Friday, November 16, 2007

Protecting Against Yesterday's Threats

Over at Bruce Schneier's blog there's a reference to a paper that includes the criticism of security efforts that "Most 'security' efforts are designed to stop yesterday's attacks but fail completely to stop tomorrow's attacks and are of no use in building invulnerable software. These efforts are a distraction from work that does have long-term value." While I understand the frustration the author of the paper must feel from dealing with the aftermath of new attacks which are not prevented by backward looking technology, I think the criticism is misplaced. The systems which are the most vulnerable are not the ones which will be compromised by an innovative new hack - they're the ones that can be compromised using hacks that have been known for years. Case in point: TJX, where the largest data breach in history took place because of TJX's use of Wired Equivalent Privacy which was known to have been compromised years before the breach (article here). If TJX had protected against yesterday's threats, the individuals who hacked it might have moved on to try and find a softer target, rather than trying to develop some innovative new attack technique to get through at TJX.

From a legal perspective, focusing on the threats of the past also makes sense. In many cases, liability will swing on whether some harm was foreseeable or whether an actor exercised reasonable care. In a court case, it's much harder to argue that a risk of a data breach wasn't foreseeable, or your care was reasonable, if you hadn't even protected against yesterday's (i.e., known) threats. This isn't to say that it isn't also important to try and head off threats before they materialize by using good security practices. However, it's important not to let the perfect be the enemy of the good, or to let the value of learning from the past be overlooked.

No comments: