Tuesday, August 15, 2017

"Security doesn't matter" & ethereum hacks

In the early 2000s, there was a famous article titled "IT doesn't matter". At the time, this was considered preposterous. It caused a lot of controversy, and I remember having several discussions about it until I realised people had not read the actual article.

Its thesis was very simple: IT doesn't matter because it had become a basic function, such as HR. IT was no longer a competitive advantage. IT was a "vanishing advantage".

Security doesn't matter.
Just like IT, Security & Privacy is never an end in itself, but a means to reach a goal. The goal, put simply, is the mission of the organisation. For the vast majority of companies, Security is, and has always been, more of a license to operate:

  • because its customers so require
  • because there are regulations to comply with
  • because it keeps the business running
Few businesses see Security as a need in the way they see capital. Banking is one such sector. Banks typically do not care about ISO 27001 certifications because the business case for Security is intrinsic.

Security does not matter because it is becoming less and less of a competitive advantage. It is a necessary need (so to say) to do business, and hence is becoming essential in the same way as HR or Sales. More interesting is that Security is stepping into the customer front. To give an example, half of my time is spent not doing security as such, but speaking to customers who want to be reassured that we have good practices. Nowadays, for many, simply having an ISO 27001 certification is not enough. One has to show evidence of practices.

So the Ethereum hacks.
Considering this, it is simply surprising that an Ethereum ICO could be hacked like this. Was there not USD 2k to get some advice and implement, for example, stop-gap measures?

As Bruce Schneier says, the problem is not the smart contracts technology but rather the ecosystem around it.

Then another one, now with a small difference: they are an established wallet (browser integration) company and, my guess, almost everyone there is a software developer. This typically creates an environment of sloppy security, since Security is seen as a technical challenge such as password entropy. Security is much, much more. Browse their website -- do we see anything about Security?

Yes, we do, after 19 July. Is there a security statement explaining what lessons they learned? No. What do they do? They set up a bug bounty. Because Security is all about buffer overflows, 512-AES and WAFs, innit?

One of these days I will sit down in front of a pint and write "The Manual Securitist" -- how to fully protect and certify an organisation using only manual/human controls. I hope I never have to do this, but I am fully convinced that all, say, CIS-20 or PCI/DSS controls can be implemented, to a large extent, with technology of the 1960s.
