Published: 01 Sep 2004
George Santayana's warning, "Those who cannot remember the past are condemned to repeat it," is constantly played out by infosecurity professionals, especially in the unfortunate repetitions of easily prevented security failures and wasteful overreactions to threats.
Security practitioners who lack a firm foundation in the profession's history will continue to retard infosecurity's growth as a mature discipline. Measuring risk and generating enterprise security best practices are impossible without applying historical experience. Case in point: the general lack of skepticism about "hostile Web sites." This summer's warnings about vulnerabilities in Internet Explorer had a familiar ring to them, and for good reason--we've had multiple, similar warnings for more than a decade, ever since Java was mistakenly characterized as a significant danger to the Internet. Security pros with a grounding in history won't squander resources on such low-risk threats. They know HTTP is an insignificant source of malware compared to e-mail, file sharing and Usenet. Perspective provides the insight that malware creators don't use Web sites to deliver attacks. Browser vulnerabilities are much less urgent than the media and vendors would like us to believe.
Intrusion prevention, another fad, is enticing practitioners with the promise of real-time automated detection and response to threats and attacks. Yet, a quarter century of hard work hasn't produced an attack detection technology that can be effectively implemented by a large number of organizations. Those hoping to implement IPS are going to be much better prepared for the challenge if they are aware that hundreds of doctoral candidates and tens of thousands of organizations have failed in their attempts to solve this particular problem. History becomes the benchmark for realistic expectations.
Software risk reduction is another example. Thirty years of formal penetration testing has demonstrated that it's a reliable way of identifying vulnerabilities. What history hasn't demonstrated is that the penetrate-and-patch paradigm is a cost-effective approach to risk reduction. To the contrary, for at least 15 years, research projects have concluded that the most reliable way to reduce vulnerabilities is through better software design, infrastructure architecture and implementation practices. The lesson: The earlier security is included in the software development process, the better the risk reduction.
Our inattention to history has caused us to emphasize basic security goals that aren't aligned with business goals. Corporations have traditionally emphasized data authenticity and availability. Perversely, digital security technology has consistently emphasized confidentiality instead of integrity and nonrepudiation. A reasonable explanation is that our profession continues to be influenced by the military and its need for secrecy. The emphasis on confidentiality has left us ill-prepared for today's common threats: phishing, spam and worms. Knowledge of business history provides a clear understanding of our purpose, and knowledge of infosecurity history explains why we aren't on track.
History is the breeding ground of best practices. Our predecessors went to great expense to provide us with the foundation tools, knowledge and experience. Studying their trials and errors can only make us better.
About the author:
Jay G. Heiser is a London-based security analyst with TruSecure Corp.