Too much focus on vulnerabilities and their impact is leading information security into a slow death.
Speaking in the keynote address at 44CON in London, security researcher Don A. Bailey said that while “we’re getting good at reducing problems and addressing problems, information security is dying a death it has earned.”
Focusing on bugs and vulnerabilities, Bailey said that his initial perception of information security was about reducing risk for consumers, but that perception was “so off base as all we do is talk about bugs but we are blind to what they mean and are composed of.”
“We see new technology coming out, the punditry reel starts spinning with a cool new 'whatever' and we ignore technology and where it comes from and how it is sold and what manufacturing looks like, and we ignore the engineers that put effort into building the technology.”
Calling the concept “bug fetishizing”, Bailey pointed at the Blueborne vulnerability, which has received fresh attention this week after Microsoft issued a patch for it. Bailey argued that while the bug is massive, it has been around for a while and it is super easy to remediate.
“People use it to raise money and we see it in the community all the time and not only by start-ups, but to raise money creating an environment in how cool a vulnerability is,” he said.
“I get a bit tired of hearing about these issues over and over as there is nothing new about Bluetooth vulnerabilities, it is the same old crap as we found a couple of years ago. This is nothing new and not pushing things forward.”
Bailey highlighted what he called the “romantic nature of bugs” and their “reproduction”, saying that we “see vulnerabilities in the wild and they are reproduced a million times” which is not reducing vulnerabilities in any way.
He also said that we take extremely small issues and blow them up, and that we focus more on intricate vulnerabilities than on the defenses against them.
“Finding bugs that are useful is a great thing, but doing something with it is another thing; we want real models in information security and IoT that we can resolve.”
Bailey concluded by saying that information security is in a worse state than 10 years ago, and 10 years ago there were probably 10 consultancies and now, only a few organizations are doing groundbreaking research.
“Companies say they specialize in information security but outsource for skills and don’t feel like paying someone for expertise when they can hire, with reputable universities pumping out graduates with information security degrees. It is true we need more people but who needs them: consultancies who break ground, or companies who need more people – a fraction of a % are doing groundbreaking research and that is why information security is dying.”