The current state of security is no surprise

Tell us something we didn't know.  That's what I thought when I read this CW article about the state of security.  My snide comments aside however, I think this is the most articulate explanation for why security isn't getting any better.  And as far as I can tell, it's right on the money.

For starters, security isn't getting any better, no matter how hard companies struggle to improve it and how much budget they sink into it.  All it takes to see that those efforts aren't working is to look at the news on any given day.  It's never more than a few days between announcements of the latest security breach.

All of these efforts don't work because of the changing nature of computer hacking.  As Lemon points out in this article, hackers today are not what they used to be.  Unfortunately, the image of those hackers hasn't evolved with the changes.  For example, when you hear the term hacker, what do you think of?  Most people think of a pasty-faced teenager who spends entirely too much time in front of the computer, or one of the '80s computer geeks who were so popular in the early movies about computer hacking.

In truth, a hacker might be the guy sitting next to you on the train or in the next cubicle in the office.  For that matter, hackers can be well-respected businessmen or thugs who hang out on the corner.  And that's the point.  Hackers are just like the other criminals in today's society: they're hard to distinguish from anyone else, and they're motivated by financial (most frequently) or personal gain.  First-generation hackers were about gaining access.  Today's hackers only care about access insofar as it's needed to gain a financial payoff.

So, according to Bruce Schneier, as quoted in the CW article:

"Look for the economic levers," he said. "If you get the economic levers right, the technology will work. If you get the economics wrong, the technology will never work."

What more can I add?  Schneier has hit the ball right into the corner pocket.  It might even be the missing link in preventing security breaches.  To stop other types of crime, like terrorism and drug trafficking, one of the most used strategies for preventing the spread of the crime is to cut off the financial supply.  Since hacking has become a crime about money, finding a way to stop the money flow will go a long way toward stopping the crime.

How do we do that?  It's got to start with education.  Educating consumers, and the companies those consumers do business with, is a good start, and great strides in education have been made.  But beyond that, there may also need to be a change in behaviors.  Companies will need to change their online marketing tactics, and consumers will have to change their online behaviors.

It's all well and good in theory, but putting it into practice is a much different story.  And it's one that's still being written.

What People Are Saying

The idea of holding software

The idea of holding software producers liable for the failures in their software inevitably misses the fact that the software producers will just roll the extra cost into the software anyway. If you want more secure software, pay for it. The legions of enterprises that use insecure software are a testament to the fact that most companies don't value security enough to pay for it.

Considering that, maybe the pain needs to fall on the companies that keep choosing insecure software.

Education is pretty much

Education is pretty much exhausted as a means of addressing the problem, I think. I am also not really sure it was all that efficient in the first place, as it works as a solution to the result and doesn't really address the source of the problem, I think. And one of the problem sources is that the way security is implemented in software is overly complicated and has a somewhat flat learning curve for those developers interested, if any. Complexity leaves room for errors and that's how you get security bugs. OOP with its "black box" promise can provide an answer there, but I still have to see one in the making.

A separate source, I think, is that there aren't really any case-specific and easily applicable benchmarks by which you'd know if your implementation is secure or not. Hope there's going to be some investment in research there soon, as most security departments I know of are slumped with 'mop-up' type of work...

When are software companies

When are software companies going to be made responsible for selling 'lemons'? If auto makers, medical supply companies, toy companies, etc. are liable for faulty products, why aren't software companies being made liable for their faulty products?

The reason why is because we buy autos, drugs and toys, but we license software. We don't own it, we just use it. Microsoft, et al, own the software and need only answer to themselves. The EULA (End-User License Agreement) says so. Frustrating, but true.

Second, autos, drugs and toys are held mainly to safety standards, not efficacy. For the most part if an auto, drug or toy doesn't hurt or kill, it's OK. Spreadsheets and word processors don't hurt or kill when they break.

Yes, drugs must perform as advertised and autos must follow CAFE, DOT and EPA standards. But all of these grew out of preventing harm to the public by snake-oil salesmen and cars without seatbelts. The first time someone dies from a "Blue Screen of Death" is when you'll see a call for legislation.

I agree with the statement

I agree with the statement made by IDG about liability; however, I think this needs to be very carefully handled, as the terms secure and bug-free have become, in a lot of people's eyes, synonymous, and I believe this is a serious mistake. Also, a lot of the holes and opportunities that hackers exploit are the result of unpatched systems due to user laziness etc. in not patching.

This in no way frees any software company from liability etc. for negligence etc.

However, the flip side is also true. Can you imagine the uproar if MS or anyone else shipped an OS with mandatory patch installations and there was no way to turn it off?

Just a few thoughts on what is an interesting and complex issue.

I think one of the key

I think one of the key points made by IDG and Bruce Schneier about security is, "To improve the security of software, Microsoft Corp. and others should be made liable for selling software that is not secure. 'When you use buggy software and you lose data, that's your loss and not the software company's loss,' Schneier said."

When are software companies going to be made responsible for selling 'lemons'? If auto makers, medical supply companies, toy companies, etc. are liable for faulty products, why aren't software companies being made liable for their faulty products?

Is it a matter of 'who has their hand in whose pockets' or 'society isn't motivated enough to push this issue'?

It's a scary thing, that's for certain.

There will always be

There will always be vulnerabilities in software. There is no way that every possibility can be thought of when building the software.

Just because you have a fence around a building to keep people out, the front desk person still may let someone in who shouldn't be there. Does that mean that the fence company is at fault?

There are several ways to make sure that your data is secure and not lost without just blaming the software for it.