Home / Blogs

Why I Wrote ‘Thinking Security’

I have a new book out, Thinking Security: Stopping Next Year’s Hackers. There are lots of security books out there today; why did I think another was needed?

Two wellsprings nourished my muse. (The desire for that sort of poetic imagery was not among them.) The first was a deep-rooted dissatisfaction with common security advice. This common “wisdom”—I use the word advisedly—often seemed to be outdated. Yes, it was the distillation of years of conventional wisdom, but that was precisely the problem: the world has changed; the advice hasn’t.

Consider, for example, passwords (and that specifically was the other source of my discomfort). We all know what to do: pick strong passwords, don’t reuse them, don’t write them down, etc. That all seems like very sound advice—but it comes from a 1979 paper by Morris and Thompson. The world was very different then. Many people were still using hard-copy, electromechanical terminals, people had very few logins, and neither defenders nor attackers had much in the way of computational power. None of that is true today. Maybe the advice was still sound, or maybe it wasn’t, but very few people seemed to be questioning it. In fact, the requirement was embedded in very static checklists that sites were expected to follow.

Suppose that passwords are in fact terminally insecure. What the alternative? The usual answer is some form of two-factor authentication. Is that secure? Or is two-factor authentication subject to its own problems? If it’s secure today, will it remain secure tomorrow? Computer technology is an extremely dynamic field; not only does the technology change, the applications and the threats change as well. Let’s put it like this—why should you expect the answers to any of these questions to remain the same?

The only solution, I concluded, was to go back to first principles. What were the fundamental assumptions behind security? It turns out that for passwords, the main reason you need strong passwords is if a site’s password database is compromised. In other words, a guessed password is the second failure; if the first could be avoided, the second isn’t an issue. But if a site can’t protect a password file, can it protect some other sort of authentication database? That doesn’t seem likely. What does that mean for the security of other forms of authentication?

Threats also change. 21 years ago, when Bill Cheswick and I wrote Firewalls and Internet Security, no one was sending phishing emails to collect bank account passwords. Of course, there were no online banks then (there was barely a Web), but that’s precisely the point. I eventually concluded that threats could be mapped along two axes, how skilled the attacker was and how much your site was being targeted:

Your defenses have to vary. Enterprise-scale firewalls are useful against unskilled joy hackers, they’re only a speed bump to intelligence agencies, and targeted attacks are often launched by insiders who are, by definition, on the inside. Special-purpose internal firewalls, though, can be very useful.

All of this and more went into Thinking Security. It’s an advanced book, not a collection of checklists. I do give some advice based on today’s technologies and threats, but I show what assumptions that advice is based on, and what sorts of changes would lead it to change. I assume you already know what an encryption algorithm is, so I concentrate on what encryption is and isn’t good for. The main focus is how to think about the problem. I’m morally certain that right now, someone in Silicon Valley or Tel Aviv or Hyderabad or Beijing or Accra or somewhere is devising something that 10 years from now, we’ll find indispensable, but will have as profound an effect on security as today’s smartphones have had. (By the way—the iPhone is only about 8 years old, but few people in high-tech can imagine life without it or an Android phone. What’s next?) How will we cope?

That’s why I wrote this new book. Threats aren’t static, so our defenses and our thought processes can’t be, either.

By Steven Bellovin, Professor of Computer Science at Columbia University

Bellovin is the co-author of Firewalls and Internet Security: Repelling the Wily Hacker, and holds several patents on cryptographic and network protocols. He has served on many National Research Council study committees, including those on information systems trustworthiness, the privacy implications of authentication technologies, and cybersecurity research needs.

Visit Page

Filed Under

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Comments

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

Related

Topics

Cybersecurity

Sponsored byVerisign

Domain Management

Sponsored byMarkMonitor

IPv4 Markets

Sponsored byIPXO

Brand Protection

Sponsored byAppdetex

Domain Names

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API