Criminal Hackers Gaining Advantage
But protection remains a hard sell with many companies, says security expert
By David Finlayson
November 6, 2007
EDMONTON - Technology's becoming so fast and complex it's outstripping our ability to keep out hackers and criminals, computer security guru Bruce Schneier said Monday.
"Complexity is the worst enemy of security," Schneier told the Canadian Information Processing Society (CIPS) conference Monday. "It's getting worse faster than security is getting better, and we have no idea how to fix this."
The hacker hobbyists of 10 years ago have been replaced by sophisticated criminals who can get into your computer or server without you knowing about it, said Schneier, whose latest book is Beyond Fear: Thinking Sensibly About Security in an Uncertain World.
They can send a worm into your system just to assess your vulnerability to an attack. Schneier came across one worm recently that was so sophisticated it couldn't be taken down.
"All you can do is find the people responsible and close it down manually."
It doesn't matter how many forms of authentication you use, they can get in, as illustrated by the number of credit card numbers being stolen, he said.
Attempts to solve the problem have come up with only "crummy" solutions so far. They can protect you from the bad guys or protect the bad guys from you, but they can't do both, he said.
Yet Internet security continues to be a hard sell because companies often wrongly assess the risk, Schneier said. It's difficult to put a price on it so they make tradeoffs, and security failures occur when they get the tradeoffs wrong.
It's also more difficult to assess the value of today's IT security products, Schneier said.
Ten years ago there were four or five in the market; now there are dozens, and price is no indication of quality, he said. "IT is spending a lot of money that's not improving security."
Some of the biggest improvements have come from government regulations forcing companies to make more disclosures to their customers, and make their data safer, Schneier said.
Credit card and ATM security improved in the U.S. when the onus was put on the companies to be responsible for money lost through fraud. In the U.K., the courts ruled customers had to prove they were not at fault, and so security did not improve. The U.K. has since reversed that stand.
"This is going to be a much bigger trend in future years as governments get more involved."
Photo of Bruce Schneier by Per Ervland.