Rake Narang: What are some of the most common but critical mistakes still happening in IT security?
Eugene H. Spafford: There is too much attention focused on the perimeter, and keeping “things” from getting in. However, there is no real perimeter anymore with portable systems, thumb drives, networked cell phones, and the like, and thus the defensive posture is faulty.
Everything is put online and networked, and this is a mistake because it makes everything potentially accessible and vulnerable to attack. Along with this, everything is put on common platforms to make it cheaper and simpler to manage – and often sharing the same vulnerabilities.
There is no overall plan for security based on risk and sensitivity. Not everything needs to be protected the same way or at the same level of intensity; defenses should be focused where the need (and potential loss) are greatest.
Rake Narang: Why does the overall security landscape appear to be getting worse instead of better?
Eugene H. Spafford: There are many reasons, but I’ll list three.
First, we continue to deploy badly designed and poorly protected systems, using add-ons and patches as an attempt to provide protection. In large part this is dictated by the market, but that in turn has been driven by decisions to obtain and operate systems on the basis of acquisition cost or compatibility with legacy applications rather than based on quality and security. These systems are growing more complex and widely deployed for critical purposes, and the poor design decisions are thus increasingly exposed.
Second, the number of people connected to the Internet is growing, and that growth is international in scope. We are not seeing a corresponding growth in law enforcement personnel and tools to address cyber offenses. Thus, there is little disincentive for any of these many users to keep them from behaving in an unethical or criminal manner.
Third, many organizations are simply writing off the losses and building them into their cost of operations. There are thus reduced (or no) incentives for them to change their behavior or employ better technologies. The losses are also generally hidden from the larger community, and so there is no external pressure, either.
Taken together, we have a situation where the victims are unwilling to invest to improve their security, there is an increasing supply of emboldened attackers, and the direct costs of failure are spread over a larger population thus hiding their magnitude. It is no surprise that the situation is not improving.