Reasons Why We Keep Making Security Flaws
Security becomes a bigger problem every day, as more code is written and more infrastructure is designed.
Why does it feel like we are not improving ? Why do we keep getting shocking news every now and then ?
Even though there are many documents, best practices, preventive measures, whether simple or complex, cheap or expensive, why does it feel like we are not able to improve ?
There are multiple reasons for the situtation we are living through. I will list my reasons in this post.
Attack Surface For Our Identity Always Increases
First and foremost, everything that can be available digitally, will become available digitally and this is totally ok by itself. However by doing this, we increase the attack surface.
Every copy of identity you create online, every device or software that has access to your privacy, is another risk taken. More digital identities you have, higher chance that one or more of them will be eventually compromised. We are in a painful transition period, while trying to understand how should we use our newly developed powers.
Security Is Not Just Passwords
From the user perspective, security usually only means finding a hard password (which most people don’t do), not clicking and executing everything and if they are really one of a kind, enabling multi factor authentication.
From the vendor perspective, security is a huge battlefield to cover. It includes not just coding of the product itself, but also many aspects like detecting and mitigating potential threats, reacting to discovered bugs, protecting software assets from tampering, protecting physical access, collecting audit traces for all activities, working with pentesters and independent auditors to find weaknesses, auditing your own partners and subcontractors to make sure that they operate on a certain level of security. The list goes on.
Total Security is Difficult
It now seems obvious, right ? The area that needs to be covered is huge and even the best engineers make mistakes that result in security problems. Cryptography algorithms created by scientists who dedicate their lives on this area are found to be weak after years of industrial usage. We only hear about the tip of the iceberg, ones that make people flock to the news sites.
For the most famous ones, here is the timeline of hacking events.
Let’s check just a few from recent years:
- In 2011, 77 million accounts of Sony PlayStation Network was compromised
- In 2012, 6.5 million LinkedIn accounts were stolen
- Yahoo! admitted 3 billion accounts were impacted in multiple occasions
- In 2014, Apple iCloud services breached, causing the infamous the fappening
- In 2014, -then largest bitcoin exchange- Mt.Gox filed bankruptcy after bitcoins were stolen
- In 2015, U.S Office of Personnel Management is breached to get 21.5 million records
- In 2016, Dyn was attacked by tens of millions of Mirai infected devices
- In 2017, data of 145.5 million Equifax customers were stolen
What about few bugs ?
- Goto fail from Apple which severely undermined the transport security for years
- Stagefright from Google which let an attacker to run arbitrary code masked in MMS
- Blueborne allowed an attacker to gain control of Linux, Android, iOS and perform MITM for Windows
- Heartbleed of OpenSSL which allowed remote user to retrive confidential data or even private keys.
- Meltdown and Spectre, probably by far the worst security bug we had in history.
Check here for the vulnerabilities per year from CVE statistics.
This is a filter on CVE database for the vulnerabilities that:
- Occured since January 2017
- One of XSS,overflow exploit, CSRF, execute arbitray code, priviledge gain
- Can be executed remotely (so, no local account needed)
- Requires no specialized access
- Requires no authentication
- Results in partial or complete information disclosure
- Results in partial or complete compromise of system integrity
Not a small list.
And how about users becoming victims of phishing, malwares, targeted attacks, ransomwares etc ?
I hear you murmuring about hiring the best engineers, forming best teams, code reviews, pair programming, formal verification, testing methodologies, static code analyzers, leak detectors, debuggers, compilers that detect errors better than some others, story writing and requirement gathering techniques, educating users, providing better UIs.
It turns out that, even advanced organizations may make mistakes that cause security problems. Security issues may arise from any organization.
High Demand For Technology Solutions
We are simply unable to cope with the demand. There are endless amount of business cases waiting to be done because there is not enough resource to make them. Anyone who can design hardware, infrastructure, write code, will do it. It is not realistic to expect all organizations to have the best employees and vast resources. Considering the incidents happened at the hands of even the best teams, most solutions are safe for the moment simply because they are not targeted yet.
Total Security is Expensive
The security area that I mentioned above, is simply expensive to cover. It requires not just highly skilled experts in many different areas but it also requires equipments, time and certain culture in organization.
Most organizations are not able to pay the cost of this. Low hanging fruits are targeted and fingers crossed for the parts that are not covered.
Security is Expected by Default
Whether it is B2B or B2C, there is no customer that agrees giving data to an organization that openly accepts it does not put best effort to protect them. Everybody rightfully expects highest possible security.
When highest security is expected by all customers, you can not mention it as an item that will increase the price of your solution. You are expected to do it anyway.
What is the result of this ?
Organizations Tend Skip Effort on Security to Focus on Profits
A business can thrive only if it stays on the profitable side. Harsh competition today pushes companies to focus on immediate gains. After all, salaries and expenses have to paid and investors (if there is any) want to see returns. Therefore, many choose to allocate limited engineering resources and budget for developing things that will bring money.
What About Existing Data Protection Regulations ?
We always consider Microsoft, Google, Facebook, Amazon, Apple and similar famous faces when the best security is talked about. However, they are not the only ones. Managing critical data neither started with them, nor they are the only ones who do it.
Companies operating in regulated industries such as telecommunications, military, finance, health, automotive, aerospace etc are obliged to conform various rules and specs in order to be able to do their business. Regulations and specs draw the red lines that may not be crossed no matter what.
Generally, whenever public safety is a serious concern, we always have rules to follow. They basically imply: if you are not going to be able to provide this level of quality, you can not do this business
This is better than nothing.
Let me introduce you Dr. Ignaz Semmelweis. In 1847, he pioneered the practice of washing hands in hospitals and resulted dramatic decrease in deaths of mothers due to childbed fever. He was criticised and involved in long debates. But his simple measure turned out to be immensely positive on patient health once it is made mandatory to follow.
You can not run a restaurant without conforming certain safety rules. You can not produce a car without certain safety guarantees. Should you be allowed to process such data if you can’t prove you implement a certain level of protection ?
Within the regulated business cases, companies have to pass through certain audits and get certifications by proving their compliance to standards. In reality, it is relatively relaxed in our industry. There are millions of devices in the world that can be managed only via clear text telnet.
Many developed countries have some sort of data protection rules that companies must follow. Here is a page from EU: How do I make sure I comply with personal data protection rules?
How many of the companies really follow those ? I wish we know.
Is this a final solution ? No. Because even if you follow everything, you can still make a mistake (Yes, it is your mistake when you are breached due to a third party library bug)
At least, regulations can force organizations to consider certain things before processing critical data.
We are living in an era where we are unable to deal with the security requirements of our solutions due to high business demands and shortage of certain important resources to close the gaps.
What we face in these years is, vast breaches of public safety. The threat will increase as we create more solutions, because the digitized world will become more lucrative for criminals.
Bruce Schneier said Stop Trying to Fix the User in 2016.
He is totally right. This is not a user problem. We must stop blaming the victims. In the end, it is always our job to make things secure.
Edit 1: I did not intend to keep adding examples but Meltdown and Spectre are so huge that I could not stop