Analysis: Software seems to be increasingly unable to protect us.
It was, by any measures, one of the biggest cybersecurity stories of the year. Bigger than an attack on auction site eBay, which forced 145 million users to change their passwords, and even bigger than the Heartbleed OpenSSL bug which sent internet giants Facebook, Yahoo and Google scurrying for cover.
What was stolen? Naked celebrity photos. Not a handful from one poor soul, but a trove featuring actresses Jennifer Lawrence, Mary Winstead, and Kirsten Dunst, who had unfortunately posted the photos to their Apple iCloud accounts in the belief that they would be safe.
As the scandal gathered pace Apple’s chief executive Tim Cook said hackers had broken in by answering security questions or phishing for victims’ details. Other experts argued that repeated password guesses had been used to force entry into the accounts, allegations seemingly confirmed as the company quietly updated its brute force protections.
The pattern is a familiar one.
Cybersecurity proponents tell us that our data can be protected while maintaining that we need more education and fewer "silver bullets". But in an arms race between the attackers and defenders the question raised is as follows: are we brushing up against the inherent insecurity of the internet, or are vendors tacitly admitting that security products are becoming less effective?
The engineer’s failure
Cook’s response to the hack in the Wall Street Journal could have been attributed to many of this year’s big breaches: "When I step back from this terrible scenario that happened and say what more could we have done, I think about the awareness piece." His assertion that the breach was "not really an engineering thing" has become a cliché in cybersecurity, even as the industry reports itself being routed by hackers.
This is the year that saw the final demise of the notion of perimeter security, as experts threw up their hands and told us, in the words of Symantec’s SVP for information security, Brian Dye, that "antivirus is dead". A survey by the Enterprise Security Group found two-thirds of business security pros agreed antivirus was ineffective at blocking all types of advanced malware.
But "dead" did not mean removed from the shelves. Indeed, marketing for PC antivirus solutions remains largely free of warnings that they will only catch 45% of attacks, as Dye indicated in further remarks. Whether or not this is "an engineering thing", it is easy to understand why there is some confusion over what security software can accomplish.
Martin Sugden, chief executive of security firm Bolden James, told CBR that a lax attitude has been common in end user companies. "Certain people, corporates and chief executives, have thought in the past that if they pay £20 for something that’s the problem solved," he said, a complaint echoed by many a chief information officer in despair of their board’s complacency.
Earlier this summer Eddie Schwartz, then of telecoms firm Verizon, put it even more starkly: "We’ve created what looks like the semblance of security and the bad guys pretty much drive around the perimeter and do whatever they want." The solutions he mooted were analysis, recovery and segmenting, all of which are now standard fare for the cybersecurity industry.
Education saves the day
Nobody should doubt that being able to analyse attackers, recover from a breach and isolate sensitive data are good things, even if they fail to stop all breaches. As Bob Tarzey, director at research firm Quocirca, pointed out: "Criminals and activists have always and will always find ways of outwitting the measures taken to mitigate their actions."
He added that being the victim of a hack does not make you negligent, and many zero day exploits "are often the fault of the software industry". But his comments should be placed alongside those of Websense’s Neil Thacker, who when asked which technology he would avoid as a security expert replied with a wry smile and two words: "The internet."
Whatever the state of cybersecurity, it is likely that education can only help the situation. Many surveys over the past few months have demonstrated that poor passwords are rife among consumers and businesses. People still fall for phishing emails on a regular basis, and will happily insert USB sticks they found in the car park into their machines to see who the owner is.
Even with that said, it is not clear at this point to what extent education is a legitimate pursuit, or merely a marketing ruse to cover for the failings of cybersecurity’s software.