Table of Contents Chapter 1: The Business and Economics of Security Consolidation: Plague or Progress Prediction: RSA Conference Will Shrink Like a Punctured Balloon How to Sell Security Why Do We Accept Signatures by Fax? The Pros and Cons of LifeLock The Problem Is Information Insecurity Security ROI: Fact or Fiction? Social Networking Risks Do You Know Where Your Data Are? Be Careful When You Come to Put Your Trust in the Clouds Is Perfect Access Control Possible? News Media Strategies for Survival for Journalists Security and Function Creep Weighing the Risk of Hiring Hackers Should Enterprises Give In to IT Consumerization at the Expense of Security? The Vulnerabilities Market and the Future of Security So You Want to Be a Security Expert When It Comes to Security, We're Back to Feudalism You Have No Control Over Security on the Feudal Internet Chapter 2: Crime, Terrorism, Spying, and War America's Dilemma: Close Security Holes, or Exploit Them Ourselves Are Photographers Really a Threat? CCTV Doesn't Keep Us Safe, Yet the Cameras Are Everywhere Chinese Cyberattacks: Myth or Menace? How a Classic Man-in-the-Middle Attack Saved Colombian Hostages How to Create the Perfect Fake Identity A Fetishistic Approach to Security Is a Perverse Way to Keep Us Safe The Seven Habits of Highly Ineffective Terrorists Why Society Should Pay the True Costs of Security Why Technology Won't Prevent Identity Theft Terrorists May Use Google Earth, but Fear Is No Reason to Ban It Thwarting an Internal Hacker Market An Enterprising Criminal Has Spotted a Gap in the Market We Shouldn't Poison Our Minds with Fear of Bioterrorism Raising the Cost of Paperwork Errors Will Improve Accuracy So-Called Cyberattack Was Overblown Why Framing Your Enemies Is Now Virtually Child's Play Beyond Security Theater Cold War Encryption Is Unrealistic in Today's Trenches Profiling Makes Us Less Safe Fixing Intelligence Failures Spy Cameras Won't Make Us Safer Scanners, Sensors Are Wrong Way to Secure the Subway Preventing Terrorist Attacks in Crowded Areas Where Are All the Terrorist Attacks? Worst-Case Thinking Makes Us Nuts, Not Safe Threat of “Cyberwar” Has Been Hugely Hyped Cyberwar and the Future of Cyber Conflict Why Terror Alert Codes Never Made Sense Debate Club: An International Cyberwar Treaty Is the Only Way to Stem the Threat Overreaction and Overly Specific Reactions to Rare Risks Militarizing Cyberspace Will Do More Harm Than Good Rhetoric of Cyber War Breeds Fear—and More Cyber War The Boston Marathon Bombing: Keep Calm and Carry On Why FBI and CIA Didn't Connect the Dots The FBI's New Wiretapping Plan Is Great News for Criminals US Offensive Cyberwar Policy Chapter 3: Human Aspects of Security Secret Questions Blow a Hole in Security When You Lose a Piece of Kit, the Real Loss Is the Data It Contains The Kindness of Strangers Blaming the User Is Easy—But It's Better to Bypass Them Altogether The Value of Self-Enforcing Protocols Reputation Is Everything in IT Security When to Change Passwords The Big Idea: Bruce Schneier High-Tech Cheats in a World of Trust Detecting Cheaters Lance Armstrong and the Prisoner's Dilemma of Doping in Professional Sports Trust and Society How Secure Is the Papal Election? The Court of Public Opinion On Security Awareness Training Our New Regimes of Trust Chapter 4: Privacy and Surveillance The Myth of the “Transparent Society” Our Data, Ourselves The Future of Ephemeral Conversation How to Prevent Digital Snooping Architecture of Privacy Privacy in the Age of Persistence Should We Have an Expectation of Online Privacy? Offhand but On Record Google's and Facebook's Privacy Illusion The Internet: Anonymous Forever A Taxonomy of Social Networking Data The Diffi culty of Surveillance Crowdsourcing The Internet Is a Surveillance State Surveillance and the Internet of Things Government Secrets and the Need for Whistleblowers Before Prosecuting, Investigate the Government Chapter 5: Psychology of Security The Security Mindset The Difference between Feeling and Reality in Security How the Human Brain Buys Security Does Risk Management Make Sense? How the Great Conficker Panic Hacked into Human Credulity How Science Fiction Writers Can Help, or Hurt, Homeland Security Privacy Salience and Social Networking Sites Security, Group Size, and the Human Brain People Understand Risks—But Do Security Staff Understand People? Nature's Fears Extend to Online Behavior Chapter 6: Security and Technology The Ethics of Vulnerability Research I've Seen the Future, and It Has a Kill Switch Software Makers Should Take Responsibility Lesson from the DNS Bug: Patching Isn't Enough Why Being Open about Security Makes Us All Safer in the Long Run Boston Court's Meddling with “Full Disclosure” Is Unwelcome Quantum Cryptography: As Awesome as It Is Pointless Passwords Are Not Broken, but How We Choose Them Sure Is America's Next Top Hash Function Begins Tigers Use Scent, Birds Use Calls—Biometrics Are Just Animal Instinct The Secret Question Is: Why Do IT Systems Use Insecure Passwords? The Pros and Cons of Password Masking Technology Shouldn't Give Big Brother a Head Start Lockpicking and the Internet The Battle Is On against Facebook and