
Information Security has Failed What Next?

Professor Richard Walton CB, Royal Holloway, 6 September 2014.





Presentation Transcript


  1. Information Security has Failed: What Next?
     Professor Richard Walton CB, Royal Holloway, 6 September 2014

  2. Infosec has failed
     • Infosec defined in mid-1980s
     • Generalisation of Comsec
     • Crypto technology of the 1970s solved the major technical Comsec challenge
     • Infosec should have followed with technical solutions to: Availability, Confidentiality, Integrity

  3. Infosec has failed: Today
     • Technical cyber attacks abound
     • Software quality is abysmal
     • Criminals download commoditised malware
     • Mobile devices exacerbate the problems
     • Security is permanently reactive
     • We can't PREVENT successful attacks

  4. Information Security Today and Tomorrow
     Today:
     • Business dependency
     • Criminal threat
     • Some control of assets
     • Poor 'professional' software
     Tomorrow:
     • Personal dependency
     • Increased threat
     • Ubiquitous uncontrolled assets
     • Amateur software

  5. Response - More of the Same (only better this time)
     • Awareness - must keep banging on
     • Law - must improve, must enforce
     • Better authentication
     • Better risk management

  6. Software Quality
     • Bespoke still required at the high end - but will be resisted
     • Must accept that most Apps will be written by incompetent programmers
     • Vital to harden the building blocks

  7. Software Quality
     • Software libraries require a total rewrite
     • Documentation must be improved and simplified to cater for dumbed-down programming
     • Education of the elite must be up-gunned
     • Education of the masses also needs attention
     • Strengthen acceptance criteria for Apps

  8. Change the Goals
     • Prevention
     • Detection
     • Diagnosis
     • Cure
     • Damage limitation
     • Recovery

  9. Detection - Transparency
     • Better documentation from developers, enforced by regulation/strict liability
     • Transparency of actions - what and why
     • More user control
     • Revelation of hidden processes
     • Integrity checks available to users
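The last bullet, "integrity checks available to users", is the kind of detection aid a non-expert can run without understanding the software itself. The example below is added here to illustrate it; it is not code from the talk. It records a SHA-256 digest of every file under a directory in a manifest, then re-checks the directory against that baseline and reports what was modified, removed or added. The function names, the sample files and the simulated tampering are all constructed for this illustration.

```python
"""Minimal file-integrity check a user can run themselves (added example).

Records SHA-256 digests of every file under a directory in a manifest,
then compares the directory against that manifest and reports changes.
Function names, sample files and the simulated changes are assumptions
made for this illustration, not material from the talk.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX style) to its digest."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def verify(root: Path, manifest: dict) -> dict:
    """Compare the current tree with a previously recorded manifest.

    Returns relative paths grouped as modified, missing and added. An empty
    result means no change was detected within root; it says nothing about
    files outside root, and the manifest itself must be kept somewhere the
    checked software cannot rewrite it.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def demo() -> dict:
    """Build a throwaway tree, baseline it, change it, and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "main.py").write_text("print('hello')\n")
        (root / "app" / "config.ini").write_text("[auth]\nstrict=true\n")
        (root / "README.txt").write_text("sample application\n")

        manifest = build_manifest(root)  # the baseline the user keeps
        assert verify(root, manifest) == {"modified": [], "missing": [], "added": []}

        # Constructed changes after the baseline: a setting weakened,
        # a file removed, and an unexpected binary dropped into the tree.
        (root / "app" / "config.ini").write_text("[auth]\nstrict=false\n")
        (root / "README.txt").unlink()
        (root / "app" / "extra.so").write_bytes(b"\x7fELF")

        return verify(root, manifest)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The check only detects change relative to the baseline, which is why the manifest has to be taken when the software is known good and stored out of its reach; it is a diagnostic the user can act on, not a prevention mechanism.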

  10. Call to Arms
     • Government
     • Developers
     • Academia
     • Professional institutions

  11. Government
     • The law - strengthen enforcement
     • Spearhead public awareness
     • Seed-corn funding
     • Strengthen consumer power

  12. Developers
     • Improve documentation and other aids to transparency
     • Strengthen acceptance criteria for public Apps
     • Provide for more user control
     • Meaningful monitoring and diagnostics to detect problems

  13. Academia and Researchers
     • Education of programmers
     • Hardening software
     • Assurance mechanisms to support the non-expert user

  14. Professional Institutions
     • Advice on technical risks - lobbying Government
     • Engineering standards
     • Mitigating the amateur threat
     • Provide a counter to vested interests from industry

  15. Conclusions 1
     • Infosec has failed to prevent or cure the ill-effects of the security challenges of the past 30 years
     • The environment is getting more challenging
     • The priority needs to shift to detection, recovery and damage limitation
     • The challenge from ubiquitous threat must be met by ubiquitous defence aimed at the non-expert consumer

  16. Conclusions 2
     • Actions are needed to arm the consumer
     • This requires Government to act to counter the vested interests
     • In some areas software quality must improve; elsewhere an environment must be created to limit the damage from low-quality Apps
     • The playing field must be tilted to protect the general non-expert user
