Ten for the “Tens”
My InfoSec Wishlist for the decade
Well, new website, new year, new decade. I figure I should look forward rather than backwards, so if the IT gods are listening, I have a wishlist for the InfoSec industry this decade:
1. IDS/IPS that actually works. Intrusion Detection/Prevention Systems have perpetually been a day late and a dollar short. At best, even when the systems are monitored faithfully 24/7 by trained experts, you are reacting to an incident that has either already happened or is in progress. I’d like to see IDS systems that are much more predictive than reactive. Cisco’s IPS version 7.0, with a central Cisco-run repository that keeps track of all the bad actors so that you don’t have to, is a step in the right direction. We need to centralize the recording and analysis of incidents and alerts at companies better suited to the job, the way we have already done with spam and viruses. Then maybe we will have something resembling true “prevention.”
2. Ending the spam/anti-spam arms race. It seems like we beat back the spammers for a few months, then they come out with a new trick or algorithm and our mailboxes overflow again until the vendors catch up. The only real way out of this vicious circle is a true whitelist technology, probably also coordinated by a central resource. Unfortunately, the most likely vendor for this is Microsoft, not everyone’s favorite for controlling such an important resource. However, they’ve made some inroads in that direction, and building it into Windows would instantly cover a large portion of email users. Someone will need to find a system where it is easy to register your email address as valid, hard to fool and gets a high subscription rate. Then we will finally be able to stop trying to guess which clever way the spammers will spell VIagRAA this week.
3. A happy medium for responsible disclosure of security holes. The current battle between companies and security researchers makes no one happy. If researchers try to work with the company, they are branded as not independent and as catering to the vendor over the interests of users. If they release the information without waiting for the vendor to patch, they are excoriated as irresponsible and as helping the hackers. Both sides are guilty of not playing nice with each other. Perhaps what we need is a disinterested party to manage this. Maybe some rich retired techie will fund a foundation to process security disclosures, notify the companies and give them a fair amount of time to fix the problems before public disclosure. Then we can stop playing who shot John and start shooting some bad guys.
4. Patching software becomes a thing of the past. I don’t mean that we just stop patching. I mean that the need to patch software goes away. When you think about the fact that broken software requires you to go out and research, download, install and troubleshoot new software to fix the old software, you realize that it’s a system doomed to failure. In the future, I'd like to see software smart enough to phone home once in a while, check for any fixes and automatically fix itself without any user intervention. This will require building software that is more modular and online-aware, and it will definitely require tight security (an update channel that can rewrite software on every machine is exactly what an attacker would want to hijack, so the fixes have to be authenticated before they are applied), but it beats the alternative.
5. Single Sign On (SSO) becomes a reality. Who isn't tired of remembering dozens of ever-lengthening passwords for all their systems? No one, but it’s currently the only way to keep up with the ever more powerful password crackers and brute force tools. It’s a conundrum similar to the spam issue, unless we finally figure out a sane way to do Single Sign On using strong, hardware-based crypto. We’ve figured out how to do it for physical IDs (e.g., driver’s licenses issued by the state). The state is an entity well suited to verify our identity, with the resources to manage the process and prosecute fraud. We’ve even figured it out for web-based encryption (SSL certificates), which uses private, distributed certificate authorities to manage the credentials. If we could do it for personal use as well as business use, then we could all throw our well-worn wallets away and never worry about getting mugged (at least not for our wallets).
6. Microsoft. Do Something. Insert your own wish for the software behemoth here. And die isn’t an option.
7. Credit card companies and merchants get serious about security. It would be nice if they would finally take the security of our identities as seriously as we do. Penalties need to be harsher, perhaps a public version of the stocks, where companies that abuse our trust and lose our identities are publicly humiliated (and being banned from taking new applications for a year or so wouldn’t be bad either). And would it be too much to ask them to make the credit application process harder, so that an ID thief can’t walk into BestBuy with my ID, fill out an application shorter than the McDonalds job application and walk out with a truck full of new electronics on my bill?
8. Companies get serious about IT security. It seems like unless the government or some regulatory body holds a gun to their head, most companies still treat IT security as a red-headed stepchild. They often see it as a cost that doesn’t put money on the bottom line, a zero-sum game. The only industries that actually spend serious time and effort on IT security are the ones regulated by Uncle Sam (or Uncle State or Uncle Local). Let's hope IT security seriousness spreads beyond finance, healthcare and government.
9. Speaking of government, maybe our government will finally get its head out of a well known place and figure out that IT security is as integral to national security as A-bombs, tanks and full body scanners. Come to think of it, all those things depend heavily on IT security including the design plans, operational systems and physical security systems. Read “Daemon” by Daniel Suarez for a doomsday vision of what could happen if we don’t.
10. A Black Ops commando team who will just kill all online fraudsters and save us all the trouble. Ok, maybe I’m taking my flight of fancy too far. But maybe the hackers, crackers and online criminals would just agree not to get smarter, not to get bigger and better financed, and not to get more vicious and determined to rob us all blind. I guess that’s wishful thinking too.