April 17, 2007

Our security sucks. Why can't we change? What's wrong with us?

Adam over at EC joined the fight against the disaster known as Internet Security and decided Choicepoint was his wagon. Mine was phishing, before it got boring.

What is interesting is that Adam has now taken on the meta-question of why we didn't do a better job. Readers here will sympathise. Read his essay about how the need for change is painful, both directly and broadly:

At a human level, change involves loss and the new. When we lose something, we go through a process, which often includes shock, anger, denial, bargaining and acceptance. The new often involves questions of trying to understand the new, understanding how we fit into it, if our skills and habits will adapt well or poorly, and if we will profit or lose from it.

Adam closes with a plea for help on disclosure:

I'm trying to draw out all of the reasons why people are opposed to change in disclosure habits, so we can overcome them.

I am not exactly opposed, but curious, as I see the issues differently. So, deferring for a moment any comment on the essay itself, here are a few comments on disclosure.

  1. Disclosure is something that is very hard to isolate. SB1386 (California's breach notification law) was a big win, but it only covered the easy territory: you, bad company, know the victim's name, so tell them.
  2. Disclosure today doesn't cover what we might call secondary disclosure, which is what Adam is looking for. As discussed by Schechter and Smith, and in my Market for Silver Bullets:

    Schechter & Smith use an approach of modelling risks and rewards from the attacker's point of view which further supports the utility of sharing information by victims:

    Sharing of information is also key to keeping marginal risk high. If the body of knowledge of each member of the defense grows with the number of targets attacked, so will the marginal risk of attack. If organizations do not share information, the body of knowledge of each one will be constant and will not affect marginal risk. Stuart E. Schechter and Michael D. Smith "How Much Security is Enough to Stop a Thief?", Financial Cryptography 2003 LNCS Springer-Verlag.

    Yet, to share raises costs for the sharer, and the benefits are not accrued to the sharer. This is a prisoner's dilemma for security, in that there may well be a higher payoff if all victims share their experiences, yet those that keep mum will benefit and not lose more from sharing. As all potential sharers are joined in an equilibrium of secrecy, little sharing of security information is seen, and this is rational. We return to this equilibrium later.

  3. Disclosure implies the company knows what happens. What if they don't?
  4. Disclosure assumes that the company will honestly report the full story. History says they won't.
  5. Disclosure of the full story is only ... part of the story. "We lost a laptop." So what? "Don't do that again..." is hardly a satisfactory, holistic or systemic response to the situation.

    (OK, so some explanation. At what point do we forget the nonsense touted in the press and move on to a real solution, one where the lost data doesn't mean a compromise? In other words, "we were given the task of securing all retail transactions......")

So, while I think that there is a lot to be said about disclosure, I think it is also a limited story. I personally prefer some critical thought -- if I can propose half a dozen solutions to some poor schmuck company's problems, why can't they?

And it is to that issue that Adam's essay really speaks. Why can't we change? What's wrong with us?

Posted by iang at April 17, 2007 03:42 PM
Comments

as i've periodically mentioned before, we were brought in to help wordsmith the cal (state) digital signature legislation ... and then later the federal legislation
http://www.garlic.com/~lynn/subpubkey.html#signature

as part of that activity we were exposed to some of the disclosure/notification legislation work going on ... both with regard to the use of personal information as well as security breaches and data breaches. a few recent posts in various threads mentioning notification/disclosures
http://www.garlic.com/~lynn/2007f.html#72
http://www.garlic.com/~lynn/2007f.html#75
http://www.garlic.com/~lynn/2007g.html#8

this somewhat subsequently also got us roped into co-authoring the x9.99 financial privacy related standard ... somewhat in support of that activity i had done a merged privacy taxonomy and glossary ... reference here
http://www.garlic.com/~lynn/index.html#glosnote

and for other topic drift, some other recent threads ... much more on the integrity and security side of the topic ... as opposed to the notification/disclosure side of the topic
http://www.garlic.com/~lynn/2007h.html#36
http://www.garlic.com/~lynn/2007h.html#37

and separate part/aspect (which touches slightly more on some of the business issues) in the same thread
http://www.garlic.com/~lynn/2007h.html#27
http://www.garlic.com/~lynn/2007h.html#28
http://www.garlic.com/~lynn/2007h.html#31

Posted by: Lynn Wheeler at April 17, 2007 07:24 PM

I would add one other factor from Brian Chess at last year's OWASP conference. He talked about new companies that have low security risk (they have not accumulated assets yet), but high market risk (they need to build a business). Over time, successful companies accumulate assets and market position, these lines intersect, the company is successful, they have lower risk on market share and they become a bigger security target, and so on. He was talking about startups, but I think the same concept applies in how firms perceive new solutions in general. Since the lines cross over time, this also explains why security always feels like it is playing catch up.

http://1raindrop.typepad.com/1_raindrop/2006/10/brian_chess_on_.html

Posted by: Gunnar at April 18, 2007 09:06 AM

It's not that we're unable to propose solutions, it's that they're hard to compare. My assertion is that once we overcome the desire to hide our errors, we can learn to compare in better ways.

Posted by: Adam at April 18, 2007 04:10 PM

recent article from yesterday

Banks must come clean on ID theft
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2007/04/17/EDGEBOS87H1.DTL&feed=rss.opinion

from above:

Two separate studies recently reached conflicting conclusions: While one found that identity theft is on the rise significantly, the other reported that it is on the decline.

So which is it?

... snip ...

i had made a similar observation a month ago
http://www.garlic.com/~lynn/2007e.html#29 Securing financial transactions a high priority for 2007

also referenced here
http://www.garlic.com/~lynn/2007h.html#48 Securing financial transactions a high priority for 2007

previous post in this thread
http://www.garlic.com/~lynn/aadsm26.htm#57

and my oft repeated reference to old post on security proportional to risk
http://www.garlic.com/~lynn/2001h.html#61

and in some of the existing environments the attackers can possibly outspend the defenders by as much as 100:1
http://www.garlic.com/~lynn/2007f.html#75 Securing financial transactions a high priority for 2007
http://www.garlic.com/~lynn/2007g.html#20 T.J. Maxx data theft worse than first reported

Posted by: Lynn Wheeler at April 18, 2007 08:06 PM

Can't believe they disagree on whether id theft is increasing or decreasing...

Posted by: H. Dameure at April 8, 2008 05:36 PM