Security 3.0, What the?

By Nathan Statz

August 14th, 2007: Security 3.0. What is it? Will it be useful? How do we get there? News from the Gartner IT summit in Sydney helps find the answers.

Whilst Security 3.0 makes it sound like we have entered a new era of threats and security issues, the reality is that security is still stalled in the same place it started. The bad guys send in the malware and the security specialists respond to the threat in a “never ending game of whack-a-mole”, said Rich Mogull, research vice president at Gartner. Security 3.0 is about preventing the threats before they land, not reacting to them after the fact; after all, “nobody really wins whack-a-mole”, Mogull said.

Considering most organisations have only just started coming to terms with the idea of security 2.0, you could be forgiven for being skeptical. In its simplest form, Security 3.0 is just a trendy label attached to the next evolution of security. Given how important security is to just about every organisation on the planet, the real focus should not be on what to slap a point 0 on, but rather on what the future of web security actually holds and what to look out for.

When referring to security, the popular catchphrase has always been that security is a journey, not a destination. In reality security may be a journey, but it needs to have destinations along the way, Mogull explained. Organisations need those destinations to evaluate how successful their security strategy is and whether they should continue down that path.

The fact that we have reached the stage where a term such as Security 3.0 even exists highlights how out of control the conflict between malware propagators and security firms has become. According to Mogull, this has led to an incredible arms race developing between the two sides. Security specialists strike by becoming faster at responding to threats; malware propagators then adapt by releasing multiple attacks at once and refining their targeting to zero in on a particular program. This whack-a-mole approach escalates the conflict without preventing the problem.

When you think of internet security, it is common to envisage nasty hackers and spammers as the biggest threat; they are, after all, the bad guys in the game. The reality is quite different: the threats posed by the bad guys stirring up trouble are nowhere near as severe as the threats that originate inside the company itself. “Your own web browser is the biggest threat to your organisation”, Mogull said, going on to point out that “the risk is staggering”.

Indeed, one of the more dynamic threat areas is employees logging into the corporate network remotely from unsecured home or internet café locations, where users are much more vulnerable. This is in addition to the threats from web-based applications and even locally hosted ones: “the only reason we need firewalls is because the rest of our software stinks”, Mogull said.

To some people, Security 3.0 may seem applicable only to software vendors, yet how many organisations can say that they offer no third-party services whatsoever through their website? It could be simple advertising, information or any kind of web-based interaction; in effect, “We are all software vendors and we all need to adopt secure practices”, Mogull said.

According to Mogull, the problem with current security practice also exists at an educational level. Computer science degrees do not require any security classes for completion; security subjects are entirely elective and can be skipped altogether.

Security 3.0 may be a term that people are reluctant to adopt, but the reality is that the malware war is locked into endless escalation. The only hope in sight is to adapt and drive change towards a new outlook and new methods that prevent security issues from occurring, rather than waiting for the next mole to appear so you can whack it with everything you have got.
