Digg this story   Add to del.icio.us   (page 1 of 3 ) next 
Security still underfunded
Kelly Martin, 2005-08-03

Blackhat is one of my favorite places to do some casual online banking over an insecure WiFi connection. Where's the risk, right? All joking aside, Blackhat is in fact a great place to do some deep thought on the current state of the security industry.

Yes, the industry has grown a great deal and many things are now big. There's big money and big players, but most of all there are still big vulnerabilities and exploits -- some of which easily dwarf the immense amount of time and effort that is being used to combat them. Are we making any progress at all? I'm not so sure.

It's money that matters

Many of the Blackhat presenters work as researchers for small, independent security companies. As more and more money pours into the industry, smaller companies get bought by larger players. During any buyout, individuals are enticed to remain with the company using financial incentives -- which works to some extent. Despite all this, research into new vulnerabilities and attack vectors continue, individuals leave organizations and move on.

Sometimes, the more profound research presented at Blackhat has quite the opposite effect than it should have. Case in point: Michael Lynn and his now-famous Cisco IOS presentation, given to an eager audience in a Blackhat presentation room that was barely half-full. I enjoyed his demonstration. But let's see... what is the best approach to thwart the work of a security researcher: threaten him with lawsuits to keep him quiet, or offer him a job and large sums of money to have him on your side and improve your company's product offering and security?

Big risks

Companies and governments secure their networks because they have massive financial resources, intellectual property and assets that need protection. Security for most companies, particularly the Fortune 100, does not exist in a vacuum -- most do something other than make hardware or software for their customers. Spending on security is up dramatically over where it was five years ago, but it's still much lower than it needs to be. Why? Because we're losing the battle.

I have always enjoyed the analogy of the guy who owns an expensive car like a Porsche, yet keeps it secure in a garage with a door lock that's barely worth $100. If the threat of the lock being broken so the car gets towed away in the middle of the night is high enough, how much should he spend on a lock? A thousand dollars? Ten thousand?

Story continued on Page 2 



Kelly Martin has been working with networks and security since 1986, and he's editor for SecurityFocus, Symantec's online magazine.
    Digg this story   Add to del.icio.us   (page 1 of 3 ) next 
Comments Mode:
Rooting the Fortune 100 2005-08-04
Anonymous
Security still underfunded 2005-08-04
Anonymous (1 replies)
Re: Security still underfunded 2005-08-09
Anonymous
Security still underfunded 2005-08-04
Don Parker (1 replies)
Re: Security still underfunded 2005-08-05
Alexey Vesnin
Security still underfunded 2005-08-05
Todd Knarr (1 replies)
Re: Security still underfunded 2005-08-11
SctySpc
Security still underfunded 2005-08-09
Trustifier
Security still underfunded 2005-08-09
NDA_Compromised
Security still underfunded 2005-08-11
Anonymous


 

Privacy Statement
Copyright 2010, SecurityFocus