Stilgherrian is an Australian journalist covering internet policy, cybersecurity, digital surveillance, privacy.

Feb 5, 2013
Published on: CSO Online Australia
1 min read

Recent attacks on US newspapers are further proof that, despite making billions, the information security industry is pretty much screwed.

My American colleague Antone Gonsalves has written up some lessons learned from the Chinese attacks on the New York Times and The Wall Street Journal that were revealed last week, and argues that the media needs better security. I agree with most of it. But I'm Australian, so I'll add something much more blunt.

The information security industry is mostly screwed, and needs to admit it.

Alan Paller, founder and director of research at the SANS Institute, nailed it in their latest NewsBites newsletter.

"Three big takeaways from this story: (1) the attackers were in for a long time before they were discovered; (2) the anti-virus and other defenses were useless; (3) they didn't have people with technical security skills on staff to deal with it. These three facts are true of more than 1400 companies in the United States including most power companies, large law firms, other major newspapers and media companies, telecommunications, high tech, natural resources, manufacturers, and defense industrial base companies, just to name a few," Paller wrote.

Paller's third point isn't the industry's fault, it's just businesses being tightwads. But the first two are, and we've known about them for ages. Yet it seems as if the industry, or at least big sections of it, are still in denial.

Working backwards, it's the industry's dirty little almost-secret that traditional anti-virus defences just don't cut it any more.

Vendors race to assemble the biggest collection of Bad Things they can, so they can detect and protect you from them. They tackle the massively-increasing pace by waving the words "cloud" and "community" at the process. But what use is any of that when specific pieces of malware are used for just five minutes, or against just one target?

"[The New York Times] claims that a major factor in the success of the attackers was the fact the anti-virus software used by the New York Times did not detect 44 pieces of custom made malware used against the Times' network. If you are relying solely on anti-virus software to protect your systems, especially against custom made malware, then you will get breached," wrote Dublin-based security consultant Brian Honan in NewsBites.

 The New York Times also reported that the hackers had been in their systems for four months. That's not unusual, that's typical.

The Verizon Business Data Breach Investigation Report (DBIR) for 2009 showed that 49 percent of breaches weren't discovered until "months" after the initial compromise, and another 25 percent took "weeks". And it looks like things are getting worse. DBIR 2012 put those two figures at 54 percent and 29 percent respectively.

When you consider the number of breaches we see reported, let alone those that are kept secret, it seems to me that we're not looking at a few little glitches. Rather, our entire approach to information security is failing. Apart, that is, from the companies taking what will inevitably be called a "big data" approach this year: recording everything you can think of, look for patterns, and hope to find them.

Yet vendors are still making money hand over fist. How does that work?