Failures of Information Security: Observing the World and Asking Why

By Adam Shostack and Andrew Stewart, Addison-Wesley Professional |  Security, data breach, information security

When confronted with computer crime, it is hard to shake the impression that information security is failing. It can seem that these failures are everywhere, filling our electronic world with spam, computer viruses, and identity theft. Even worse, these problems seem to increase even as we spend more time and money on security. We might expect that a rise in electronic crime is a natural result of the world’s becoming increasingly electronic. As money and influence move online, so do crime and vandalism. But as crime and vandalism move online, so must security. Ideally, security shows up first and allows us to preempt problems, but that seems to be a rare occurrence. It is often easier to experiment with and build software without security features, so they tend to get added later or not at all. The design of security measures can also cause frustration by getting in the way of the wrong things, so people seek to minimize such features.

But information security matters; it is important. It matters to companies and their shareholders. It is of great importance to the general public, whose personal data is stored by the companies and organizations with which they interact (and by some with which they don’t). We all hope our private files and email correspondence remain secure. The security industry and security professionals are the guardians of that personal information. They seek to frustrate bad guys such as Y’nin and his ilk by employing standard ways of working and by deploying security technologies. Unfortunately, these efforts have not always been successful.

This chapter delves into some of the most apparent failures of information security. These topics often have a nuanced history. By discussing them in detail, we lay the groundwork for the first half of this book, in which we analyze the myriad factors that have allowed such failings in information security to occur. In the second half, we build on the sum of these observations to reveal what we believe must happen to improve the state of information security in the world, how those changes can be made, and who is in a position to make them. Everyone will benefit from these changes, from multinational corporations to individual consumers.

Many books about information security focus on an idealistic notion of what security should be, or they approach security problems from a purely mathematical or technological perspective. Our approach is to begin by looking at the state of the world and trying to understand why it is the way it is. We believe that only through a balanced, well-rounded understanding of the nature of problems can we begin to design solutions that are both effective and efficient. We begin our discussion with a widely visible failure of information security.
