'Treat infosec fails like plane crashes' – but hopefully with less death and twisted metal

The world has never been so dependent on computers, networks and software, so ensuring the security and availability of those systems is critical. Despite this, major security events resulting in loss of data, services, or financial loss are becoming increasingly commonplace. Brian Honan, founder and head of Ireland's first …


  1. Anonymous Coward
    Anonymous Coward

    Plane accidents vs Infosec fails

    I'm guessing people are more motivated in fixing plane accidents since these usually result in hundreds of people dying in spectacular fashion... Once an internet connected oven burns a house down with family included I'm sure we'll start seeing some results. Until then we'll just shrug our shoulders and go back to watching Netflix.

    1. Tom Paine

      Re: Plane accidents vs Infosec fails

      No. Consider the history of electrical safety during the first century or so of widespread deployment of electricity supplies.

      1. Alan Brown Silver badge

        Re: Plane accidents vs Infosec fails

        Or that of train crashes and rail safety. Operators resisted all safety systems which cost money - such as brakes on each carriage - until forced to.

    2. Anonymous Coward
      Anonymous Coward

      Re: Plane accidents vs Infosec fails

      Unfortunately, economics plays into dealing with certain types of problems, including lethal ones (e.g. Ford Pinto).

      It boils down to: is it cheaper to roll out a change to the fleet, or just accept the occasional hull loss and bad PR? Presently, the latter seems to be the choice of many (I believe that's the issue we're trying to rectify).

      The question is then: how do we disincentivize all the coverups and hush-hush? I get the feeling that the consumer is going to be left holding the bag, one way or another, even if the culprits are penalized.

      1. Anonymous Coward
        Anonymous Coward

        Economics of software security?

        Anonymous Coward: “Unfortunately, economics plays into dealing with certain types of problems, including lethal ones (e.g. Ford Pinto)."

        Until the providers of the software are held to account, they have no incentive to make it relatively secure.

        'The software is licensed "as-is." You bear the risk of using it'

        'To the extent not prohibited by law, Oracle hereby disclaims all express or implied representations, warranties, guarantees, and conditions of any kind, arising by law or otherwise, with regard to the program'

        'There is no warranty for the program, to the extent permitted by applicable law'

        1. Anonymous Coward
          Anonymous Coward

          Re: Economics of software security?

          "To the extent not prohibited by law". i.e. those words are a waste of space as they have no legal standing at all but are just intended to persuade someone not to attempt to exercise their rights.

          1. Anonymous Coward
            Anonymous Coward

            Re: Economics of software security?

            That depends on where you live. In Trumpistan/Turnipistan(?, as he's that smart), any contract like that is, or will be, solidly enforced in favour of the Corp. that wrote it...and the cheque to the political party.

            The rest of us have to try and keep our countries from becoming as Oligarchic/Fascist as that. Not an easy task when the left has moved so far to the right. In NA, the left is now more right-wing than the right was in the 1970s.

          2. Adam 1

            Re: Economics of software security?

            > "To the extent not prohibited by law". i.e. those words are a waste of space as they have no legal standing at all but are just intended to persuade someone not to attempt to exercise their rights.

            Disclaimer: IANAL

            Whilst that may be a convenient side effect, I believe that this phrase is legally significant in its own right.

            Where that clause or equivalent is missing and the wording of the disclaimer is illegal (ie. Denies protected rights, very common with warranty and fitness for purpose disclaimers), the whole clause can be struck out by a court if challenged. That can leave the company horribly exposed. This clause gives them an out in many cases because their defense is that because they explicitly exclude your lawful protections from the restriction* they cannot be accused of trying to usurp them.

            *Which Jo Average often does not realise even exist.

            Pro tip: when trying to claim under warranty and the retailer and/or manufacturer are not playing ball and a reasonable impartial person** would agree that you have a case, using the right key phrases as expressed in your consumer protection laws goes a long way to getting your issue resolved.

            ** That requires some humble pie and not your BFF on twitface.

        2. c1ue

          Re: Economics of software security?

          Not that I consider Oracle exemplary, but a significant reason why software doesn't have warranties is because there is an enormous amount of user (lack of) skill that can be involved.

