'Treat infosec fails like plane crashes' – but hopefully with less death and twisted metal
We never learn from incidents, says Europol security adviser
The world has never been so dependent on computers, networks and software, so ensuring the security and availability of those systems is critical.
Despite this, major security events resulting in loss of data, services, or financial loss are becoming increasingly commonplace.
Brian Honan, founder and head of Ireland's first CSIRT and special adviser on internet security to Europol, argued that failures in cybersecurity should be viewed as an opportunity to learn lessons and prevent them happening again.
He made the remarks during a keynote presentation at the #IRISSCERT conference in Dublin on Thursday.
He used commercial airlines as an analogy. Fatal accidents per one million flights have decreased from four in 1978 to less than one in 2016. A similar, more disciplined approach has the potential to push down infosec failures too.
We need to learn from incidents rather than making the same mistakes, Honan said, adding that victim blaming – commonplace in infosec – isn't helpful. In addition, cybercrime ought to be reported to the police. A business wouldn't hesitate to report that someone had broken into its office, but it won't report a malware infection – an attitude Honan said needs to change.
Sean Sullivan, a security advisor at F-Secure, made a similar point in a different context to El Reg earlier this week. "People aren't learning from each other when they get hacked," he said.
No postmortem was carried out following the iPhone SDK hack in February 2013. This attack was blocked by Facebook and other targets, but hackers were able to use the same technique of abusing Java in the browser to successfully attack Sony Pictures Entertainment years later. ®