Resignation And Retreat

Security Notes

When we detect air pollution, is the treatment of asthma our first line of defense? When our water supply is contaminated, is it our best answer to boil our water? It is difficult to keep our air and water clean, but that’s our strategic aim, meeting the threat at the place of origination. And as we move further into cyberspace, we can add data to the list, and insist on “Clean Air, Clean Water, Clean Data!”

Unfortunately the psychological impact of the Target breach, and later that of Home Depot, have bred a sense of resignation.

Check the business data. Who is growing? The answer: The aftermath industry, also known as credit monitoring. The message: your payment card is in the hands of the hackers, that’s a given. They will use it when they get around to it, and when they do, we will let you know. And the public signs up. The credit-monitoring industry was established to help banks manage the risk of credit extension, but quite recently this huge industry has turned to fraud-detection services—detection, not prevention!

See, for example, the new collaboration between Experian and BillGuard. BillGuard signs up customers who want to be alerted to suspicious line items on their monthly credit card statement. Their statistics on how many bad charges are out there are utterly alarming.

The TV newsmagazine “60 Minutes” recently aired a segment that should have created a public firestorm. In it, financial executives expressed, matter-of-factly, their attitude of resignation to the wave of fraud and theft they expected during the holiday season. The percentage of U.S. companies that fall prey to hackers was competently stated to be 97%. Stop and think about that: Virtually every business in America has been penetrated. And the public is simply digesting this as a given fact of life.

This reality may explain why Target and Home Depot haven’t suffered as much lost business as you would expect. The consumer reckons that their competitors are probably just as penetrated, as compromised, but not yet in the news for it.

When you find a security hole, the first response is to patch it. But if we stop there, we become a sitting duck for the next attack. We need to ask ourselves what was the security rationale that built the security shield with the hole in it.

Was the hole identified but ignored because tackling it was too expensive and a deadline was looming? Then retrain your management. Or was it because nobody on the security team had the imagination to foresee this hole? Then retrain your security professionals. Taking all the former holes as a group, what lessons can be learned to pre-plug yet uncovered holes?

We need fearless leaders who will name the culprit, whoever it is, and design a campaign broad and deep. In recent years I have noticed two words are trumpeted in every techie speech: innovation and security. The fog of hype is diminishing both.

The National Security Agency, in an official document from 2012 addressing the avalanche of security breaches, stated: “An emerging view is that these problems demonstrate that we do not yet have a good understanding of the fundamental science of security. Instead of fundamental science, most system security work has focused on developing ad hoc defense mechanisms and applying variations of the ‘attack and patch’ strategy that emerged in the earliest days of computer security.” White House sentiments in 2012 were similar.

But in 2014 the winds changed. Typically, when we do attack scenarios with a client, the most damaging scenarios are excluded without any justification except for the cost and effort to defend against them. After testing his helmet by swinging his sword, Don Quixote decided to patch the helmet, but was careful not to test it again, because it was too difficult to put it back together.

Alas, the more we retreat, the bolder and the more brazen the attackers become. Think of what havoc will spread throughout the land if a sufficient number of banks and merchants are simultaneously compromised. For so many of our enemies, this scenario is their only way to hit us hard. You bet they are going for it, and it may be that Target, Home Depot, JPMorgan, and Citibank are just our adversaries’ proving grounds.

Let 2015 be the year with a modern-day J. Robert Oppenheimer, and a modern-day Manhattan Project, to defeat this determined enemy.

Gideon Samid • Gideon@BitMint.com