August 14, 2006 4:00 AM PDT
Perspective: Why Internet security continues to fail
Indeed, free-market financial interests and an unhealthy complacency by vendors and customers alike continue to overpower sound security logic and practices. Even though many companies conduct cutting-edge research into technological security measures, the IT world continues to endorse a technology-centric approach to information protection. This has created a security planning problem for information-based organizations.
Customers forget that the technologies of protection are only as reliable and resilient as the underlying infrastructures they want to protect. Failing to acknowledge or fix an infrastructure plagued with problems raises many doubts about any security product's ability to function in such a foundation. Placing more complexity on top of existing (and flawed) complexity does not lead to increased protection, but rather, fosters a false sense of increased protection.
While helping to define the software industry, software licensing provisions shield vendors from legal and fiduciary responsibility for problems arising from their products. They also offer corporate protection rarely found in other industries. The technology industry apparently is the only business engaged in regular commerce that's immunized against gross negligence in the design or manufacture of its products.
Yet tolerating and implementing "good enough" products from unaccountable vendors is the accepted norm--and any resulting loss incurred by customers is deemed the price of doing business in the Information Age. How such practices contribute to stronger Internet security remains unclear.
Concerns about protecting information helped establish several security evaluation criteria in recent years. From HIPAA and FISMA to SOX and GISRA, nothing signifies a successful information protection program today better than publicly trumpeting compliance with any of these government auditing and certification standards.
But if these standards are considered minimal requirements for security success, why are few--if any--security chiefs fired when their programs fail to stand up to challenge? (The current penalty for such failures seems to be little more than rhetorical admonitions to "do better next time"--as evidenced regularly during the annual Federal Computer Security Report Card evaluations.)
Today's technology procurement cycle requires customers to upgrade their products and remain current with their vendors' supported product lines (and revenue goals) by routinely replacing one "good enough" product with another of equal standing. The new features may be neither needed nor required. At that point, like it or not, customers run up against unfamiliar products and potentially significant, unknown costs to their networks and organizations.
Customers must reverse this practice by upgrading when they--not their vendors--deem it necessary. By doing so, they can also terminate their roles as unsuspecting beta testers for allegedly completed products and shake off a dependency relationship that's more akin to the psychological condition known as Stockholm Syndrome than to sound business practice. The time to test software is before, not after, customer deployment.
The current state of insecurity clearly is not acceptable, and customers should be demanding serious improvements. But if real change is to occur, we need to look beyond technology innovations before effective security benefits can be realized. What we know now is that the major obstacle to significant progress toward sound information security is cultural, not technical.
Biography
Richard Forno is a principal consultant for KRvW Associates, a Washington D.C.-area security consultancy. The views expressed in this article are his own.
14 comments
> (and flawed) complexity does not lead to
> increased protection, but rather, fosters
> a false sense of increased protection.
It was already beaten to death on forums - C|Net ones included.
Please please please please mark your article as Windows-only, since the described problems are solely Windows-specific, with its barbaric state of second/third-party software development.
The Linux and BSD systems have all passed through that infant age when "more" is considered "better". Windows, with its backward-compatibility mantras, is not yet there.
Internet Security and Privacy can only be achieved through a BS in Computer Sciences or
People want spam blockers because of all the junk mail, but they flip if one valid e-mail gets filtered out. I know it's a very different situation technically for internet security, but the analogy is fairly straightforward.
If you try and change the groundwork as the article discusses (because the underlying problems can't just be masked and covered up), you are looking at restricting those unwilling to upgrade. Most of this is because of cost, and who is supposed to pay for it? If the software companies have been allowed to have the attitude they have had up until now, then we have accepted their software as is; we can't demand that they provide the changes for free. Basically you'd have to start a second internet, in terms of everything from protocol to browser.
Bottom line is that we set the bar for standards low at the beginning because we just wanted the service, and figured we'd worry about the details later, but in doing so, we've shot ourselves in the foot. It would have been cheaper if the problems were fixed in the beginning. Pay more for the first service, but you wouldn't need to pay for the other services that protect you from the things that weren't considered in the first place.
Windows would be an example, so would Adobe or Linux or any other software developer working with the current Industry licencing practice.
That these software flaws can and do lead to personal and corporate system crashes or loss of data via the internet puts the emphasis on that mysterious entity THE INTERNET. And absolves the software manufacturers because it is stated in the licence which you had to agree to, that the use of the software and any losses or damage due to that use is on your head alone.
Like GM or Ford saying, buy our vehicles, but if you drive them or take them out onto that ill-defined "HIGHWAY"...well, that's not our thing and you're on your own. You'll find all this in your licence, happy traveling.
