Standalone security industry dying, says guru
Schneier sounds death knell for Infosec
Security guru Bruce Schneier has renewed his attack on the IT security industry. A record number of attendees is visiting this week's Infosecurity trade show in London but nobody is buying anything, according to Schneier.
"Buyers don't understand what is being sold. That's why the security industry as a standalone entity is dying," Schneier told El Reg. "It's only because the stuff you buy sucks so bad that the information security industry exists in the first place," he added.
Schneier feels ennui for Infosec.
Schneier compared the information security industry to the car market. Consumers don't buy anti-lock brakes as a separate product. Similarly, information security should be built into products rather than being sold separately, Schneier argued.
He reckons that as the IT security industry matures there will be a greater demand from customers that products and services simply work, a trend mirrored in the growing use of outsourcing.
"Telcos and OEMs should become the only customers for security products. That way you'd have smarter buyers," he explained.
Schneier has touched on this theme before, most recently in a blog posting on the recent RSA Security conference. More of his latest thoughts on the subject can be found here. ®
So what stand was Schneier on?
Oh, it was the BT stand right? The one where they are trying to sell HUGE amounts of managed services to corporates? The company that purchased Counterpane, the company which Brucey used to sell HUGE amounts of managed services to corporates... and we are SURPRISED that he says that people should buy these services from ISPs and Telcos?
Yeah... thought not.
PARIS because in this case, she probably has much more of a clue...
banks and security
"YES you do upgrade a bank's security all the time. The technology for access, monitoring systems, procedures. The fact of the matter is that not enough people are constantly overcoming car security in a way that challenges the developers to upgrade their security"
Banks and IT security? Bad example - unfortunately for customers and also shareholders, I would say - banks do have a bad history when it comes to IT project and system security. And even more sadly - this does not look as if it is changing. Traditionally, the systems have been developed with minimum security in mind. I would go so far as to say that some systems I have seen have been developed utterly WITHOUT security in mind. Ignorance seems to be bliss in the banking sector. If you believe marketing talk - yes, they are 'updating their security all the time' (where on earth did you get that reassuringly overconfident spin?). Are these the same banks being referred to who still today cannot create an overview of a customer's complete relationship and transactions with themselves? (hint - look up 'Basel' and banking).
Sorry, banks are infamous in the IT security world for not doing their homework and for actively refusing to invest in IT security (cost saving). They do not, generally speaking, invest in IT security unless they are forced to (and then as little as they can get away with, accompanied by spin) - they do however invest in strategies designed historically to push any inconvenient costs and blame onto all other actors and stakeholders.
Look at how credit card issues have been handled:
1. To redistribute responsibility by talking about security issues by focusing on E-crimes with government and police.
2. To redistribute responsibility by changing the fine print in contracts with consumers and also to change the name of transactions (see the latest UK development in the way the banking sector is trying to re-define Credit Card payments as 'cash advances' (?) rather than sort out their security issues).
3. If there is a risk that police investigations into security issues may point to embarrassing security holes in their own processes and systems, see to it that those investigations are moved in house and not registered as issues outside (Credit Card fraud investigations anyone?).
Yes banks do a lot (of money) - but IT security is something that they do as a result of being dragged kicking and screaming into the civilised society. Unfortunately for us in the UK - there is very little 'dragging' going on at the moment.
"That's all very well in theory but there aren't billions of groups out there dedicated to the exploiting and overcoming of car security... you don't have millions upon billions of ways of exploiting cars like you do with computers. With code on the computer side of things there are millions of people out there that are constantly attacking and poking holes and they do get in..."
Billions? Which planet are you living on? Never mind the number, let's just assume that this is meant to suggest that there is a significantly large number of people trying to poke holes to get into IT systems. Also it seems fair to assume that the suggestion is that there are fewer ways of exploiting cars etc...
Actually there are relatively few ways that can be used to poke holes into systems. The problem is that there are many variations of those few ways. As new technologies develop, more variations of 'old ways' show up. Very seldom does a security breach represent something completely new.
Historically the two most common causes for breaches are based either on social engineering or on drawing upon weaknesses in the technology. Some social engineering can be dealt with by 'education of the end-user' - but not all. The reason being that some approaches combine social engineering with perfectly valid processes of interaction where the user has no influence whatsoever and must by definition act on trust. The IT community does not take its responsibility (eBay or Credit Card fraud anyone?). Most security issues and breaches do not seem to require much brute force or any superior intellect to succeed. Not many 'hackers' would exactly qualify to be the equals of the mythical 'rocket scientist'. The reason why many 'hackers' have become famous and described as 'geniuses' (without deserving that nomination) is not that all of them have been 'smart gurus' but that the systems they have broken into have been so ridiculously insecure. Often the system owner has been completely unaware of even basic insecurities in their systems. The creators of systems do not exactly brag about their lack of attention to security.
There are many security issues that could have been avoided relatively easily if basic considerations had been taken into account at the design stage. Even worse - many security weaknesses are created by design. I think that end users have the right to expect that professional IT / IS designers should be more competent (in IT / IS security) when designing solutions than the users themselves.
I cannot justify approaches where IT specialists blame users for security problems and put the causes blatantly on users' ignorance. To suggest that people should take responsibility for their IT security is only valid as an ideal proposition and only partly relevant because of the many very basic underlying security flaws in commonly applied architectural solutions. It would be like suggesting that the user should know about weaknesses that the designers of the system refuse to admit they have introduced as part of the design - not a great idea, I think.