Richard Clarke’s Six Lessons on network security

With commentary by Bruce Schneier. From Bruce’s latest newsletter…

1. “We have enemies.” Everyone does. Companies have competitors. People have others who don’t like them. Some enemies target us by name, others simply want to rob someone and don’t care whom. Too many organizations justify their inattention to security by saying: “Who would want to attack us?” That just doesn’t make sense.

2. “Don’t underestimate them.” Don’t. Whether it is a DVD pirate living in a country with no copyright laws, or a hacker kid who spends days trying to break into a network, cyberspace attackers have proven to be better funded, smarter, and more tenacious than anyone has estimated. If you assume that your enemies won’t be able to figure out your defenses and bypass them, you’re not paying attention.

3. “They will use our technology against us.” This is especially true in cyberspace. Almost all attacks involve using the very network being attacked. Maybe it’s a vulnerability in the software; maybe it’s a feature that should never have been created. Hacking is judo: using network software to do things it was never intended to do.

4. “They will attack the seams of our technology.” As bad as most cryptography is out there, it’s almost always easier to break a system by some other method. Attacks on the seams — the places where different technologies come together — are more fruitful. Think of the FBI reading PGP-encrypted mail by installing a keyboard sniffer, or people who bypass copy-protection controls by mimicking them rather than breaking them. This lesson is obvious to anyone who has broken security software.

5. “Our technology is surprisingly interdependent.” That’s certainly clear. We’ve seen vulnerabilities in IIS affect all sorts of systems. We’ve seen malicious code use features of Microsoft Word and Outlook to spread. A single SNMP vulnerability affects hundreds of products. Interdependence is how the Internet works. It’s also how it fails.

6. “The only way to solve this problem is for government and industry to work together.” This is more subjective, but I agree with it. I don’t think that industry can do it alone, mostly because they have no incentive to do it. I don’t think that government can do it alone, because they don’t have the capability. Clarke seems to think that it’s government’s job to provide some funding, high-level coordination, and general cheerleading. I think it’s government’s job to provide a financial incentive to business. If you want to fix network security, hack the business model. Remove the liability exemptions from software. Demand regular reporting similar to what was required for Y2K. Make the CEO care.