The security industry is adding layers of defensive technologies to protect systems rather than addressing the most substantial, underlying problems that sustain a sprawling cybercrime syndicate, according to an industry luminary who painted a bleak picture of the future of information security at a conference of hundreds of incident responders in Boston Tuesday.
Eugene Spafford, a noted computer security expert and professor of computer science at Purdue University, said software makers continue to churn out products riddled with vulnerabilities, creating an incessant patching cycle for IT administrators that siphons resources from more critical areas. The problem has grown so bad that today businesses are rushing to invest in many of the latest security technologies designed to detect infections without any ability to efficiently address them, Spafford said.
“Instead of building secure systems, we are getting further and further away from solid construction by putting layer upon layer on top of these systems,” Spafford said. “The idea is for vendors to push things out rather than get things right the first time.”
Poorly coded software combined with growing network complexity has increased the attack surface at many organizations, and it is taking its toll financially, said Spafford, who gave the morning keynote at the FIRST Conference, an annual gathering of incident responders and computer emergency readiness teams from around the world. Cybercrime costs the global economy as much as $500 billion annually, Spafford said, citing an estimate from a recent report that predicts the losses associated with cybercrime will continue to grow.
Spafford, executive director of Purdue's Center for Education and Research in Information Assurance and Security (CERIAS), serves as a frequent adviser on information security issues. He gained prominence for his role in analyzing the Morris worm, one of the earliest threats to the Internet. There are currently 220 million known malware families or instances of known malware, and the number is increasing by 52 million a month, Spafford said. Despite security technology advances, threat detection hasn’t improved much. Malware remains on systems for months and often isn’t uncovered until after criminals pilfer systems containing intellectual property and other sensitive data, he said.
Meanwhile, security vendors produce inadequate security platforms designed to protect software riddled with holes, Spafford said. Firewalls were put in place to protect groups of vulnerable systems and when attackers got through, the security industry pitched antivirus and hosted intrusion prevention as an effective response. When that proved woefully ineffective, encryption became essential to protect the most critical data. But when criminals still found a way to view the data using stolen keys, the response was to add activity monitoring and deep packet inspection. Today the latest technologies assume the system has been compromised and businesses must cope with figuring out which threat on the network poses the greatest danger, Spafford said.
“We have effectively given up on secure systems when we have interest and funding in those kinds of products,” Spafford said. “We’re using all these tools on a regular basis because the underlying software isn’t trustworthy.”
Law enforcement is also inadequately equipped and stymied by criminal gangs in countries where bribery earns them protection from the government, he said. There have been a number of high-profile arrests over the past year, including the suspected author of the notorious Blackhole Exploit Kit, a crackdown against those behind Blackshades malware and most recently a crackdown on the creator of the Gameover/Zeus botnet and the individual suspected of developing the Cryptolocker ransomware. But for every win a new crimeware writer emerges and the organized crime network quickly recovers, Spafford said.
Without an investment in computer programming education and a major move by software manufacturers to embed software security concepts early into the development process, the problems will continue to get worse, Spafford said.
"The general public does not have a sense of the problems here, and there aren't very many response teams to handle all of this," he said. "We have no consequences for sloppy design and we don't hold organizations accountable for bad things."
PUBLISHED JUNE 24, 2014