One of the most trenchant observations in infosec comes from one of Richard Thieme's old Blackhat keynotes. He quoted Robin Roberts saying, in effect, that security systems are built up on assumptions, but you cannot go back after the fact and query the system about the assumptions that were made when it was built.
That's pretty problematic, because the world has a pesky habit of changing in ways that render formerly good assumptions invalid. A classic example from the last decade is back office systems that were connected to the web. The back end system had its own security model that presumed it lived inside a controlled corporate network; then one sunny day someone decided to hook it up to a web front end. Voila, the formerly isolated back end now has to deal with threats that were never factored into its original plan.
Security is in large part determined by attacker interest in a target. The general trend is that as more valuable assets become digitized and networked, more of these assumptions about isolation or "who would hack that" diverge from the real world. Hacks like Target are in the news today; you'd think that people would assume a networked payment system would be targeted. But I can recall many conversations with people who assumed their own payment network was "isolated." Similar assumptions underlie the shoddy security in SCADA.
Unfortunately, we're replaying the same movie right now with the Internet of Things, where many systems have security as an afterthought.
Mobile is a similar situation. Someone knowledgeable chided me the other day: "where are all the Android attacks?" It's true that even though mobile defenses are pretty weak in general, we do not see much yet, but first the mobile ecosystem needs valuable targets for attackers to go after. Businesses are moving aggressively to mobile, meaning they are creating more value for attackers to go after on mobile platforms. So the fact that mobile platforms have weak defenses doesn't get exposed until there is an interesting enough set of targets there. The driver is not technology, it's the value chain: on the business side and on the attacker side.
The conclusion I draw is that successful systems will be attacked. If you are building a system today, you should assume it's going to be successful; otherwise, why build it? Don't wait to see if it's successful and then try to jam in a security model later: retrofitting security is expensive and risky. If it's going to be successful, it will eventually attract attacker attention, and so building security in is a must.