#RSAC By Jeremiah Grossman, CTO, WhiteHat Security
To list out the number of website breaches, DDoS attacks and privacy faults that have been unearthed over the last year would take as many words as this blog post on its own. The shocking number of high-profile data losses shows just how much the security landscape has shifted in the last two years, and, yet, many are struggling to find the right answers to the age-old problem of “How do we protect what we value?”
The problem lies partially in how humans approach their own safety. We place trust in things that presumably protect us – we’ll call these things the protectors – but when those protectors are shown to be insufficient, our nature is to refuse to believe that our safety could be so compromised, and to block those issues from our minds.
This is particularly true for the Internet security industry, where 15 years of past technology have formed deep roots in people’s mental picture of the Web without informing them of today’s threats.
Good examples are the recent hacks of Certificate Authorities including Comodo, DigiNotar, KPN, VeriSign and others, in which some of the Web’s most trusted gatekeepers lost their exclusive control over the issuance of authentic SSL certificates. Despite the fact that these are some of the most well-known Internet security companies today, many people continue to soldier on, overlooking the flaws that caused the breaches, because we want to hold onto whatever seemingly makes us more secure simply because it is familiar.
The slightly naïve way in which we continue to approach the Internet and its many landmines has led me to the conclusion that we need to thoroughly adjust how we as people approach security. As they say, education is the greatest democratizer and empowerment tool one can receive; it would seem that one of the best strategies the security industry needs to implement is programs that give the public a better understanding and awareness of what today’s security really is.
By educating the public on where these numerous breaches stem from and on the forms attacks can take, people will be more inclined to question how we can make the Internet work more safely and better, rather than simply accepting that they will keep losing data for as long as the Web exists.
</gml_replace>
<gr_replace lines="8" cat="clarify" orig="For too long security">
For too long security has been packaged in acronyms, portmanteaus and code handed to the public with little explanation or insight beyond “We’ve got you covered.” By breaking down those linguistic barriers and truly informing the public of what security processes and actions are, not only will people gain a better understanding of the security landscape, but they will be able to ask more of the right questions of the businesses they choose to associate with, and demand that the right actions are taken so that their personal data is less at risk.
For too long security has been packaged in acronyms, portmanteaus and code that have been given to the public with little explanation and insight other than to say “We’ve got you covered.” In breaking down those linguistic barriers and truly informing the public of what security processes and actions are, not only will people gain a better understanding of what the security landscape is, but they’ll be able to ask more of the right questions of the businesses they choose to associate themselves with and demand that right actions are taken so that their personal data is less at-risk.
This concept will also invite a much more transparent and accountable dialogue between businesses and the public. Surely this would be an incredibly tough transition for businesses to make, but, in the end, this is a better type of relationship for building trust than any other, particularly in a world of seemingly endless data breaches. And after all, we have a vested interest in keeping the Internet alive, so why not work to make it better while we’re at it?