Tuesday, May 29, 2007

Attacker 3.0

Gunnar Peterson mentioned a few terms that, for me, brilliantly describe the problem we face in digital security. To paraphrase Gunnar, the digital world consists of the following:

  • Security 1.0

  • Web 2.0

  • Attacker 3.0

To that might I add the following:

  • Government -1.0

  • User 0.5

  • Application Developer 2.5

What do I mean by all of this?

  • Government -1.0: in general, hopelessly clueless legislation leads to worse security than would exist without it -- often due to unintended consequences

  • User 0.5: users are largely unaware and essentially helpless, but I wouldn't expect them to improve -- I'm not an automobile designer or electrical engineer, yet I can drive my car and watch TV

  • Security 1.0: security tools and techniques are just about good enough to address yesterday's attacks

  • Web 2.0: this is what is here, with more on the way -- essentially indefensible applications all running over port 80 TCP (or at least HTTP) that no developer really understands and for which no one takes responsibility

  • Application Developer 2.5: by this I do not mean developers are ahead of anyone with respect to security; rather, they are introducing new features and capabilities without regard to security, thereby exposing vulnerabilities that no one (except intruders and some security researchers) really understands

  • Attacker 3.0: in Tao I said because some intruders are smarter than us and unpredictable, prevention eventually fails -- it's more true now than ever

The only way I know to deal with this problem is to stay aware of it through monitoring and to deter, prosecute, and incarcerate threats. If Attacker 3.0 were not free to exploit at will without fear of attribution and retribution, I would care less about these problems.

1 comment:

Alex said...

"intruders are smarter than us and unpredictable, prevention eventually fails -- it's more true now than ever"

So if intruders are smarter than us (and I agree) then why are we allowing people far removed from our distinct and unique situation to enforce their risk tolerance on us via compliance to external standards like PCI?

In the case of MN and TX, do we really believe that lawmakers are able to pass legislation concerning our controls and risk management programs with any semblance of the speed with which the threat community adapts and evolves?