Watch the 4-minute video above or on YouTube, or read the transcript below:
dotmagazine: How sensible is the goal of perfect security?
Perfect security is obviously an academic definition of where we need to go. In real life it's a lot harder to reach any meaningful level of security – as everybody who has ever worked in security can attest to. Companies who try to achieve perfect security are usually over-regulating their own organizations. They are trying to make the impossible possible and thereby slowing everybody else down.
Setting a realistic expectation around security is fundamental to managing security. If you have never been hacked before, chances are you are trying too hard not to use new technologies, not to ever take any risks – and maybe not get hacked. However, not taking any risks is worse than a hacking incident could have been.
dot: So, how can companies balance security and innovation?
To balance innovation and security, first you've got to be aware of your current security level. If you've ever done any kind of pen testing or red team hacking, you understand that hackers can break in within a matter of days or at most weeks.
Within realistic expectations, let innovators innovate. Don't artificially constrain their ambitions.
When bringing about innovation, you must not aim for anything much higher than that. If you know that you can be hacked within, let's say, a week, build all the new systems to withstand hacking to, let's say, two weeks but not beyond that. Don't ask for protection from quantum computers, don't try to defeat the NSA. Don’t try to make the impossible possible, don't boil the ocean. Set realistic expectations. And within those realistic expectations, let innovators innovate. Don't artificially constrain their ambitions.
dot: How can a company improve their security when dealing with legacy systems?
If you have never been hacked before, chances are you are trying too hard not to use new technologies.
Companies usually respond to the understanding that legacy is a problem by trying to switch off old applications, and that in my experience has never really worked. Even though you can build a new company just based on a few dozen applications, larger organizations have accumulated hundreds of applications, and in one way or another rely on these applications. So instead of trying to prune that sprawl of applications, they should:
- prune the sprawl of technologies,
- modernize older applications,
- move from multiple database technologies to a single database technology,
- aggregate their middleware choices,
- introduce good meaningful architecture – not just for new applications but
- retrofitted on old applications.
So keep whatever functionality you need, but modernize the technology basis. That's the best way, in my experience, to deal with those vulnerabilities that automatically arise from legacy.
Dr. Karsten Nohl is a crypto specialist. His research areas include the security of mobile networks, payment systems, and other critical infrastructures. He studied electrical engineering in Heidelberg, and did his doctorate on the protection of privacy at the University of Virginia.
Karsten is Chief Scientist at SRLabs, a risk-management think-tank in Berlin and Hong Kong. He researches emerging risks for critical data and infrastructure; often through the testing of relevant hacking methods at DAX30 companies.
Karsten Nohl spoke at the Internet Security Days 2018 in September, organized by the eco Association.
Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s own and do not reflect the view of the publisher, eco – Association of the Internet Industry.