Security State of the Union - Status quo
I'm taking today to catch up on some blogging that has been lagging, so let me take on the meme about whether security is getting better. Are we winning or losing the battle? What does the future hold?
Bruce Schneier starts the discussion (here) in his usual fashion, thought provoking and irreverent. Bruce makes some good points and I agree with most of them. Clearly the economic motives have changed for hacking, I've only said that a million times. The environment is much more complicated now and only getting more so, so we aren't going to get any relief from new stuff. SOA and web-services, virtualization, and fat browsers are all going to complicate life and make things less secure - that's a fact.
But I think trying to address the economic levers is a fool's errand. You are trying to change human nature and overhaul behavior, undermining free markets. That's not a good strategy. So I don't think we'll make much progress in stopping crime or making it less lucrative. I'm pretty sure folks have been trying to do that for as long as there's been crime.
Jerri Ledford (here) and Alan Shimel (here) also weigh in on the discussion, Jerri getting into line with Bruce and Shimel picking apart some points, being the optimist that he is. Yes, there are some aspects of life that are better. Patching is smoother (at least from Microsoft) and security is closer to the top of mind, though that's in danger of changing if we don't start delivering demonstrable results. We also see fewer DDoS attacks, but that's because there isn't much money in it.
So what do we have to look forward to? I'll say pretty much the status quo. Since the beginning of time, you've always had a couple of different types of users.
- The Enlightened - These folks aren't necessarily the early adopters, but they are the real adopters. They do stuff that makes sense and for the most part are protected. They can react quickly when something happens, and when you talk to them - you know they know. These folks will handle the coming complexity just like everything else, thoughtfully and effectively. This is maybe 5% of the population.
- The Lucky - These are the folks that you sit with and they think they have all the answers. They buy the product du jour from the vendor du jour, and when you challenge them, they push back in a huff of righteousness: "well, we haven't been hit, so we are cool." To be clear, they are lucky, not good. There is a big difference. This is at least 40% of the companies out there. Before long, they'll become the next type of user...
- The Compromised - These folks have religion because they were tossed out of the car at a high rate of speed. They've had a problem and then they've thrown money at it. I could also have called these folks the "unlucky." Most of the stuff they've bought has been useless so 6-8 months after the issue (and after the hangover from their spending orgy subsides) they have a feel for what they are doing. Most find the path to enlightenment. Some revert back to being lucky. At any given time, this is about 15% of the users out there.
- The Ostriches - These folks play Russian Roulette every day. They don't do much because either they can't get the funding or they are just plain stupid. They keep their head in the sand and hope that when something happens, they don't get caught holding the bag. This is the remaining 40% out there and sooner or later they'll get compromised and then either transition to being lucky or enlightened.
Great, now we get my arbitrary categorization of users, but who cares? Well, as we see things continue to evolve and become more complicated with more attack vectors across more attack surfaces, you'll see the same characteristics emerge. The enlightened will be fine (and guys like me will learn from them every day), most of the lucky will remain lucky until they are not, and the ostriches will keep their head in the sand until they can't.
It's the newly Compromised that are most at risk. It's going to be a lot harder to close all of the exposures once you have an issue. Virtualization is going to make stuff harder and the mix of operating systems having to be dealt with over the next 3-5 years isn't going to help either. So once the mandate comes down not to get nailed again, these folks are going to have to spend more and spend it smarter to even have a chance. And most won't even know where to start.
Of course, I'd like everyone to be enlightened. To implement layered security. To train their employees on security best practices. To treat infrastructure security differently than data security. To think before they spend. To have a plan (and practice) what to do in the event of a situation. To learn how to tell the story of security in business terms.
But I'm not naive. I know that human behavior will prevail, and that leaves plenty of opportunity for guys like me to prosper for a long time to come.