Don’t expect easy answers from security expert Bruce Schneier about improving Internet security and protecting your identity. The widely read and quoted author and CTO of Counterpane Internet Security is known for his straight talk.
But if you can handle a dose of reality medicine, read on. Schneier recently took questions from internetnews.com about the ongoing security problem.
Q: Let’s start with your essay “Why Two-Factor Authentication is Too Little, Too Late.” You say the method is no match for today’s active network attacks, such as man-in-the-middle attacks and Trojan attacks. But surely it’s better than static passwords?
For some applications — employees accessing corporate resources, for example — two-factor authentication is a huge improvement over static passwords. But it’s not going to prevent fraud or identity theft if banks distribute tokens to their customers and mandate their use for Internet banking. The problem is that the current criminal attack techniques will work regardless of whether tokens or biometrics are used or not.
Q: So let’s talk about solutions to these threats. What can be done to protect the user in these scenarios?
It’s subtle, but I think we need to stop focusing on authenticating the individual and concentrate on authenticating the transaction. Look at credit cards. User authentication is minimal. I can buy things with a credit card over the phone. Merchants barely look at my signature when I present my card in person. Fraud prevention and detection is all about the transaction.
Q: Do you bank online? If so, do you find this secure?
I do not bank online.
Q: Readers will want to know why. Do you recommend that people don’t bank online because of the security issues you just outlined?
I don’t bank online because the value isn’t worth the risk. There’s not a lot of banking I need to do online, so I’m not giving up much. And to be able to say to my bank: “I’ve never logged on to your Web site” seems like a good idea if someone starts moving money around in my name and the bank blames me. The details are in my essay.
Q: Can you expand on the concept of Managed Security Services?
The problem with security products, whether they are firewalls, IDSs, or anything else, is that they’re complicated. They’re hard to install. They’re hard to manage. And in order to be effective, they need to be monitored 24x7. Without the expertise to do all of that, the products aren’t going to provide much security. The fundamental idea behind Managed Security Services, particularly Counterpane’s offerings, is to make security products work.
Organizations simply don’t have the expertise on staff to do it themselves, and couldn’t do it themselves cost-effectively even if they wanted to. There are a lot of great security products out there, but they’re not providing much security. Managed Security Services is the only reasonably priced way to change that.
Q: During your appearance at the recent RSA Security conference, you said software vendors don’t feel the pain of their customers and that the disconnect needs to be addressed. How?
The problem is what economists call an “externality”: a cost that’s external to the economic decision. Right now, software insecurity costs our economy billions of dollars, but software vendors don’t pay that cost. So, decisions about how much effort to put into security — decisions that the software vendors make — don’t have those costs factored in.
The way to fix an externality is to make it internal: to make the software vendor feel the costs. This can be done through liability or regulation, and the relative mix you prefer will depend on your politics.
Software vendors are not charities, and can’t be expected to improve security out of the goodness of their hearts. I am a strong believer in the power of market forces. Once we deal with the externality, software vendors will figure out how to make their products more secure. I have written about this here.
Q: Is it too late to improve our security? By that I mean, once your information is “out there” and digitized, there’s the write-once repeat-many factor spreading it, and not much you can do.
It’s never too late to improve security. Of course some information is already stolen, and you can’t undo that. But you can make it less likely that stolen information can be used for fraud; more likely that those who have stolen the information are caught; less likely that stolen information is passed around; and more likely that new information is not stolen in the first place.
Q: What would your advice be to corporations that deal in customer information? Lawmakers? Consumers?
We live in a Wild West when it comes to personal information. There is no serious regulation. I wish I could advise corporations to protect the personal information in their care, but I don’t expect companies to act as charities. My advice to lawmakers is much, much more complicated. For one, we need a data protection law like Europe’s. (Lawmakers won’t do this, though; they get too much money from corporate interests opposed to such a law.)
And people need to understand that neither the law nor the corporations are on their side, and they’re on their own.