Too much faith in vulnerable technology?

Someone recently posed the following question: Given the constant stream of news regarding attacks against government, banking, and other computer systems, and the dependency on Internet connectivity, are we putting too much faith in vulnerable technology?

There’s nothing new about trying to hack into electronic systems. Way back in 1972, John T Draper was the first hacker to be convicted of wire fraud. Read his biography here. In the late 70s we had the first online bulletin boards where passwords and credit card numbers could be traded, and in 1983 we had the movie “War Games”, where the young hacker used his modem and PC to play “Global Thermonuclear War” with the government computer. The point I’m heading towards is that any time we’ve connected electronic systems up to be accessed externally, there have always been individuals willing to try to exploit them.

And systems are not becoming any more secure. We could argue that they are because we’re devoting more time, effort and resources to making them so. But there are around 50 million lines of code in Windows Vista alone. Add to that all the other systems and their code that we expose to the Internet, and the sheer implausibility of thinking that there aren’t any security vulnerabilities to be exploited for fun and profit becomes obvious.

Many of us protect data using encryption and then make the mistake of assuming that this makes it secure even if the host system itself is compromised. At the same time, we are likely to forget about copies of that data in our email, or sitting on a server belonging to a customer or partner, or on a print-out sitting in a bin waiting for the refuse collection.

Then, someone makes the bold statement “no-one is going to be interested in hacking our systems – it’s never happened before.” There are CISOs from TJ Maxx to PetsMart who will tell you that this is simply not true. Connect any vulnerable system to the outside world and within a very short space of time it will be compromised – less than 20 minutes for a Windows PC by some estimates. You might not fully appreciate the value of the data that you are storing, but consider this: if you consider it worthy of protecting with a password, then it must have some value to somebody. (One of my principles of data security is that all data has a value.)

So, back to the original question: are we putting too much faith in vulnerable technology? Simple answer: Yes! Of course we are. In my opinion, we always will, because that’s our nature. We want to push the boundaries and are only limited in what we can do by our imagination and the technology that’s available. If I want to send you some confidential information, then I’ll take a calculated risk that the method I use won’t result in that information being compromised. Most individuals won’t even go that far: they won’t realise they are even taking a risk. There are no guarantees that the data won’t be compromised on the way – because no matter how good I consider the technology to be and how well I evaluate the risk, if somebody else has an interest in my data, they probably already have a head start in knowing how to compromise it. It’s the electronic equivalent of being mugged by a hooded attacker – except we probably won’t notice the loss and the pain until much later.

A simple fact is that most individuals don’t understand the technology they are using. We, my technology-savvy friends, are a minority, and most mere mortals consider what we do a black art. It’s not helped by the fact that doing something that should be simple, such as putting a password on a Microsoft Word document, seems to have increased in complexity rather than gotten any easier over the years (hands up all of you who know how to do this in Office 2007 without looking and without having to randomly select options to find the right function – and then how many Office 2007 users will know the difference between the various encryption types that are offered?).

So, our systems are vulnerable. Accept it, and manage the risk through education and process-based risk management. Use defence-in-depth and keep systems patched. Test your code, track changes, keep control over accounts, and the list goes on. Never ever assume that your systems are not a target, and don’t think for a minute that they haven’t already been compromised.