Security News Roundup: The Demise Of The Human

With the US version of the RSA conference in full swing this week, we’re pleased to be able to present some signal despite the noise.

It turns out that China is being hacked by the US. There, we said it. As they say, it takes two to tango, so we presume this comes as no great surprise to anyone. Except for governments outside of the US and China, who are no doubt feeling a little “hacker envy” right now. Don’t worry, one of the big guys will get round to you eventually.

The age-old “my system is more secure than your system” arguments still rage on. In the latest twist to this interminable, intractable and possibly uninteresting discussion, a Microsoft partner has claimed that Microsoft software is better patched than Linux software, under certain circumstances, with consideration given to other factors. All we can say is that we absolutely agree with that finding. Whatever it was.

Anyway, non-patches are not the only threat to security. Encryption experts agree that the current trust-based system of Certificate Authorities (the entities who digitally vouch for the authenticity of millions of web servers) is not working as well as hoped, and should be replaced. Apparently, we need a system where people can choose who to trust. In other words, replacing one system that fails due to fundamental human weakness with one where humans can make even more uninformed choices. That should work like a charm.

Speaking (indirectly, at least) of Achilles and his infamous heel, the word of the week is “sisyphean”. Of course we didn’t have to look it up; we instantly recognised that other Greek mythological reference which equates the task of doing proper security with the task of repeatedly pushing a giant boulder up a hill only to watch it roll back down again. Many readers will no doubt identify with that job description. Have no fear, help is at hand.

In the future, big data analytics and advances in machine learning will decide on our behalf what is friend, and what is foe. We simply don’t need to get involved. Perhaps the encryption experts we mentioned earlier have got it wrong – we shouldn’t be permitted to make trust-based decisions; as a species we’re simply not evolved enough to spot digital predators. A sobering thought, for sure.

But then, whilst we’re in the mood for classical references, Quis custodiet ipsos custodes? (Who watches the watchmen?)

Useful links:

Get the most from GDPR penetration testing

Sample PCI DSS Penetration Testing Policy

Sample PCI Penetration Testing Procedures