          Should a software maker be liable when users reuse the same login as email ID and password on dozens of different sites?

          What about patch management - at what point does the failure to install a patch (as opposed to not installing before testing) become the user's fault?

      2. jmch Silver badge
        Trollface

        Re: Plane accidents vs Infosec fails

        " is it cheaper to roll out a change to the fleet, or just accept the occasional hull loss and bad PR?"

        Is that you, Tyler?

      3. netminder

        Re: Plane accidents vs Infosec fails

        I was extremely proud of my organization: after a well-publicized incident there was a major review and audit using multiple internal and external sources. Causes were identified and plans were put in place to not make the same mistakes again. The problem is exactly as you describe, security is expensive. We are many times better secured and better prepared because of the work already done but still too far from perfect because of the big 3 - politics, religion and money.

    3. scrubber
      Mushroom

      Re: Plane accidents vs Infosec fails

      "Until then we'll just shrug our shoulders and go back to watching Netflix."

      But what if the infosec fail brings Netflix down???

    4. Daniel von Asmuth
      Unhappy

      Re: Plane accidents vs Infosec fails

      There have already been fatal failures of computers and digital devices. Every day people lose work because an application crashes and are affected negatively by software bugs. Society reacts with the urgency with which it responds to spelling errors in newspapers. Only the millennium problem prompted society to address the problem.

    5. Loud Speaker

      Re: Plane accidents vs Infosec fails

      Once an internet connected oven burns a house down with family included I'm sure we'll start seeing some results.

      Don't bet on it. I would keep that Internet connected oven in a shed at the bottom of the garden, with an internet connected webcam to watch it if I were you. Then go and live somewhere else, and watch something else on Netflix.

  2. iron Silver badge

    "victim blaming – commonplace in infosec – isn't helpful"

    When the hack occurred because the victim wilfully ignored standard procedures, allowed known holes to exist in their infrastructure and acted like Experian, Uber or Talk Talk then they deserve to be shamed and there are no lessons to learn.

    1. graeme leggett Silver badge

      The victim ignored standard procedures.

      In the aviation world, this would be followed by "Why didn't they follow procedures?", "What would have happened if they had followed the procedures?", "Are the standard procedures right?" and "How do we get them to follow standard procedures?"

      And in the InfoSec world, it's just point and laugh? Not the way to progress.

      1. Yet Another Anonymous coward Silver badge

        In the aircraft world your website would take 20 years and $10Bn to design and implement.

        Any changes would take years and $M, you would have to use aircraft grade servers with aircraft grade cables, you could only use web languages that had been approved by the FAA.

        1. Anonymous Coward
          Thumb Up

          Costs being more for reliability?

          See my Space X example below on how increased reliability is not necessarily increased cost (In SpaceX case they recoup cost through re-use and standardised fabrication or multipurpose parts). Though I admit I have not seen the numbers/costs when it comes to IT, I have experience with "small business" vs "large national" with ISPs as a consumer. The small business runs 99.5% of the time due to good management, and the big one around 75% due to greed, while both use the same hardware!

        2. Mark 85

          Excellent. I'd like to add that in the aircraft world, there's structure with costs involved and time to find and fix. IT doesn't have a central authority to do this and if they did it would be a huge effort to track and fix all. The other big difference is that with aircraft, the findings and solutions are pretty much mandatory. IT... not at all since "profit"....

          There's this comment in the article: "In addition, cybercrime ought to be reported to the police." Seriously, what good does that do without a central, world-wide organization/authority? Local cops blow it off. National cops are swamped with other crimes. There isn't any way to bring a miscreant in, say, Russia, to any other country for trial.

        3. Loud Speaker

          I would prefer that to the roll-out of systemd with no testing at all.

      2. John Smith 19 Gold badge
        Unhappy

        "In the aviation world, this would be followed by...."

        Yes.

        It's called "Root cause" analysis.

        The closest equivalent would be the original "Capability Maturation Model" developed by Carnegie Mellon after studying the IBM Federal Systems operation, who did the software for Apollo and the Shuttle.

        Something still deeply lacking in most development shops.

