Why are people surprised about ongoing security breaches?

March 26th, 2009 | by Andy |

I’ve been reading a lot of press recently about breaches and vulnerabilities. Nothing particularly new there - it happens all the time. But for some reason I am beginning to get annoyed at the now customary tone of surprise and fear. Surprise, I suppose, that the technology that we so heavily rely upon could fail us in this way, leading to fear, presumably, that any ‘new technology initiative’ is doomed to failure because computers are inherently insecure.

This annoys me mostly because the correct response is not surprise and fear. It should be anger.

There is nothing inherently insecure about a piece of technology like a PC or a server. It only becomes dangerous when it is built into an ill-conceived solution. It’s not the technology’s fault, it’s the way we use it.

So if all we need to do is use this stuff properly, why do these data disasters happen? It’s because the people in charge don’t care enough!!!

If there were a spate of bridges falling down across the country, people wouldn’t be wringing their hands in anguish, wishing that the world was a better place and lamenting how hard it is to build bridges and how unsafe they are. There would be a massive effort to ensure that bridges are built properly. People who build bridges without involving a structural engineer would go to jail. But instead, with IT, it seems we just throw a bunch of software developers and systems engineers at a problem and hope that some of them know something about security (and when they don’t, there’s always Wikipedia. Right?).

There was a breach earlier this week at webhostingtalk.com where the attackers found a flaw at their backup site and used that to gain access to their main site and steal all the user data. A cunning attack, sure. But nothing that couldn’t be prevented by a suitable security design and testing regime supported by robust and sufficient policy and audit. But what irks me the most about this event was the comment on their forum from one of their members: “Welcome to the Internet. There’s really no reason to make a huge issue out of this. Simply change your password(s) and move on.” This is a community of people who are responsible for running the very sites that we worry about–and here is a webmaster publicly stating that he doesn’t really care, total system compromise and data loss is not a big deal.

What we need is more outrage at these events. From users, management, owners and investors, and from regulators of all descriptions. I am fed up with hearing “We can’t afford to invest in security right now, we are barely funded for development work.” or “We could add more security but we would lose users because it would be inconvenient.”

Building a bridge that may fall down is never accepted as an option, and nor should it be for the security of IT products and applications.

Next time you read about a breach, please don’t be sad…BE ANGRY.
