Monday, July 25, 2011

Attacking Trends

Thanks to an energy infrastructure-focused former Navy officer (but not Mike Assante) for distributing a link to this article over the weekend. That's the way security folks are btw. The weeks often blend seamlessly into and through the weekends. And it's neither good nor bad that they do. It's just the way it is. And it's the way they are.

You'll find this piece to be part history review, part current situation update, and finally prognostication about where cyber attack trend lines are pointing. Overall, there's a lot to like in this Freakonomics article, but here are the two paragraphs that stood out the most for me.

The first comes from cyber security pundit and blogger Bruce Schneier. To the question of whether things are actually getting rougher out there or just seem that way, he concludes:
It’s not that things are getting worse; it’s that things were always this bad. To a lot of security professionals, the value of some of these groups is to graphically illustrate what we’ve been saying for years: organizations need to beef up their security against a wide variety of threats. But the recent news epidemic also illustrates how safe the Internet is. Because news articles are the only contact most of us have had with any of these attacks.
I like that last line of course. And then there's this from security researcher Tal Be’ery of security product company Imperva, who paces us quickly through the evolution of cyberspace and the increasing value of what we (and the bad ones) can find there:
Here’s where we reach a critical problem: companies are poised for the old cyber security model which was designed to keep the bad guys out. However, the same convenience that allowed individuals to access data from their living rooms meant hackers could too, say from a Starbucks, or a dorm room or Timbuktu. The old paradigm—keep them out—stopped working. Protecting the network, while still important, became secondary to protecting data. Few have recognized this evolution—except hackers. Today, of the $16 billion spent on security [cross sector], less than 10% goes to data protection.
I'd add application security to data security to cover not just the target, but the new primary attack vector. Network and system security, as the saying goes, are necessary, but these days, far from sufficient. 

You can read the full article HERE, and I recommend you do. There's a lot more to it.
