15 Feb 2006
Computer security is getting worse as penny-pinching firms put economics before the development of secure technology, according to Bruce Schneier, a renowned security specialist and the founder of Counterpane Internet Security.
"I think in general things are getting worse, not better," Schneier told delegates during a session at the RSA Conference in San José.
"There are lots of little victories. Spam is one of our industry's shining victories, but there are lots of areas where we aren't doing very well."
Software vendors lack any incentive to pay attention to security when they create their products, according to Schneier, and buyers are generally unable to determine the level of insecurity when they evaluate products.
This leads them to buy the cheapest product available on the market, which in turn forces developers that do emphasise security to lower their security levels in order to compete.
The security sector is using technology to address the poor state of computer security. But technology is becoming less relevant now that networks have become an attractive target for criminals who have a strong incentive to exploit security vulnerabilities for financial gain, Schneier warned.
Security providers can create anti-spyware and security filtering software, but these applications are useless if consumers do not install them, he added.
"The fundamental driver in computer security, in all of the computer industry, is economics. That requires a lot of re-education for us security geeks," said Schneier.
The solution is to create economic incentives to improve computer security. "Make the entity in the best position to mitigate the risk responsible for the risk," he argued.
There are several ways to shift that responsibility, according to Schneier, but legislation and regulation are usually needed.
Requiring credit card providers to pay for fraud, for instance, has caused them to implement numerous security technologies and policies for merchants.
In the UK, meanwhile, Schneier pointed out that banks have done very little to tackle ATM fraud, because legislation makes consumers, not the institutions, responsible for fraud.
A long way to go
In fact, from Day 0 of the system development project, security and compliance requirements are mandatory to attach. However, it may be applicable in those in-house system development projects. For commercial software, there are no rules or simple regulations for such a kind of practice. Adopting security control practice is a kind of bonus. I agree with your point that the liability and accountability should be put back on the "System/Software Owner" (i.e. software vendor/manufacturer) instead of the buyer. Frankly speaking, the system/software ownership concept is commonly weak within or outside the enterprise.
Posted by: Anthony Lai 22 Feb 2006