Saturday, 06 November, 2004

Having read Bruce's blog post I have to raise some objection. It's not often that Bruce is wrong, but in this case I believe it to be so.

The key error of Bruce's judgement is that he fails to understand what this legislation would mean in a global context. Let's suppose the USA passes this into law. What's the chance of India passing the same law? I'd say nil. It's already cheaper to create software in India, but suddenly you'd have made it cheaper to sell it from India too. You've essentially stuck a tariff on American software and handed the fiscal advantage to your competitors abroad.

Bruce says it himself: security is about managing risk. Let's not get dizzy at the perceived risk and instead act calmly and stop proposing radical solutions.

I advocate the "Vote with your feet" stance on things. At this point I feel it's important to separate the two problems we're trying to solve. We have corporate security and home computer security. While corporate security is typically bad, home computer security is much worse.

Home:

Home security is about making your computer more difficult to break into than average. If you take some basic precautions you can achieve a level of sufficient security. It's much like securing your house. If you're the only person in the street to have a burglar alarm then it makes the chance of an attacker picking your house to burgle that much less. You get the security by doing the things the majority do badly or not at all. If you do the following:

a.) Run a firewall.
b.) Run a virus scanner.
c.) Don't use Internet applications with root/Administrator access.
d.) Keep your software updated with the latest security fixes.

then the chance of your machine becoming road-kill on the Internet is greatly reduced, because it's simply too much effort for a script kiddie, malware or a virus to break into your machine. After you've complied with this list, any other security enhancements you perform quickly reach a point of diminishing return.

Other attacks, such as the frequent scams, are best addressed through teaching, not technology.

Corporate Security:

Corporate security is a lot harder to perform and is often done very poorly. The vulnerability landscape for a corporation is very complicated and the security budget is often small, so you have to make your spending count.

The first approach should be to always increase security spending. I've long held the view that security spending has a bell-shaped "effectiveness" curve. What every corporation should do is try to find the sweet spot on this curve, and where this sweet spot is depends very much on the threat model.

What I mean by this is that, supposing your security budget is £10,000, doubling the budget wouldn't merely double the effectiveness. It could triple or quadruple the effectiveness of your spend.

Say it costs £15,000 to deploy smart card login in your corporation, but your budget is £10,000. The effectiveness of implementing a smart-card solution is typically a lot more than what you can purchase for £10,000.

On the other end of the spectrum, if you have a security budget of £100,000 then you're going to reach a point of diminishing return, where spending lots of money doesn't improve things very much.

Notice how I didn't mention software vulnerabilities once? In most security situations they are not a priority and won't be for some years. We've got so much to secure before we even start to worry about the underlying software. We've got to stop people giving away passwords for a bar of chocolate. There's a lot of education to be done before we get to the issue of software.

Software will always be insecure - that's life. My house has always been insecure. People can break into my house and murder me in my sleep. It's possible and it happens, but it doesn't worry me because it's unlikely.

The same is true in computing. I know that if I take the time to do some simple security set-up I can remove such a large chunk of risk that it tips the security trade-off in using the Internet in my favour.

Simon.

19:57:05 GMT | #Randomness | Permalink