People, it is often said, are the weak link in computer security. It's people falling victim to a myriad of social engineering techniques that help evildoers overcome technical defenses, leading to data breaches.
Yes and no.
It is true that stupid human tricks lead to a disturbing number of system compromises, but as Veracode points out in its annual State of Software Security Reports, the failings of humans when it comes to security start much, much earlier.
tl;dr – Most code sucks when it comes to security. This should come as no surprise to anyone who has been involved in security longer than a day. What’s surprising is that most code written for security products is just as bad as that of run-of-the-mill applications. In the words of Veracode:
We don’t need more security software. We need more secure software.
How do we fix this (if that’s even possible)? People have proposed licensing and certification schemes before, but none of that is likely to occur as long as industry believes there is a talent crunch. Bugs are quite literally as old as software itself so it is unlikely at this late date that the world will turn on a dime and start worrying about quality.
Once again, as mere users of computer technology, you have one realistic hope when it comes to dealing with digital threats: preparation.
Every product you use works to a degree; once that degree is reached, failure is inevitable. You will get hacked because someone who knows more about your own systems than you do will find the flaw that leads to unauthorized access, and then they will exploit that access to maximum effect. This effort will cost them hours and dollars; you will suffer for weeks, and it could cost you millions because you have not adequately prepared for the inevitable. Yes, you have a plan: it's sitting in a giant three-ring binder in the corner, holding open the door. The last person who read it was the guy who put it together, and he left three years ago. That's preparing to fail.
We know when things you’re running fall victim to attack. We’ll tell you faster than anyone else, and give you a way to deal with the problem to boot. We’ll do this in a way that is unobtrusive and has no discernible impact on system performance. Take a few minutes to find out just how much better life with a Red Canary hanging in your office can be.