What remains unsolvable in security (Part 1)
Where is all the knowledge we lost with information? - T.S. Eliot
Thanksgiving is always a good time for us to think back and reflect on what we managed to accomplish this year. As a personal reflection, I have focused my effort on vulnerability coordination and responsible disclosure this year. I have also started to build an online presence by sharing my thoughts via these blog posts. As a wrap-up before the end of the year, I want to talk about my experience working alongside many bright minds on the topic of security this year.
In my opinion, we are far from done, though I believe everyone needs to take a break once in a while to look back. For me, I like to ask myself: am I doing the right things to move us forward? I hope to share four observations over the next two blog posts, to discuss what I consider to be the unsolvable problems in security today.
Observation #1: Vulnerability management remains the weakest link in security
Working in security is actually a good conversation starter. This is especially true when my work in vulnerability coordination involves catchy terms like hackers, breaches, exploits, and stolen data. The work we do often ends up in the news. However, deep down we know there is nothing sexy about what we do. The root cause often lies in unpatched systems. Think about the major data breaches this year. You will realize almost all of them were caused by delays in patching. Of course, we should not underestimate the complexity and risks of applying patches in an enterprise environment. With the amount of information (i.e. patches) floating around, many system administrators are overworked and many systems remain unpatched because of limited IT resources. In the end, it becomes a risk management exercise to weigh the risk of not patching against the risk of being hacked. This is the reality many organizations face, and it is one of the unsolvable problems in security today.
Observation #2: The difference between knowing and caring
There is never a lack of information. Instead, we have too much information. We live in a connected world and it is almost too easy to learn about security. On the one hand, we must admit that our awareness effort has paid off. We have generated enough content to get the word out. However, there is a difference between knowing and caring. There is a difference between awareness and adoption. I may dare to suggest we perform well in raising awareness but fail on adoption. Many people are aware of what they are supposed to do, yet fail to react when the time comes. That is perhaps why we see a recurring pattern of social engineering and phishing attacks continuing to succeed.
Different security companies are coming up with better defense solutions to tackle users' 'carelessness'. To be honest, we can't really blame the users because a lot of security features today lack any kind of usability. I am sure you have come across a security pop-up that asks you a question filled with gibberish you are not familiar with (think firewall settings). However, the best artificial intelligence will always lag behind human intelligence. At least, we have yet to develop a machine that will outsmart us. Tackling human action (or inaction) remains very challenging and is another unsolvable problem in security today.