Thursday, January 17, 2008

Luck-based Security?

Fun quote from this interview with Art Coviello of RSA: "Coviello: But I can tell you that every retail customer I went into, and I say, Why hasn't this [TJX-scale breach] happened to you? They say, Luck. All these systems were built prior to the Internet and they get connected to the Internet and then all of a sudden everyone's a schmuck."

It is a very useful reminder that a lot of our "security" is luck-based: in other words, you are not 0wned because nobody has gotten around to hacking you yet :-)

6 comments:

Anonymous said...

> It is a very useful reminder that a lot of our "security" is luck-based: in other words, you are not 0wned 'cause nobody got around to hacking you yet :-)

Or you just haven't figured out that they hacked you.

Anton Chuvakin said...

That IS very true: luck-based security = you are either owned and don't know it OR you are lucky to not be owned yet! Perrrrfect :-)

Anonymous said...

I'm reminded of Goldwyn's remark, "the harder I work, the luckier I get."

Luck has little to do with it. Preparation has everything. And those companies which aren't preparing are simply waiting for their luck to run out.

Moving the paradigm toward data-centric security may make more sense, even as you continue to patrol the perimeter; assuming that you're unlucky, and someone hacks in...you don't want them subsequently having unfettered access to all the information contained on the network.

Ideally, the data should be protected in such a way that it cannot be read by anyone who doesn't have permission to do so, regardless of where it resides.

Anton Chuvakin said...

> "the harder I work, the luckier I get."

That is EXACTLY my point: or, rather, "the more I work on security, the more I hate those who don't do ANY work, but are still not hacked" :-)

What protects them is "luck-based" security.

Think people with Oracle databases unpatched since 1994. Think people with open wireless access to credit card transaction servers. Think telnet users.

Steve said...

Better yet, think of those folks who blithely throw unencrypted tapes in the back of a truck or car, and simply trust that the tapes will make it to their final destination.

At some point, some class action lawyer is going to realize what a goldmine he could be sitting on with a case like this...and that, in itself, should scare companies into looking at other steps they should be taking.

Unless, of course, they've already figured in the cost of settling such a lawsuit as part of the cost of doing business. Which would NEVER happen, right?

Anton Chuvakin said...

> Unless, of course, they've already figured in the cost of settling such a lawsuit

Well, this is sadly getting more common, and WE are the ones to blame :-)

Why?

'Cause the cost/benefit of such a choice (getting sued) is actually easier to quantify compared to a typical security solution ...

Dr Anton Chuvakin