- BlogInfoSec.com - https://www.bloginfosec.com -

Do Security Professionals Create Security Breaches?

“ … you’re either part of the solution or you’re part of the problem.”

Eldridge Cleaver, 1968

The explanation for the 1000 point drop and bungee rebound in the Dow Jones on May 6, 2010 has been, and continues to be, the object of much scrutiny. Many explanations and combinations thereof have been put forward. Perhaps the most interesting, and in some senses the most disturbing, is the article “Did a Big Bet Help Trigger ‘Black Swan’ Stock Swoon?” reported by Scott Patterson in the May 11 issue of The Wall Street Journal … and yes, Jacob Bunge did contribute to this article also.

As you may recall, I have long touted Nassim Nicholas Taleb’s book, The Black Swan, in which he warns about our lack of anticipation of low-probability but high-impact adverse events. Well, according to the WSJ article, Universa Investments LP, a hedge fund with Mr. Taleb as an adviser, might have been instrumental in the huge stock market price decline by exacerbating an already-falling market through placing huge bets that the market would tumble further. Apparently this action might have triggered a series of events leading to the “flash crash,” notwithstanding issues that arose in regard to how the various marketplaces invoked (or didn’t invoke) circuit breakers.

The above issues raise an interesting question in regard to cause and effect for information security professionals. The question relates to the degree to which we might actually be creating problems rather than reducing them. There is a frequent refrain by management, which is based on actual experience (mine included), about there not being a need to spend so much on security since nothing bad has happened. The converse to that is the statement that we only started being attacked after we had installed firewalls, since we could then observe a continuous series of attempts to break into the systems.

Of course, this is faulty reasoning … yet there is a modicum of truth to it. It is not that security professionals cause break-ins, but there is little doubt in my mind that, by raising the bar, we are cultivating smarter, more sophisticated and more effective forms of attack. Much as the excessive and inappropriate use of antibiotics often results in more virulent drug-resistant microbes, so we are seeing the growth of highly professional, technically brilliant attackers against systems that have been well protected against earlier malware.

So, you might be thinking, are you suggesting that we back off the escalating security arms race and give the bad guys free rein? Clearly that makes no sense. In fact, what we try to do is to get ahead of the attackers, which to date has been a discouraging effort, to say the least. It is human nature to step up to such challenges. But we should do it in ways that make sense and have some chance of success. The U.S. government and its agencies are looking for “game-changing” technologies to beat the criminals and terrorists, but my response to that is that the bad guys don’t play by the rules anyway, so why change the game? They’ll only break the rules again.

No, the answer isn’t fully a technical one. Humans are very good at getting around or subverting preventative technologies, if not directly then through social engineering and threats of physical harm (most movies on the topic favor the latter for its visual entertainment value). So we really have to address the human and social factors. Avoidance and deterrence remain when preventative approaches have been exhausted. We must cajole or pressure individuals to behave in a manner that protects and preserves information assets. And we must limit exposure of such assets to potential damage and compromise.

I wrote about the human role and its impact on security in the chapter, “An Adaptive Threat-Vulnerability Model and the Economics of Protection,” in the book Social and Human Elements of Information Security: Emerging Trends and Countermeasures, edited by Manish Gupta and Raj Sharman (IGI Global, 2008).

It is likely that, when the post mortem of the May 6 dive in the Dow Jones is eventually completed, we will discover that human elements were just as great contributors as were technology and processes. It will also become more apparent that computer systems multiplied human activities by orders of magnitude, thereby greatly exacerbating their impact for good and for evil. Many were part of the problem … and few, if any, were part of the solution. Whether an effective solution can be implemented remains to be seen.