It used to be difficult to discuss security within an organisation, terms like Phishing needed explanation, Denial of Service was when the local garage couldn’t change the oil in your car, and forget about Botnets. However over the years, and at an accelerated pace it has become easier for us security professionals to communicate types of risks and vulnerabilities – why? Because they are now part of our everyday lives, and when they become normal they don’t require explaining, they are familiar.
We all consume services that often today carry the same fundamental weaknesses as they did ten years ago. Can an attacker steal your password today? Yes. Can an adversary take down your preferred social channel? More than likely.
Agreed that improvements have been made, security has been bolstered to attempt to make successful attacks that much more difficult, but let’s not forget the opposition, those hackers, hacktivists, state sponsored military led attackers have also matured in leaps and bounds. The progression on both sides almost equal each other out. Good against bad, right against wrong, it’s a stalemate position right now and there doesn’t seem to be an end in sight.
“So Nick, what are the options, what do you suggest?”. One thing is for sure, we cannot stop, we must collectively continue to invest in all areas of security, to improve on what we have today and protect against what we sense may be the attacks of tomorrow; to do anything else would be almost negligent. But what we really need is a change to break this cycle. The hamster wheel will always spin when there is a hamster running on it.
Can we rely on technology when technologies can always be broken, after all if a human put it together, a human can pull it apart. As an example, there are a lot of companies in the security world hedging their bets on Blockchain as a silver bullet to some of our security problems, with practical uses being debated in R&D labs. Fighting technology with technology – is that what we are doing?
However, I do believe that we are closer to solving some of the problems we face such as Phishing. Changes to how we manage ‘identity’ and ‘access’, getting rid of passwords where possible, that ball is already rolling and gathering speed. But that’s just one example and there are many others where the ball isn’t rolling, it’s as good as stuck.
Once again it all comes back to people, to be vigilant, to understand the risks, to remain informed, to be responsible, to identify when something isn’t quite right. And until there is a breakthrough in the fundamental way we technically protect, such as a re-engineering or security overlay to the Internet, new attacks will be born and gifted a name, which at first will require explanation until they are simply weaved into the fabric of our everyday lives.