Do you have the nagging feeling we are losing the war for digital security?
Billions have been spent. We thought we would develop secure protocols and that would be that. Instead, digital threats have proliferated at least as fast as digital “solutions”. We’ve added more and more defences, bloating our software, weighing down devices, sapping budgets, and hindering innovations.
Most enterprises just copy what other enterprises are doing rather than taking a hard look at it for themselves. This predictability is vulnerability in itself: when everyone adopts the same strategies, every loophole acquires massive potential for exploitation.
While endpoint security management (available from companies like promisec.com) is essential if only to comply with tighter government regulations, it remains true that security issues are addressed post-deployment, instead of in the design stage. Consequently, there are a thousand patches for a thousand risks when better decisions at an earlier stage might prevent them.
Cisco reported that the frequency of cyberattacks had increased dramatically, in complexity and size over the past year, suggesting the economics of hacking had turned a corner. There is a useful range of low-cost resources that are benefitting the hacking community of today.
We now know that many of those resources were leaks from our own security services, but this merely underlines the point: nowhere is safe, not even GCHQ or the NSA.
The massive Equifax breach occurred shortly after a warning about the vulnerability (in Apache Struts) was sent to the company by Homeland Security. The vulnerability had existed for nine years, so clearly the warning itself triggered the attack, as is often the case, underlining the way our solutions are entwined with the problem.
Secrecy has Failed
Hackers seem able to share strategies in a way defenders seem unable or unwilling to do. Responses take the form of proprietary products based on rival approaches; brands of security incident event management, flavours of identity and access management, and bargain assortments of firewalls and sandboxes. The software they protect often piggybacks on code the developer is not even entitled to examine.
If secrecy has failed, why not try transparency? Cloud collaboration, based on open-source version control like SVN (Apache Subversion), provide an opportunity to thoroughly scrutinise source-code and firmware from the outset, finally making data insecurity a thing of the past.