Online security doesn't exist

@CNNMoneyTech August 5, 2011: 7:54 AM ET
cloud-security.ju.top.jpg

LAS VEGAS (CNNMoney) -- One of the big jokes at this year's Black Hat cybersecurity conference in Las Vegas is that there is no such thing as cybersecurity. No system can be 100% secure. There is no uncrackable code.

"Security, in effect, sucks," said Richard Thieme, a prolific writer and professional speaker on the impact of new technologies on society. "Security professionals feel overwhelmed because they can't do security."

Cybersecurity vendors and antivirus software firms advertise that they can keep companies, agencies and people safe. Yet antivirus programs can't stop every attack. And every day a new company or government organization announces that they've been compromised.

"Our whole industry is built on smoke and mirrors," said Thieme at Black Hat Thursday. "What we have is fundamentally broken. Cryptography is the opiate of the naive. So how can we use the word 'security' when we don't mean it?"

The root of the conundrum, Thieme argued, is not that everything is unsafe, but rather that people in the security profession are lying to themselves about what and how much they protect. They're bad at mitigating risk but very good at mitigating fear by pretending that everything is safe and secure, he said.

How cybercriminals hack you

They're also propagating that myth to the public by refusing to discuss their vulnerabilities out in the open.

For instance, Intel (INTC, Fortune 500)-owned McAfee this week released information about an attack that affected 72 organizations. The security firm wouldn't release the names of the victims, because none of them wished to be identified publicly.

That's a problem, Thieme said, because it reinforces a false narrative that the world is basically secure, and everything will eventually work itself out. Only when companies and agencies begin to speak truthfully about their limitations -- both internally and externally -- can they start to address the real-life challenges that face them.

"A company's objective is to get its security employees to embrace and protect its system," said Thieme. "But companies need to go deeper than that. They have to address the problems manifest in the system."

Part of the problem is that companies and agencies lack support from their top decision makers. CEOs, CFOs and even some chief security officers are so focused on the bottom line (let's get our product out to customers quickly) that they view security as more of a nuisance than a business-critical undertaking.

When security does get addressed, it's an afterthought. Unlike a bank, which builds the vault first and then the rest of the building around that structure to protect it, organizations typically build a product and then a fence around it afterwards. Without security at the core, hackers will find a way in.

Of course, attackers will find a way in one way or another even if you integrate security in a product from the outset. But giving cybersecurity the proper attention it deserves and acknowledging that nothing can be 100% protected can help keep more, if not most, of the bad guys at bay.

"Only hardcore security professionals think about the fact that you can never be totally secure," said Joshua Shaul, chief technology officer for Application Security. "The only thing you can do is build the fence higher and higher so that eventually it's not worth it to climb over." To top of page

CNNMoney Sponsors
Market indexes are shown in real time, except for the DJIA, which is delayed by two minutes. All times are ET. Disclaimer Morningstar: © 2014 Morningstar, Inc. All Rights Reserved. Disclaimer The Dow Jones IndexesSM are proprietary to and distributed by Dow Jones & Company, Inc. and have been licensed for use. All content of the Dow Jones IndexesSM © 2014 is proprietary to Dow Jones & Company, Inc. Chicago Mercantile Association. The market data is the property of Chicago Mercantile Exchange Inc. and its licensors. All rights reserved. FactSet Research Systems Inc. 2014. All rights reserved. Most stock quote data provided by BATS.