At this year’s Infosecurity Europe I had the great honour of being inducted into the Infosecurity Europe Hall of Fame, joining such giants as Whitfield Diffie, Phil Zimmerman, Howard Schmidt, and other industry luminaries. Events like this encourage reflection; they make you contemplate your career and the state of the industry.
One of the obvious questions when reflecting is, ‘What are the biggest unsolved security challenges, now and for the future?’ It is hard to boil it down to a single problem, especially considering how many issues come from repeatedly making the same mistakes over and over, but there are some which have to be on the shortlist. The easy answer is ‘people’, but that’s not really helpful. I think there are more informative answers.
What, then, is the biggest challenge we face now? There are so many contenders: lack of timely and meaningful information sharing; increasing attacker skills; a lack of resources; and, of course, the skills shortage. Note that I use the phrase ‘skills shortage’ rather than ‘talent shortage’. There are a lot of talented people with tech and security experience who need work, but they lack the currently in-demand skills.
If I have to pick a single greatest unsolved security challenge, I’ll go with one almost as broad as ‘people’, and that is ‘usability’. Users avoid or bypass systems which get in their way, and don’t use security tools that are hard to use. Administrators misconfigure systems which aren’t easy to configure properly, and they ignore systems which are frustrating to update. Security pros struggle with tools and systems which are difficult or tedious to use, wasting precious time and effort.
This is an old problem. The 1970 Ware Report told us: “User convenience is an important aspect of achieving security control because it determines whether or not users tend to find ways to get around, ignore, or subvert controls.” Almost 50 years later we still struggle to make it easy to do the right thing.
One of my recent frustrations is websites that don’t allow copy and paste in form and login fields to ‘enhance security’, meanwhile defeating password managers and encouraging people to use simpler passwords. There are too many examples to list. I’m sure you can immediately think of several frustrations you’ve seen and battled in your career.
One of the biggest challenges I see looming in the near future is also an old one which is getting worse: the challenge of unmanaged devices. It isn’t a new problem, but between ad-hoc cloud and virtual instances, mobile devices, and the looming explosion of internet of things devices connected to our networks and the internet, I fear that we will have an even harder time keeping up with what’s in our environments and keeping everything secure.
Two of the growing challenges of unmanaged devices are their use in botnets and for DDoS amplification attacks. We struggle to keep our managed systems free of infection and properly configured, but unmanaged systems are left to fend for themselves and rarely are capable of it. In the case of DDoS amplification attacks we’ve seen a dramatic reduction in the amount of reflected DNS and NTP traffic, but those are systems generally managed by professionals so when the problems became obvious there were people to resolve them.
In the case of consumer equipment and IoT devices, no one is managing Universal Plug-and-Play (UPnP). As a result we are seeing growing use of SSDP (UPnP’s discovery protocol) for reflection attacks and no one is addressing it. The long term fix is for manufacturers to consider security in the design and deployment of IoT, but I do not expect much progress there. I believe we will be left with monitoring and filtering traffic to control the unintended consequences of an explosion of unmanaged devices in the wild.
In spite of the challenges, we do have the attention of the world and we have an opportunity to improve awareness and security. We need to seize the opportunities when we see them or the same challenges will still haunt us in coming decades.
For those new to security, do not be discouraged by these challenges. If you use lessons from the past as a foundation for advancing your career, not as an anchor for preventing progress, you will help us all move forward.