        1. fnusnu

          Re: "In the aviation world, this would be followed by...."

          No such thing as 'root cause analysis' only 'the point at which you stopped investigating'.

          You'll be blaming 'human error' next. That's almost a banned phrase in aviation.

        2. Yet Another Anonymous coward Silver badge

          Re: "In the aviation world, this would be followed by...."

          Something still deeply lacking in most development shops.

          "the Primary Avionics System Software cost NASA slightly over $1,000 per line"

          and this was $1000/line of almost assembler - not per line of Rails

          (https://history.nasa.gov/sts1/pages/computer.html)

      3. Stoneshop

        "how do we get them to follow standard procedures?"

        Well, licenses to operate an airline can be revoked, following which the company ceases being able to make money while still having bills to pay (like wages, office spaces, plane parking fees and such). Companies that find themselves in such a position tend to want to cease being in that position one way or another before money runs out.

        Private pilots that do not follow standard procedures will probably find their license being suspended or revoked, or will find themselves as a fatality statistic after which not following standard procedures will cease to be an issue.

        Against IT companies that reject standard procedures there is no such recourse.

    2. Doctor Syntax Silver badge

      "there are no lessons to learn."

      There's one: it can happen to us.

    3. Throatwarbler Mangrove Silver badge
      FAIL

      @iron

      Good job proving the article's very point.

    4. Doctor Syntax Silver badge

      "Experian, Uber or Talk Talk"

      These companies were not the victims of data breaches. The victims were those people whose details were leaked. Let's not forget that.

    5. Adam 52 Silver badge

      "known holes to exist in their infrastructure and acts like Experian, Uber or Talk Talk then they deserve to be shamed and there are no lessons to learn"

      What a strange thing to say.

      In Experian's case there are lessons around verifying your contractors.

      In Uber's the lessons are around access rules and audit thereof.

      Plenty of lessons to be learnt from Talk Talk, like "how do we identify, patch, test and deploy thousands of apps" and the need for intrusion detection.

      I'm not aware of any standard procedures that would have prevented any of these breaches. Maybe Talk Talk. Loads of people with 20-20 hindsight, but very few positive contributions.

      1. Loud Speaker

        In all these case, the lesson most learned was "the strategy of burying our heads in the sand and lying to everyone was a complete success".

  3. 8Ace

    Who investigates

    That would surely require a body with powers to investigate and demand evidence like an Air Accident Board. Then someone would also need the power to impose remedial measures like the CAA, FAA etc.

    However this is a bad analogy: not only is aerospace part of engineering, it's mission critical engineering. The mentality is make it safe, and secure above all else. In no way can the software industry be compared to engineering. Software is the only discipline I can think of where it's accepted that nearly all products go out the door with issues. Until the cost and consequences of fixing software issues match those with physical products, the mentality will always be "get it working, fix it later".

    1. Anonymous Coward
      Anonymous Coward

      Re: Who investigates

      In the UK that'd be the ICO wouldn't it...?

      Within the guise of GDPR the EU will be calling them Supervisory Authorities.

      They're empowered to request evidence, audit data and if dissatisfied impose fines:

      Tier 1: 20 Million Euro or 4% of global turnover

      Tier 2: 10 Million Euro fine or 2% of global turnover.

      The upcoming GDPR and eprivacy laws should shake things up sufficiently to allow the ambulance chasers to ratchet up the pressure and turn this into an HSE circus...

      1. 8Ace

        Re: Who investigates

        I'm not sure the powers available to the ICO come close to those available to the AAIB. Obviously these powers are very different, but the principle seems to be, they get access to whatever they need without requesting permission. If the ICO had similar powers, and dedicated investigators of similar quality, then we may see some changes.

        "AAIB Inspectors have powers to investigate all civil aviation accidents and incidents within the UK. They are appointed under section 8(1) of the Regulations and have the powers under section 9 to have free access to the accident site; the aircraft, its contents or its wreckage; witnesses; the contents of flight recorders; the results of examination of bodies; the results of examinations or tests made on samples from persons involved in the aircraft's operation and relevant information or records. They also have the power to control the removal of debris or components; examine all persons as they think fit; take statements; enter any place, building or aircraft; remove and test components as necessary and take measures for the preservation of evidence."

