I came across an article my colleague Stephen Kent and I wrote in 2003, The Sad and Deplorable State of Internet Security, and was struck once again at how little progress we've made on issues we were lamenting over a decade ago.
The issues that most concerned us in 2003 were:
Insecure Architectures. In 2003, we said that security problems frequently arise due to "time-to-market priorities, inadequate security understanding by product architectures and the (perceived) conflict between ease of use and security."
Lack of User Awareness or complacency. In 2003, we said "Many non-technical users are entirely unaware that their systems are easily exploited and their sensitive data are left vulnerable..."
Persistently lame authentication. In 2003, we described password authentication as "fundamentally flawed".
Poor Software Engineering and Sloppy Management. We lamented the slow or non-existent adoption of secure coding practice and a persistent inability to rigorously and securely configure software and computers.
Have we shown substantive progress in mitigating any of these issues? I think we can say "some progress" in some areas; for example, we do see more adoption of two-factor authentication. This success is arguably a derivative benefit of mobility: more users have a device that can host a second-factor method, but I'll take a win. We can also claim progress in user awareness. Consumer-focused projects like STOP.THINK.CONNECT. have global reach and impact. SANS' Secure the Human project is spot on, and I'm encouraged by the number and variety of organizations that are participating.
But we remain mired in a security mentality that masks rather than mitigates architectural, software or hardware shortcomings with "protection" software. We are on the verge of adopting an Internet of Things, and I see little evidence that we won't rush to market with what's available and cheap rather than what is innovative and developed with secure practices.
We are still locked in a "what will sell" mindset. Given the potentially globally disruptive effect that the Internet of Things suggests, isn't it time we think "what will serve, securely"?
You can read the full text of the article in the frame below, or download Sad and Deplorable State of Internet Security (pdf).