[ISN] The Complete, Unquestionable, And Total Failure of Information Security.

From: InfoSec News (isn@private)
Date: Thu May 11 2006 - 02:23:28 PDT


by Noam Eppel
Vivica Information Security Inc.
May 8th, 2006

Boiling Frog Syndrome

They say if you drop a frog in a pot of boiling water, it will, of
course, frantically try to scramble out. But if you place it gently in
a pot of tepid water and turn the heat on low, it will float there
quite complacently. As you turn up the heat, the frog will sink into a
tranquil stupor and before long, with a smile on its face, it will
unresistingly allow itself to be boiled to death. The security
industry is much like that frog: completely and uncontrollably in
disarray, yet we tolerate it because we have grown used to it.

It is time to admit what many security professionals already know: We
as security professionals are drastically failing ourselves, our
community and the people we are meant to protect. Too many of our
security layers of defense are broken. Security professionals are
enjoying a surge in business and growing salaries and that is why we
tolerate the dismal situation we are facing. Yet it is our mandate,
first and foremost, to protect.

The ramifications of our failure are immense. The success of the
Internet and the global economy relies on trust and security. Billions
of dollars of ecommerce opportunities are being lost due to inadequate
security. A recent survey of U.S. adults revealed that three times the
number of respondents believed they were more likely to be victimized
in an online attack than in a physical crime. A recent Gartner survey
indicated that 14% of those who had banked online had stopped
because of security concerns, and 30% had altered their usage. People
are simply losing trust in the Internet.

The security community is not just failing in one specific way; it is
failing across multiple categories. It is being out-innovated.

It is losing the digital battle over cyberspace.

Failing? Says Who?

Today we have fourth and fifth generation firewalls, behavior-based
anti-malware software, host and network intrusion detection systems,
intrusion prevention systems, one-time password tokens, automatic
vulnerability scanners, personal firewalls, etc., all working to keep
us secure. Is this keeping us secure? According to USA Today, 2005 was
the worst year ever for security breaches of computer systems. The US
Treasury Department's Office of Technical Assistance estimates
cybercrime proceeds in 2004 were $105 billion, greater than those of
illegal drug sales. According to the recently released 2005 FBI/CSI
Computer Crime and Security Survey, nearly nine out of 10 U.S.
businesses suffered from a computer virus, spyware or other online
attack in 2004 or 2005 despite widespread use of security software.
According to the FBI, every day 27,000 people have their identities stolen.
And companies like IBM are putting out warning calls about more
targeted, more sophisticated and more damaging attacks in 2006.

Something is seriously wrong.

One only has to open a newspaper and view current headlines
documenting the almost constant loss of personal and financial data
due to carelessness and hacking. It isn't just careless individuals
that are leaking confidential information; it is large, multinational
corporations with smart, capable I.T. departments, dedicated
security professionals and huge security budgets.

This archive was generated by hypermail 2.1.3 : Thu May 11 2006 - 02:40:11 PDT