Michael Healey: Pay Attention (Piling On)
Richard Bejtlich has a post responding to an InformationWeek article written by Michael Healey, ostensibly about end user security. Richard upbraids Michael for writing the following:
Too many IT teams think of security as their trump card to stop any discussion of emerging tech deemed too risky…
Are we really less secure than we were 10 years ago? Probably not…
…security folks are so jumpy. But they’re missing the message that CIOs need to hear: Security is working. It’s been more than a decade (yes, 10 years) since any particular security flaw has had a truly widespread impact. The Melissa and the ILoveYou attacks were the last.
Now Richard dresses down Mike regarding his naivete about the threat landscape. Using Melissa and ILoveYou as examples of aggregate risk to Internet participation is, of course, silly. But the lesson doesn’t stop there. Michael, even if your organization hasn’t had a recent, significant breach, there’s very little evidence to suggest that this is because “it’s working”. It could very well be “good luck” based on a low frequency of threat actions. Think of it this way: while I’m sure there are parts of Oklahoma that haven’t been hit by a tornado in recorded history, that doesn’t mean that I’d move into a mobile home there.
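To make the “quiet years are weak evidence” point concrete, here is a small added illustration (not from the original post, and not Healey’s or Bejtlich’s numbers): a Poisson model of breach frequency with two competing explanations for a breach-free decade. The per-year rates, the prior and the ten-year window are assumptions chosen only to show the shape of the argument.

```python
import math


def p_zero_events(rate_per_year: float, years: float) -> float:
    """Poisson probability of observing zero breaches over `years`
    when the true breach rate is `rate_per_year`."""
    return math.exp(-rate_per_year * years)


def posterior_controls_working(prior_working: float, rate_working: float,
                               rate_weak: float, years: float) -> float:
    """Bayesian update: P(controls are working | zero breaches in `years`).

    Two hypotheses are compared:
      - controls working: breaches arrive at `rate_working` per year
      - controls weak but attackers rarely bother: breaches arrive at
        `rate_weak` per year (the 'good luck' explanation)
    """
    likelihood_working = p_zero_events(rate_working, years)
    likelihood_weak = p_zero_events(rate_weak, years)
    numerator = prior_working * likelihood_working
    denominator = numerator + (1.0 - prior_working) * likelihood_weak
    return numerator / denominator


def years_for_likelihood_ratio(rate_working: float, rate_weak: float,
                               ratio: float) -> float:
    """How many breach-free years are needed before 'controls working'
    is `ratio` times more likely than 'weak controls, rare attacks'.
    Solves exp(-rate_working*t) / exp(-rate_weak*t) = ratio for t."""
    return math.log(ratio) / (rate_weak - rate_working)


if __name__ == "__main__":
    # Assumed illustrative rates: even 'weak' controls see a breach only
    # about once a decade when threat actions are infrequent.
    RATE_WORKING = 0.02   # breaches per year if controls are effective
    RATE_WEAK = 0.10      # breaches per year if controls are weak
    YEARS_QUIET = 10.0    # the decade Healey points to
    PRIOR = 0.5           # start with no opinion either way

    print("P(no breach in 10y | weak controls) = %.3f"
          % p_zero_events(RATE_WEAK, YEARS_QUIET))
    print("P(controls working | 10 quiet years) = %.3f"
          % posterior_controls_working(PRIOR, RATE_WORKING, RATE_WEAK, YEARS_QUIET))
    print("Quiet years needed for 10:1 odds   = %.1f"
          % years_for_likelihood_ratio(RATE_WORKING, RATE_WEAK, 10.0))
```

Under these assumed rates, a weakly defended organization still has better than a one-in-three chance of going ten years without a breach, ten quiet years only move a coin-flip prior to roughly 69% confidence that the controls are working, and it would take almost three decades of silence to reach 10:1 odds. That is the difference between “it’s working” and “nothing has happened yet”.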
Let me also pile on by mentioning that the Verizon DBIR data set shows a significant uptick in the use of custom malware by threat agents (you know, the kind designed to evade signature-based defenses) in data breaches.
Speaking of which, let me share with you a few thoughts on impact and loss. In the past four years, we can account for nearly a billion records (credit cards and other PII) known to be compromised. And that’s *just* the Verizon/Secret Service data. You could probably increase that number by 12 figures by including data at risk and lost from the DLDB. Being a journalist, I’m sure you’ll recall that here in the US we have had significant IP and military secret losses, as well.
Finally Mike, there’s the problem of trying to keep up with the threat landscape. Take Gunnar’s excellent table around web security as an example:
Do we really need to say any more?