When Hackers Don't Strike
Today the New York Times asks us: “Who Needs Hackers?” The article itself, which discusses the recent outages at LAX and with Skype, is fairly fluffy, but it has some great quotes that really cover the issues we should be looking at as an industry. Security isn’t just about hackers, but about managing threats and risks, and we need to remember that much more often.
Peter “Comp.Risks” Neumann:
We don’t need hackers to break the systems because they’re falling apart by themselves.
Most of the problems we have day to day have nothing to do with malice. Things break. Complex systems break in complex ways.
and Avi Rubin:
Maybe we have focused too much on hackers and not on the possibility of something going wrong. Sometimes the worst problems happen by accident.
As a professional system administrator who is constantly thinking about security, I’ve had my boss ask me something along these lines straight out: “How many outages and emergencies were caused by a security problem this past year? And how many by bugs, network failures, broken disks, bad configurations, etc.?” And of course, he had a very good point. More and more I feel like there’s too much focus on the “sexy, new, bang for your buck” security problems (how to exploit brainfuck programs running on Zytel PX82 processors) and too little on fundamental problems. I also suspect that many security professionals have no idea of the amount of effort it takes to run a big network: ensuring backups, uptime, performance, quick deployment, etc.
Security is a classical FUD market. Good managers are right to downgrade its importance in the face of all the other things they need to manage.
How many murders are there compared to accidental deaths? How many people play real bumper cars with their vehicles, as opposed to outright accidents? How many lost objects are there compared to actual intentional thefts?
I like that the NY Times has brought this topic up, but it certainly is not novel. We just got caught up quite a lot in conspiracy theories of high-powered, financially motivated hackers bringing down our little wiki…only to find out someone rebooted that system by accident and didn’t start the service back up properly, or something. Complex systems can fail complexly, but everything can fail simply.
(I am, however, still convinced the Skype incident was truly a security incident and not a freak spike in systems rebooting which brought down the whole system…)