Co. to Regain Control of Our Files The Difficulty of Un-Authentication Is Antivirus Dead? Virus and Protocol Scares Happen Every Day—but Don't Let Them Worry You The Failure of Cryptography to Secure Modern Networks The Story behind the Stuxnet Virus The Dangers of a Software Monoculture How Changing Technology Affects Security The Importance of Security Engineering Technologies of Surveillance When Technology Overtakes Security Chapter 7: Travel and Security Crossing Borders with Laptops and PDAs The TSA's Useless Photo ID Rules The Two Classes of Airport Contraband Fixing Airport Security Laptop Security while Crossing Borders Breaching the Secure Area in Airports Stop the Panic on Air Security A Waste of Money and Time Why the TSA Can't Back Down The Trouble with Airport Profiling Chapter 8: Security, Policy, Liberty, and Law Memo to Next President: How to Get Cybersecurity Right CRB Checking State Data Breach Notifi cation Laws: Have They Helped? How to Ensure Police Database Accuracy How Perverse Incentives Drive Bad Security Decisions It's Time to Drop the “Expectation of Privacy” Test Who Should Be in Charge of Cybersecurity? Coordinate, but Distribute Responsibility “Zero Tolerance” Really Means Zero Discretion US Enables Chinese Hacking of Google Should the Government Stop Outsourcing Code Development? Punishing Security Breaches Three Reasons to Kill the Internet Kill Switch Idea Web Snooping Is a Dangerous Move The Plan to Quarantine Infected Computers Close the Washington Monument Whitelisting and Blacklisting Securing Medical Research: a Cybersecurity Point of View Fear Pays the Bills, but Accounts Must Be Settled Power and the Internet Danger Lurks in Growing New Internet Nationalism IT for Oppression The Public/Private Surveillance Partnership Transparency and Accountability Don't Hurt Security—They're Crucial to It It's Smart Politics to Exaggerate Terrorist Threats References Introduction Chapter 1 The Business and Economics of Security Consolidation: Plague or Progress Originally published in Information Security, March 2008 This essay appeared as the second half of a point/counterpoint with Marcus Ranum. We know what we don't like about buying consolidated product suites: one great product and a bunch of mediocre ones. And we know what we don't like about buying best-of-breed: multiple vendors, multiple interfaces, and multiple products that don't work well together. The security industry has gone back and forth between the two, as a new generation of IT security professionals rediscovers the downsides of each solution. The real problem is that neither solution really works, and we continually fool ourselves into believing whatever we don't have is better than what we have at the time. And the real solution is to buy results, not products. Honestly, no one wants to buy IT security. People want to buy whatever they want—connectivity, a Web presence, email, networked applications, whatever— and they want it to be secure. That they're forced to spend money on IT security is an artifact of the youth of the computer industry. And sooner or later the need to buy security will disappear. It will disappear because IT vendors are starting to realize they have to provide security as part of whatever they're selling. It will disappear because organizations are starting to buy services instead of products, and demanding security as part of those services. It will disappear because the security industry will disappear as a consumer category, and will instead market to the IT industry. The critical driver here is outsourcing. Outsourcing is the ultimate consolidator, because the customer no longer cares about the details. If I buy my network services from a large IT infrastructure company, I don't care if it secures things by installing the hot new intrusion prevention systems, by configuring the routers and servers as to obviate the need for network-based security, or if it uses magic security dust given to it by elven kings. I just want a contract that specifies a level and quality of service, and my vendor can figure it out. IT is infrastructure. Infrastructure is always outsourced. And the details of how the infrastructure works are left to the companies that provide it. This is the future of IT, and when that happens we're going to start to see a type of consolidation we haven't seen before. Instead of large security companies gobbling up small security companies, both large and small security companies will be gobbled up by non-security companies. It's already starting to happen. In 2006, IBM bought ISS. The same year BT bought my company, Counterpane, and last year it bought INS. These aren't large security companies buying small security companies; these are non-security companies buying large and small security companies. If I were Symantec and McAfee, I would be preparing myself for a buyer. This is good consolidation. Instead of having to choose between a single product suite that isn't very good or a best-of-breed set of products that don't work well together, we can ignore the issue completely. We can just find an infrastructure provider that will figure it out and make it work—who cares how?
Description: