Information Security - The Vicious Cycle

The Security Industry

Let's take a moment to reflect on the Industry that has been created around Information Security.

Growing threats continue to plague our digital existence:

In response to these threats, we have a number of different solutions available.

After all these different products, services, and regulations, where are we?

* Automotive:

* Financial Services:

* Healthcare payers and providers:

* Power and Utilities:

Incidents detected by power and utilities respondents skyrocketed in 2014, with compromises attributed to sophisticated adversaries like foreign nation-states and organized crime showing the highest year-over-year growth. Attrition in critical strategies, processes, and personnel skills, as well as erosion in fundamental cybersecurity initiatives, may further intensify risks.

* Retail and Consumer:

Respondents detected 19% more security incidents in 2014, including several very high-profile retail data compromises. Despite the publicity, information security budgets declined over 2013. We also found shortcomings in data governance, increasing threats from third parties and insiders, and a lagging commitment to key strategic security practices.

The list continues to grow:

* Technology:

Major open-source technologies that make up the fabric of the internet have been drawn into the limelight as Security Vulnerabilities started taking on named personifications:

Further, you need only look to Packet Storm Security to see the long list of vulnerabilities found in major software products, including those Security Solutions designed to protect against security attacks.

Misplaced Spending

Lenny Zeltser did a great job of summing up the worrisome state of the Information Security Industry.

Conflicting Priorities

The Security Industry has become imbalanced and lost in its own maelstrom of self-perpetuation and justification.

It has become apparent that this approach is an unwinnable game of whack-a-mole.

Trends toward tighter deadlines, continuous integration, faster deployments, more data mining, and fewer obstacles for users to click through are in competition with priorities meant to ensure stability, provide security, and enable accountability, all of which slow down the machine.

Investments gravitate toward "turn-key" solutions and contractual services that can serve to check a box, or plug a hole.

Breach remediation may even take a turn toward being counted as the cost of doing business.

Worldwide Security and Vulnerability Management has been valued at an estimated $5.7 billion market.

Researchers flock to penetration testing and vulnerability discovery, where the notoriety and money are. The payout from Pwn2Own recently topped $440,000.00 for 21 critical bugs found in all major web browsers.

Bug bounty programs are seemingly everywhere.

Yet, where are the competitions for designing fault tolerant software and products in the first place? We have gladiator-like events encouraging the brightest minds in the field to break software.

Where are the contests and incentives encouraging these same bright minds in the industry to build fortified software that the world can benefit from?

Sure, you can break it... but can you build it!?

The real investment we need is quality: higher quality products, higher quality behaviors, processes, and procedures. These are things that can be difficult for businesses to justify when the clock is ticking and time is working against them.

Just as TProphet has recently suggested, it's time to do Infosec differently. The serious conversations need to start now.

Whether you manufacture firewalls or automobiles, no vendor is immune to the bad habits and mistakes that are at the core of these security holes.

SuperNova of the Internet of Things

The next revolution is before us. It presents a distinct opportunity for major evolution, or catastrophic failure in our existing fragile infrastructure.

So much of the complexity of the world around us is hidden from view. Many everyday devices and services rely on the obscurity of their design to protect against tampering.

We've already begun interconnecting these devices, and it hasn't taken long to discover the magnitude of the potential for disaster.

These flaws stem from the imperfection of human nature, and combating them will require a change in behavior that breaks the cycle; continuing to try to thwart these vulnerabilities with more products will only serve to make the attack surface larger.

We need to strive for better harmony between builders and breakers; security literally hangs in the balance.