        1. Anonymous Coward
          Anonymous Coward

          Re: Who investigates

          After reading that, I have to agree with you - as a single body with consolidated powers, the AAIB will be better equipped to manage incidents as they see fit.

          I'll elaborate where I was coming from.

          The whole point behind the current legislation/fines is focused on proportional administrative fines sufficiently large enough to hurt - failing that a judicial remedy (if the affected subject is not satisfied).

          Referenced respectively in the following items:

          Judicial remedies: https://gdpr-info.eu/art-79-gdpr

          Fines: https://gdpr-info.eu/art-83-gdpr

          If they get dragged through the courts, you'd think that this extension might give them a few more powers.

    2. J. Cook Silver badge
      Thumb Up

      Re: Who investigates

      Took the words clean out of my mouth. The whole thing.

      For InfoSec, there is no central authority at a federal/national level that oversees how businesses are connected to the internet - it's all a massive pile of little duchies, and none of them talk to each other (or refuse to talk to each other fearing business secrets might be spilled, or advantages might be taken, or any number of other paranoia-related things). The only thing that exists are 'best practices', which are not requirements and half the time are usually ignored by the business in the interests of making money.

      1. Anonymous Coward
        Anonymous Coward

        Re: Who investigates

        I'm not saying that a central authority is a bad idea, but be careful what you wish for. The big players could, I suspect, very easily find a way to put the smaller Linux distros and the BSDs outside of that potential authority's "safe use regulations". This could have the knock-on effect of making them unusable for shopping/banking on the Internet, maybe even blocked by SPs from getting on the 'net depending on what's required of the SPs, for our safety. Nothing seems to be off the table as we careen further down the political extremist path.

  4. Anonymous Coward
    Anonymous Coward

    "get it working, fix it later"

    Indeed: http://www.theregister.co.uk/2017/11/24/linus_torvalds_approach_to_security/

    1. Doctor Syntax Silver badge

      Re: "get it working, fix it later"

      You've seen the article? Good. Now read it. Even better, when you get to the link to the original post click that and read what he actually wrote.

  5. Anonymous Coward
    Anonymous Coward

    Infosec ≠ cyberattack

    Even if the dictionary definition makes it appear that way. Infosec = Information Security, and malicious acts are only a part of that. I'd even go as far as to say only 50% of that.

    Never put down data loss as hostile action when there's so much scope for non-hostile FAIL.

    And I'm commenting on this because reading the "Lessons learned" investigation into a major UK based, non-hostile, data loss incident that happened a little over a year ago made it look like an utter car crash of a gloss-over job for one like myself who is more used to reading incident investigation reports from the transport industry. They actually do a much better job of it than the IT sector, and lessons can definitely be learned there!

    1. Anonymous Coward
      Anonymous Coward

      Re: Infosec ≠ cyberattack

      "incident investigation reports from the transport industry. They actually do a much better job...."

      Air and rail, yes. I'm less convinced by maritime ones.

      Let's not even go there with road safety. Although the police do a damn fine job looking at the immediate cause, that is more for blame attribution rather than learning lessons.

      1. Doctor Syntax Silver badge

        Re: Infosec ≠ cyberattack

        "that is more for blame attribution rather than learning lessons."

        And usually looking for a driver to blame. It's just coincidence that so many of the drivers being blamed were at a particular road junction.

  6. Chairman of the Bored

    Triumph of sensationalism over common sense

    I don't think the briefer has any feel for the cost and time involved in an air accident investigation. Would anyone be content with 18 months to 2 years between an infosec problem and a report? Sure, emergency airworthiness directives and whatnot can be issued mid-cycle but these are done sparingly for both economic and engineering reasons (make damn sure you don't introduce new failure modes... take some time to test). AAI is not cheap, either.

    Software and IT systems (he's talking infosec, so people are within the system boundary here) are far more complex than aero machines, so you have a much higher failure rate. But you also have a much faster timeline to make a system whole after failure.

    It's apples and oranges. And oranges don't grow in my climate.

