Cyber-security's dirty little secret: It's not as bad as you think
According to 'research' using 'relatively poor data'
A bug's life
An interesting one is zero-day vulnerabilities which Jardine compared against the growth of a number of different factors including number of websites, number of email users and number of internet users.
In absolute terms, the number of zero-days holes in client and server software has risen almost every year, and it has also risen, albeit far less sharply if you consider the growth in the number of internet users, but it has declined slowly if you consider the number of websites.
That's an apples and oranges comparison: what has the number of software vulnerabilities got to do with the number of websites?
Well, Jardine argued, as you add websites to the internet, you introduce more software powering those websites to the world – from web apps to underlying technology, such as OpenSSL to perform HTTPS connections. And more code means more bugs, and that means potentially more security vulnerabilities. The report states:
The best measure to normalise zero-day vulnerabilities around would be the number of software programs used in the world, the data for which does not exist.
Nevertheless, since zero-day vulnerabilities are weaknesses in computer code, the normalisation that makes the most sense is the number of zero-days per 1,000,000 websites, since websites rely on a growing number of software platforms (think of the Heartbleed zero-day exploit in Secure Sockets Layer [SSL] in 2014).
In the interest of presenting the broadest possible story, the number of zero-day vulnerabilities normalised around the number of Internet users and email users are also included (both proxies for the number of potentially vulnerable devices operating various pieces of software).
Well, er, um, if you say so. And Heartbleed affected OpenSSL, not all of SSL.
Conclusions and what to do
Despite his best efforts, Jardine does admit that he was forced to use "relatively poor data". How come? "An irony of cyber security research is what we live in an age of big data, but very little of this data on cyber security trends is actually publicly available."
In other words, there's not a lot of concrete information, companies keep schtum about what happens on their networks, so the number of actual security breaches is almost certainly far higher.
As for what to do, the report lists a number of policy suggestions, including:
- Focus on the individual: people are still the weak point in systems.
- Use open-source software: Microsoft is not going to like that one.
- Force law enforcement and national security agencies to disclose zero-day exploits faster: Ha! Ha! Ha! Ha! Ha! Good one. That's going to happen.
- Draw up new international agreements on spam, phishing etc: this have been in the works for god knows how long.
- More training: Of employees.
- Get Norton, Symantec, Kaspersky et al to report in terms of normalised figures rather than absolute or year-on-year: What?! And stop scaring people into buying our products? Are you crazy?!
For more, read the full report here [PDF]. ®