Bruce Schneier: Web Attackers Are Trouncing Defenders

Cyber defenders are currently fighting a losing battle against hackers and government agencies, according to security expert Bruce Schneier.

Speaking in London on Thursday, the security guru said that with cyber criminals' attacks increasing in sophistication all the time, incidents like the Target credit card theft will only become more common.

"Security is a battle of attack versus defence and right now on the internet attack is much easier than defence," he said at the Good Exchange event, attended by V3.

Schneier pointed to advanced persistent threats (APT) as an area where organisations are woefully ill-prepared to prevent attacks.

"We are not winning against APTs," he warned. "We are terrible at defending against them."

Schneier said those launching APTs are usually highly skilled and determined, adding that there is often little companies can do to stop them.

"An APT is a different sort of animal. In the security industry it's often about relative security. If your security is better than those around you the criminal will target your rival that is less secure," he said.

"Against an APT, though, that's not true so security has to be absolute. What matters is not if you are better than them [another company] but if you are better than the attacker."

Further exacerbating the security threats facing companies are market trends that are taking more control away from IT teams as both data and devices are outsourced.

"It used to be that our data was in our computers and that was it. Now our email is in one hoster, our photos in another, our documents in another. Sometimes this is one company, like Google, or Apple or Microsoft, or maybe half a dozen, but it's in third-party hands," Schneier explained.

"Meanwhile we are losing control of devices. It used to be we bought computers that we controlled absolutely. Now the vendor maintains the control, it controls what software updates are available and what you can download.

"There is no iPhone software on my iPhone that Apple didn't already approve."

Schneier offered some advice to organisations on how to minimise the threats they face, saying they should focus on two areas: trust and resilience.

"You have to be able to figure out how to trust all of your hardware and software vendors. They cannot technically provide you with that, but you have to figure out who you know, who you trust; which governments, which corporations, which regulatory environment," he said.

"In this world of attack versus defence you have to think about resilience. Resilience if there is a bug in the products you use, if the legal landscape changes, if you are attacked and need to recover."

Schneier added that resilience in the providers you use was also crucial, citing the recent closure of TrueCrypt as a warning that security vendors can go under and leave their users exposed.

Categories: Articles, Text

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.