    1. Anonymous Coward
      Anonymous Coward

      Re: Triumph of sensationalism over common sense

      The point is that aviation wants to know how to systematically eliminate the problem that caused the crash and prevent a reoccurrence. And done by being open and honest with the facts and conclusions. You don't get that impression with IT which seems to be worried about glossing over or handwaving away incidents should they reach the light of day.

      IT's fast timeline is possibly the cause of their code-release-oops!-fix-release-oops!-fix... cycle. IT seems to be quite quick at deciphering what went wrong as well. (By comparison the long times for the aviation investigators are because they are trying to figure things out by examination of little bits of barely recognizable metal spread across a field.)

      1. Anonymous Coward
        Joke

        Re: Triumph of sensationalism over common sense

        Some IT problems also appear as "little bits of barely recognizable metal spread across a field", see BOFH! ;)

      2. Chairman of the Bored

        Re: Triumph of sensationalism over common sense

        @AC, excellent points. I don't see the IT world as open and honest. CYA seems to be the primary SOP, and it seems that no amount of public humiliation is pulling big chunks of the industry out of the gutter. Where are the shareholders in all this?

        My day job is hardware engineering for aerospace widgets. I love this because I can pursue quality relentlessly. But I cannot imagine most industry could survive with our cost structure. We produce some hardware, vast amounts of test reports and documentation, and as little software as humanly possible. Very little innovation for the sake of new stuff. Nothing is very "sexy" or "advanced" - not much for the marketing weenies to get all excited about. But we don't fail. Ever.

        Near retirement now. I'm concerned with what I see coming up through the ranks - especially the management ranks. The new IT / IA / HW kids are good but the people who aren't packing what it takes to succeed in the hard science side suck. And these are your future leaders. Chasing buzzwords and "shiny" for shiny's sake. Constantly chasing buzzwords they read rather than doing any analysis to understand what is really needed. Rather than aerospace grade discipline spreading to the world of IT what I see is the crap-of-the-week club taking over aerospace.

        1. Doctor Syntax Silver badge

          Re: Triumph of sensationalism over common sense

          "Constantly chasing buzzwords they read rather than doing any analysis to understand what is really needed. Rather than aerospace grade discipline spreading to the world of IT what I see is the crap-of-the-week club taking over aerospace."

          You do at least have the possibility of the existing regulators forcing that discipline onto the buzzword chasers.

          1. Anonymous Coward
            Anonymous Coward

            Re: Triumph of sensationalism over common sense

            In a world whose leaders seem determined to decrease regulations we can't count on that for long.

  7. Anonymous Coward
    Anonymous Coward

    Space X...

    The entire reason the company may have success is how they were doing the numbers of cost/success/failure and trying to be above the competition (again in a less tragic example than aircraft accidents).

    While not yet proven as a business, they have proven themselves in the engineering side and succeeded in doing things first and best in many areas. So to follow suit in IT must be a win, no?

    Less downtime = less cost in the long run. Quicker turnarounds = more profit. etc. But I guess this needs a long commitment, and sadly I see (as a consumer) most companies outsource/slash and burn their resources (IT, call centres, engineering/service staff) and forget about consequences. :(

    1. Loud Speaker

      Re: Space X...

      Less downtime = less cost in the long run

      However, if the profit is not there in the end-of-quarter report, the share price will crash, and that is the end of the corporation. Blame the lack of heavy trading costs for short-termism. If you want a decent quality of life and don't want a world of Ponzi, what you need is hefty stamp duties.

      Bleed the speculator community to death. It is a sacrifice worth making (and probably even kosher).

    2. Seajay#

      Re: Space X...

      I'm not sure that's a great analogy.

      If typical software contained bugs which were so serious that they caused the server hardware to be destroyed after each request (roughly the non-reusable rocket equivalent) then yes, there would be huge economic gains to be had from working on reliability, but that's not the situation.

      That doesn't mean that we shouldn't look to improve reliability, just that unfortunately we have to accept that there is a trade off, it won't pay for itself.

  8. David 55

    Good luck

    And where they will get these millions of forensics and security specialists to go through the endless attacks? Even if that many existed wouldn't it be better to use them to make critical code more secure rather than do useless investigations?