I think the writer has a valid point and I'm willing to take it a step further by adding that the licencing practice, while it isolates the manufacturer from any culpability, shifts the "blame" and further demonizes "the Internet" as this ungodly place where who knows what can or will happen. And that the government must step in to regulate the internet and protect the innocent, including those poor software manufacturers. Ya gotta love lawyers.
Consider a banking system which allows you to log in to their website and, say, lets you view your balance. Until a few (actually a lot of) years back, you would go to a bank with your ID and ask for this info. On ID verification, you would be given the information. Now the bank gives you a user name and a password and lets you view it yourself. In the process the following things are done:
1. ID verification using user name and password.
2. Restricting access, as only the authorised user can access his own details.
3. Storing the data only in the bank's own system, which can be accessed only by authorised users.
4. Restricting the type of users: only you and an authorised bank employee can view the info.
5. Saving on the costs of manually giving info.
If the bank kept all this data on every user's computer, it would not be secure. Also, if the bank did not manage who all can be the users and the types of users, there would still be loopholes in the system. If the bank gave this information in an unsecured way (e.g. not encrypted), it would not be secure. Lastly, if the user downloads the data and stores it on a public computer, it will not be secure.
We need a similar system that manages the personal information of people. It can be a private company or government organisation which manages the data, stores it only in one computerised system (with proper backup) and provides it to "only" authorised parties, which are only the users themselves and the IRS. Nobody else should get this data.
For transacting business (payments etc.), it will work similar to Google Checkout. In Google Checkout, you register your credit card account info with Google. Then you just provide your Google account details on various websites while buying or selling. The websites interact with Google servers and the actual personal data is never passed on to them.
www.trustedcomputinggroup.org
You spend all your time stopping unwanted traffic and trying to find destinations and push packets to destinations.
Let's kick a sacred cow and put the blame where it belongs. Problems that exist can only highlight the poor foundation. Every time, look at the root cause, not the apparent cause.
We now have enough history of problems to do a real redesign, and I don't just mean increasing the number of addresses. IPv6 is such a crock; it is defining new, bigger limitations. Who got a PhD for coming up with that?
How do we start again and roll out something that really works. Throw out the bath water.
It's a bit like throwing out MS Windows and using a real operating system because the underlying problems will never be fixed.
They would then have an in to control the internet similar to the OS control they have on PCs.
This seems to be the direction they are going. I think with their product activation and other policies, if the Internet is then brought down, all they have to do is say we need to be able to do a new version of TCP/IP.
Then with the new Microsoft TCP/IP in place they would have the control as well as licensing fees that even FreeBSD and Linux would have to pay.
If you look at things like Java and Microsoft's Java you can see how this would work. If Microsoft will do that to another company's product time and time again, imagine what they would do with a public or OpenSource system.
I don't want Microsoft involved in public, OpenSource and other operating systems. If they do, it will leave us forced to use their products again.
Just look at the open document debate. Microsoft on one side and everyone else on the other, and yet we are forced to use Microsoft. If a third party could do an add-on to Office to expand the sharing to other Office versions, it would be great. By Microsoft doing it instead, it not just forces us all to use their format but also to pay the toll bridge.
In this regard, NetAlter is redefining security standards for its own alternative to the Internet by making the basic foundations of its network highly secured in implementing innovative security structures and technology.
For example, they are offering to end users Universal Authentication integrated with their browser. Unlike present browser technology, the NetAlter browser does not store user information in the form of client- or server-side cookies, thus denying access to the personal information.
The second aspect is that the NetAlter browser will run only those applications which are digitally secured. This denies execution of any malicious or hijack code or scripts within its framework.
The transfer of data is also done in a secured, encrypted format with origin and destination keys embedded, which makes the data virtually inaccessible if downloaded to a different destination.
This is a very innovative step indeed.
It has everything to do with a lobbying group trying to establish legislation that will make software companies accountable for security incidents such that they have to pay money, lots of money.
Automobiles have glass windows. It's easy to bypass the security mechanisms of an automobile by breaking the window. Yet, you can't sue your automobile manufacturer if your car is broken into.
Your house has glass windows. If a criminal breaks your windows and enters your home, you can't sue the real estate company, or your mortgage company, nor the window manufacturer.
How about guns? People have tried -- and failed -- to hold gun manufacturers responsible for criminal use of guns.
Richard Forno is wrong when he suggests the technology industry is alone with its immunity from accountability for security flaws, for the reasons I gave above.
Richard Forno is a lobbyist trying to bring about legislation such that he and his buddies can SUE SUE SUE Microsoft and their big fat profits whenever a script kiddie does something minor and inconsequential to someone's website. The term "holding software companies accountable" means, "I want a piece of their big profits."