In our industry, we are used to most things steadily improving. Languages, CPUs, frameworks, etc. are all getting better all the time. But when it comes to Internet Security, the picture isn’t so clear.
I am conducting a poll on Twitter asking “Is Internet security getting better or worse?”
79% of the responses so far are saying Internet security is getting worse rather than better. Is this true, or is it just our perception?
Update: BBC Panorama has released an episode called How Hackers Steal Your ID – its conclusion agrees with the poll results that hacking is getting easier and security is getting worse.
Reasons to believe Internet Security is getting better
- Modern browsers offer much better protection than older ones. They warn users about TLS certificate problems, weak cryptography and phishing sites, block many reflected cross site scripting (XSS) attacks with their built-in XSS filters, and make some cross site request forgery (CSRF) attacks harder to carry out, all before the attack reaches the user. As users upgrade to the latest browsers, they benefit from all of these protections.
- The Open Web Application Security Project (OWASP) has raised, and continues to raise, awareness of security vulnerabilities and how they can be mitigated.
- There is a wide range of Internet security products with basic versions available for free, so even the most thrifty users have no good excuse not to have some security software running on their PCs and devices.
- Spam filters have improved in recent years, so most spam now goes straight to the junk folder where it belongs.
- Modern web application frameworks offer much better defenses against XSS and CSRF attacks, for example templates that escape output by default and CSRF tokens that are checked automatically. As developers move their legacy applications to these newer frameworks, addressing these vulnerabilities becomes much easier.
- Education on basic Internet safety, such as using strong passwords and not reusing the same password on multiple sites, is now very common, and awareness is (in my opinion) increasing.
- Sites such as Plain Text Offenders and XSSposed help to promote better security by publicly calling out sites that get the basics wrong.
- Security companies have a financial incentive to keep people afraid of security risks, so they might be exaggerating some claims. The range of estimates is large, so we can't rely on any single estimate too much.
Reasons to believe Internet Security is getting worse
- The amount of data stored online is growing exponentially, which means the amount of information that can potentially be stolen is also growing exponentially.
- Hacking tools are getting increasingly sophisticated and easier to use, meaning even script kiddies are becoming more and more dangerous.
- The Internet of Things is in its infancy, and already there have been many serious breaches. As just one example, Shodan now has a category of unsecured cameras that includes feeds of sleeping babies.
- We are heavily reliant on software that developers use without taking the time to understand it. Heartbleed, a bug in OpenSSL that sat in a library almost everybody depended on, was perhaps the worst bug of all time, yet developers continue to add software to their stacks on the blind assumption that it is bug free.
- This year, the Hague Centre for Strategic Studies reviewed 70 different reports on cyber security and found “One thing almost all reports agree on: cyber attacks are on the rise.” It concludes this is partly due to an increase in cyber activity and reporting itself, with estimates of the growth in the number of cyber attacks ranging from a few percent to a tenfold increase.
- The rapidly increasing use of Bitcoin as a currency has created new avenues for stealing large amounts of money online.
- It’s hard to know what to say politely about this recent shocking story, which concludes with “in today’s day and age, security on the web simply isn’t taken seriously enough.” (Forbes story here).
- I recently interviewed 7 candidates, with between 4 and 20 years of experience, for a web application programming job. I included two or three security 101-type questions as part of the interview. While most had some understanding of SQL injection, the majority could not explain how to prevent cross site scripting attacks. If these candidates are representative of web application programmers in general, then this implies that the vast majority of web application programmers do not have a good understanding of the top 10 risks, much less the full range of security risks.
- In 2014 McAfee reported that a conservative estimate of annual cost to the global economy from cybercrime would be $375 billion in losses, while the maximum could be as much as $575 billion.
- The recent breach at TalkTalk has shown that SQL injection is still a problem even for large companies with millions of users.
- This year's Cost of Data Breach Study by the Ponemon Institute found that the average consolidated total cost of a data breach is up 23% since 2013, and that the cost incurred for each lost or stolen record containing sensitive and confidential information increased six percent, from a consolidated average of $145 to $154. It also found that the average annual cost of cybercrime for US retail stores more than doubled from 2013 to an average of US $8.6 million per company in 2014.
- Also this year, PricewaterhouseCoopers reported in its Global State of Information Security Survey 2015 that detected information security incidents have risen 66 percent year over year since 2009. That is, there were around 3 million incidents reported in 2009 and more than 40 million reported in 2014. If this trend continues, there will be around 110 million incidents in 2016.
- Norse Corp's live attack map shows that the rate of attacks around the world is very high and not slowing down.