Security industry runs aground

The IT security industry is unable to cope with cybercrime and needs to come up with a better way of protecting customers.

Eugene Spafford, a computer security expert and professor of computer science at Purdue University, said that the security industry is just adding layers of defensive technologies to protect systems.

However, that approach can't deal with the most substantial, underlying problems that sustain a sprawling cybercrime syndicate.

Talking at the FIRST security conference in Boston, Spafford said that software makers continue to churn out products riddled with vulnerabilities, creating an incessant patching cycle for IT administrators that siphons resources from more critical areas.

He said that the problem was so bad that today businesses are rushing to invest in many of the latest security technologies designed to detect infections without any ability to efficiently fix them.

Instead of building secure systems, they are getting further and further away from solid construction by putting layer upon layer on top of these systems.

Spafford said the industry had shifted to vendors pushing products out rather than getting things right the first time.

Poorly coded software combined with growing network complexity has increased the attack surface at many organisations, and it is taking its toll financially, said Spafford.

Spafford, who is famous for analysing the Morris worm, one of the earliest threats to the internet, said that there are 220 million known malware families or instances of known malware, and that the number is increasing by 52 million a month.

Threat detection hasn't improved much: malware remains on systems for months and often isn't uncovered until after criminals have pilfered systems containing intellectual property and other sensitive data.

Security vendors produce inadequate security platforms designed to protect software riddled with holes, Spafford said.

Coppers were inadequately equipped and stymied by criminal gangs in countries where bribery earns them protection from the government, Spafford said.

He called for an investment in computer programming education and a move by software manufacturers to embed software security concepts early into the development process.