Apathy and Alchemy: When Good Enough Security is Good Enough
Despite the consistent heel-nipping assertions that all I want to do is have people throw away their firewalls (I don’t), I think Shrdlu nailed it with a comment posted on Lindstrom’s blog. I’ll get to that in a second. Here’s the setup.
Specifically, Pete maintains that Spaf’s comments (see here) are an indicator that security isn’t failing, rather we are — and by design. We’re simply choosing not to fix the things we ought to fix:
This is a simple one, from Dr. Eugene Spafford’s blog:
We know how to prevent many of our security problems — least privilege, separation of privilege, minimization, type-safe languages, and the like. We have over 40 years of experience and research about good practice in building trustworthy software, but we aren’t using much of it.

So, we have resources that are unallocated – we have time, money, and bodies we could throw at the security problem. We have the know-how and the tools to reduce the risk. And yet, we aren’t doing it.

If security were "failing" there would be evidence of people either giving up entirely and reducing their IT investments and resources, or spending more money on success.
An interesting perspective and one I’m bound to agree with.
Here’s Shrdlu’s comment which I think really nails the reason I am going to continue to press the issue regardless; I think the general apathetic state of the security industry (as Pete suggests also) is the first obstacle to overcome:
Cherchez l’argent, mes amis. Mix in Spaf’s argument with Pete’s and add Marcus and Bruce, and you’ve got the answer: people don’t think security is failing enough to spend money doing something about it. The externalities aren’t intolerable. The public isn’t up in arms; if anything, security breaches have reached the same level of public semi-awareness as bombing in Iraq — it happens every day, everyone agrees how awful it is, and then they go back to their lattes.

We’re not going to fire or retrain a generation of cheap programming labor to Do the Right Thing and redesign systems. Not until it hurts enough, and let’s face it, it doesn’t. All the FUD and hand-wringing is within the security industry. We’re doing our jobs just well enough to keep things from melting down, so why should anyone pay more attention and money to something that’s mediocre but not a disaster?
There’s not a whole lot more that needs to be said to embellish or underscore that argument.
I’ll be over here waiting for the next "big thing" to hit and instead of fixing it, we’ll see SoX part Deux.
See, Shrdlu’s not the only one who can toss in a little French to sound sophisticated :)
/Hoff
Hey, if you want to sound REALLY sophisticated, you need a quote in Russian — Oh Rybolov, where are you?? :)
I'll wait along with you for the Next Big Thing, Hoff, and we can eat popcorn and watch. Whatever it is, the response is going to be whatever causes the least amount of economic pain, whether it makes sense to security purists or not.
Love the Apathy photo, btw :)
Let's see, how about these (sorry, I hate transliteration, but the "normal" people are all about it):
"Kogda rak na gorjak visnyot.": When the crab on the mountain whistled. Meaning "thousands and thousands of years ago"
"Doveri no proveri": trust but verify (quote from Ronald Reagan but he mispronounced it–apparently elite Russian-speaking skills aren't a requirement for being a publicly-elected official.)
"Skol'lo raz ya tebye govorila nichego ne brat paltsami?": "How many times have I told you, don't eat with your fingers?" Note the feminine verb ending, obviously it's a mother talking to her children.
"Ya sam soglasen sto-pyatdesyat-sem c polovinoy protsentov.": "I myself am in agreement 157.5 percent."
"Ne pukha, ne pera": "No fluff, no feathers." Meaning: "good luck". Entirely a non sequitur to the rest of the world.
Or my personal favorite: "Volosi ryzhie, chelovek neschastlivije": "If the hairs are red, the person is unlucky"
Now having said all that, I do agree with the definition of "acceptable risk" by the business owners. Basically, yes, they are more willing to accept risk than the security people are. This is a theory I've had for a long, long time and I'm glad other people, especially people who I think are smart, agree with me at least somewhat.
Going on a step further, I also propose that the concept of "compliance" doesn't work exactly for this reason and that most risks today's security manager is going to encounter on a daily basis are more "audit risks" than "real risks". Yes, they're still real risks, but due to the low rate of occurrence, the threshold for acceptable risk is higher.
Just a quick clarification – I am not making a value judgement that people "ought" to fix things, I just wish they wanted to. It is important for us to recognize that this might be okay.
I do wonder whether this is more a failure of our profession than anything else, but more on tying this post to my previous "can security professionals make a difference" post in another, future post.
Pete
I just posted this to my tumble log with a link to this post:
Another great blog post.
Security engineering is like any other engineering — we spend enough to prevent (or easily recover from) expected risks. We can't protect against every risk, so we make some calculated risk management decisions.
What complicates the picture is that we don't have good risk models for IT (especially given the rate of change and churn); we don't have a functional liability component yet (if we ever do — think pressure from insurance companies); and we don't actually understand the scope and value of our total losses (how do we value loss of privacy, and who knows precisely what is lost in economic espionage).
We aren't good at looking at things in the large, or else we'd realize that investment of a few hundred million $$ per year might save us (collectively) tens of billions. Instead, it is constant overhead, providing friction for innovation and commerce.