With all the bad security news that has come out over the last few months, you might think the sky is falling. Once a story catches people's attention, we start seeing it everywhere, kind of like noticing a lot of blue cars after you just bought a blue car. The problem with all this is that it distorts the conversation and we may fail to notice the really important security lessons that can be learned:
• Not all attacks are equivalent. Lumping Lockheed Martin and Sony in the same sentence does enormous injustice to Lockheed. There's a huge difference between a company that has been the constant target of attacks and has once again thwarted a serious concerted effort to breach its defenses ... and a company that got hacked three or four times in a row because of woefully inadequate attention to security, verging on negligence.
• The sky is not falling. The increase in the perception of attacks does not necessarily reflect an increase in their volume or severity. Better reporting by companies and laws compelling notification have brought to the surface a lot of stuff that used to be hidden.
• The Internet matters more. It is hard to really appreciate just how much the Internet has grown in size, breadth of applications, ubiquitous availability and "entanglement" with our lives in just the last three years. We depend on the Internet much more than before, so we are affected or feel threatened when any part of it is attacked.
• Cybercrime will be with us forever. If a politician promised to eradicate crime in our streets, we would laugh at those naive enough to believe it. Crime is part of all societies and can never be completely eradicated. We make silly distinctions, naming it "cybercrime," as if that means it is truly distinct from "crime." Yet we don't talk about "telephone-criminals" or "auto-criminals." The means do not make the crime. So relax: cybercrime is here to stay, and we have to treat it like a permanent inconvenience and cost of life.
So those are the positive lessons we can learn to dampen the hysteria. We can also learn a bit about security from these attacks, though:
• Architecture matters. Centralized systems create a single point of failure, or in the case of security, a single point of compromise. We have seen this when comparing Skype and RIM BlackBerry, where one is fully distributed and cannot hand over keys even if asked, and the other was pressured by governments to allow eavesdropping. The best way to protect keys is to not store them centrally. The RSA breach is not a story of a company that failed to be secure. It is the story of a company that did not architect for failure and kept customer keys on its own infrastructure.
• Security by obscurity fails. The "secret" algorithm for RSA SecurID is probably no longer "secret." That should have been immaterial, but clearly it was considered a point of strength, not a point of weakness. Honesty in public pronouncements may damage reputation short-term, but hand-waving for the sake of "customer privacy" and in service of shareholder value sets companies up for a bigger fall when the full truth comes out. Full disclosure is how you build trust, and once trust fails the price may be steep.