NB: We don’t have any connections with the computer security industry and we don’t own stocks in any computer or security companies.
Let’s play a game called ‘Let’s all be honest about computer security’. So – does anyone believe that computers are secure? Honestly? No, we didn’t think so.
We can think of our homes as an analogy. Still being honest, we want our homes to be secure enough to protect ourselves and our belongings from break-ins, or at least, if there is a break-in, for the perpetrators to be identified and captured. We live in a newer house where the doors are very secure, although a determined person with a sledgehammer would find it easy enough to break in through a window. However, we feel that this is reasonable security which would encourage a would-be burglar to find a softer target, unless, of course, they were motivated by the certain knowledge that we possessed something of considerable value. As we don’t, it is unlikely that anyone will try to gain unauthorized access to our home.
Returning to computers, and still being honest, we feel it is not too much to ask of large companies with ample resources to secure their computers to a reasonable degree. Sadly, however, based on recent experience, it seems that this is more than they can, or are prepared, to do. It would appear that for many companies computer security on a corporate level does not become really important until it affects their revenue – then it becomes a full-blown panic.
We are not without sympathy for these companies. We know someone who has turned off automatic updates for their (very well-known) operating system. They recently asked us to do some work on their machine and we found hundreds of updates waiting to be installed, of which roughly half were security related. Patches to operating systems can be a good thing, but patches on top of patches are getting ridiculous. Some operating systems have become so complicated that no one person knows them completely.
Now, being honest again, in order to prevent computer break-ins someone needs to know all the places where people might gain unauthorized access to the system. Recent events have given a strong indication that programmers and operating system makers don’t know all of these places in the software and systems they have created. Many weaknesses have only come to light because hackers have found these weak points. Whether we like it or not, computers and all they provide are deeply lodged in our society and our economy. They have to be made more secure.
Thinking of the security of our home again, we feel that if we wanted to make our house more secure we would need a person guarding it twenty-four hours a day. At that level of security only the most skilled and highly motivated burglar would even attempt a break-in. Do we need to change the way we think about computer security and do something similar there? We propose that for real computer security we need people on duty twenty-four hours a day, watching a program that looks for any unauthorized activity on computer servers, databases and so on.
We already know that machines watching machines doesn’t work: one famously painful example was when the Democratic Party in the United States had a large number of e-mails stolen. But would that have happened if there had been staff constantly monitoring access to their e-mail server? Or, even better, if anyone wanting to read their e-mail had been required to be personally authenticated by a member of the monitoring staff? Yes, we know that would be a huge pain and would slow everything down, but it would also ensure they had some of the most secure e-mail in the world.
There are two basic economic facts which underlie this problem. Computers are relatively cheap for businesses because their capital costs depreciate over time. On the other hand, staff salaries are one of the biggest expenses a business will have. But, in all honesty, can companies really afford not to employ people to monitor their computer security?
We predict that those who apply people to this problem will come out ahead of those applying almost infinite security patches, but we will be happy to be proven wrong.