[attrition] Outgunned: How Security Tech Is Failing Us
security curmudgeon
jericho at attrition.org
Mon Oct 11 17:42:13 CDT 2010
http://www.informationweek.com/news/security/antivirus/showArticle.jhtml?articleID=227700360

Outgunned: How Security Tech Is Failing Us

Our testing shows we're spending billions on defenses that are no match
for the stealthy attacks being thrown at us today. What can be done?

By Greg Shipley
InformationWeek
October 9, 2010 12:00 AM (From the October 11, 2010 issue)

Information security professionals face mounting threats, hoping some mix
of technology, education, and hard work will keep their companies and
organizations safe. But lately, the specter of failure is looming larger.

"Pay no attention to the exploit behind the curtain" is the message from
product vendors as they roll out the next iteration of their all-powerful,
dynamically updating, self-defending, threat-intelligent, risk-mitigating,
compliance-ensuring, nth-generation security technologies. Just pony up
the money and the manpower and you'll be safe from what goes bump in the
night.

Thing is, the pitch is less believable these days, and the atmosphere is
becoming downright hostile.

We face more and larger breaches, increased costs, more advanced
adversaries, and a growing number of public control failures. Regulation
and litigation have both increased. We're still struggling with the
expensive PCI initiative, an effort as controversial as its efficacy is
questionable--U.S. businesses continue to hemorrhage credit card numbers
and personally identifiable information. The tab for the Heartland Payment
Systems breach, which compromised 130 million card numbers, is reportedly
at $144 million and counting. The Stuxnet worm, a cunning and highly
targeted piece of cyberweaponry, just left a trail of tens of thousands of
infected PCs. Earlier this month, the FBI announced the arrest of
individuals who used the Zeus Trojan to pilfer $70 million from U.S.
banks. Zeus is in year three of its reign of terror, impervious to law
enforcement, government agencies, and the sophisticated information
security teams of the largest financial services firms on the planet.

[..]