answer en route to the above, more general pursuit: will security become so boring that only boring people will do it (something akin to physical security guards)? In addition, we will touch on another “messy question,” that of “security consolidation”, which has generated some attention lately (see, for example, this, this or this, where some pundits and pundit wannabes spout about it…)

Before we hear some pro and con arguments, let’s stop and think for a second: what security are we talking about? Network security? Software security? IT security? Data security? Or, information security in general? I would prefer to have this question answered for the broader information security realm.

So, why do some folks think that the “security problem” will be solved in the future?

  • OS and application vendors will improve the security of their wares and gear, so that security problems will no longer gather as much attention as they do now
  • Network infrastructure vendors will “embed” security in their offerings and thus address a wide range of current “top shelf” security problems, such as worms, reducing the overall importance of security
  • Similarly, large security companies will combine all sorts of defenses into largely automated “security bundles” and will “protect everybody” with them
  • As new technologies develop, people will learn from the mistakes that plague us now and will start doing things right from scratch (e.g. the IPv6 vs IPv4 situation)
  • In particular, new software projects will “build security in” and thus will not present such a huge attack surface as the current “crapware” products do
  • IT users, both home and the enterprise kind, will finally be educated and thus will avoid the most costly security mistakes, such as running untrusted code (OK, this one is just a tad too naïve to be mentioned here, if not for the sake of completeness)
Did I miss any? Feel free to comment or email me and I will update the list.

Why do others violently disagree?

  • New technologies that use the Internet and whatever other future networks will keep coming out, some say at an increasing pace, and thus result in a dramatic increase in the number of “things to steal, break and abuse”
  • Overall increased connectivity will also enable new attacks and open new exposures, thus requiring novel, creative solutions
  • In general, new threats will always be there, because there is no shortage of people who are smart, creative and evil at the same time
  • Increased reliance on IT systems will strengthen the resolve of cyber-criminals and all sorts of other bad guys to “go cyber” instead of committing “normal” crimes (“…since that is where the money is”)
  • New uses of old technologies – networked fridge, anyone? – will also open holes and exposures in areas where none mattered before (SCADA security is one fine example)
  • Economics always favors fast product delivery and thus lowers the quality of current and future software releases; even if such software is devoid of obvious and easily found flaws, it will still be exploitable
  • Increased regulatory pressure will sometimes create the need for new uses of existing security technologies, or even motivate people to create entirely new security technologies (scalable log retention for compliance comes to mind)
Did I miss any here? Feel free to comment or email me and I will update this list as well.

In addition, some folks aggressively attack the pro arguments instead of coming up with their own cons. Specifically, they claim:

  • OS and other infrastructure vendors will always lag behind, since, by the very nature of being large established companies, they cannot respond to the “fast lane” rate of threat change
  • IT users will not learn and in fact will become worse, since the overall population is getting dumber (note that I am not sure I agree with this one…)
  • Software developers will also not learn from their mistakes and, in fact, will repeat them, since economics seems to favor bad software quality
Let’s step back and try to come up with – no, not the compromise, that’d be silly :-) – the conclusion. Here is what I think the answer is.

Certainly, there will be consolidation in the security market, and defenses will get embedded in both operating systems and network gear, eliminating some of the standalone network and system defense solutions. It is also likely that some types of bugs will be eliminated, if not by the good will of developers then by changes in the commonly used programming languages.

But, on the other hand, the explosive combination of the march of ever-more-critical new connectivity technologies with the presence of dedicated evildoers will, in my opinion, guarantee that information security will remain relevant, vital and fun for years to come! Security technology innovation will not dry up any time soon.

Dr Anton Chuvakin, GCIA, GCIH, GCFA is a recognized security expert and book author. A frequent conference speaker, he also participates in various security industry initiatives and standards organizations. He is an author of the book "Security Warrior" and a contributor to "Know Your Enemy II", "Information Security Management Handbook" and the upcoming "Hacker's Challenge 3". He has also published numerous papers on a broad range of security subjects. In his spare time he maintains his security portal and two blogs.
