Security & The Short Road To Legacy Systems

“Information security means working with how things are, rather than how you want them to be.”

We’ve all heard the apocryphal tale about the lost traveler asking for directions in a remote country village. You know the one: our traveler is hopelessly lost, the streets are empty. Just as his frustration seems complete, an elderly man comes along. “Thank goodness!” exclaims the traveler. “Can you direct me to Manchester road please?”

“Well, lad,” says the old man, rubbing his chin thoughtfully, “I wouldn’t start from here.”

Information security means working with how things are, rather than how you want them to be. This isn’t an excuse for poor security; rather, it’s an attempt to appreciate how challenging it is to get it right.

It was interesting to read one Gartner analyst’s comments on the recent $45 million ATM heist where prepaid cards were stolen and used to withdraw cash:

“When these payment systems were implemented and developed, no one thought about internet security and now they are accessible through the internet”

This is indeed true. Most card-based payment systems pre-date public internet usage. These systems are, for the most part, firmly in the “legacy” category. Everyone seems comfortable with the idea that legacy systems are inherently less secure because they were not designed to address modern security issues.

However, such views should not be used as a handy excuse when things go wrong.

But if it’s true, why not? Let’s go a little further and consider a much more recent addition, Bitcoin.

Bitcoin is a decentralised digital currency traded through a series of online exchanges. It does not use or require any financial intermediary such as a bank, and payments occur using a peer-to-peer model. Bitcoin is therefore an internet-only ecosystem where robust security has been built in from the ground up.

Why then, have there been numerous frauds and thefts involving Bitcoin?

“A legacy system is one that is in production”

Perhaps the deeper answer lies in defining what a “legacy” system is. The best definition we’ve ever heard is “a legacy system is one that is in production”. In that case, both Bitcoin and older, traditional systems are legacy systems.

In fact, every system is a legacy system, complete with all the ensuing security issues, both known and unknown. The ongoing challenge is therefore to continue to assess and react to an ever-changing security landscape, no matter how well we think we’ve done in the past, or how resistant we think we are to attack in the present.

It is often said in our industry that security is a journey, not a destination. We can only continue that journey from where we are now.

 

Useful links:

https://www.ambersail.com/penetration-test-versus-vulnerability-scan/

https://www.ambersail.com/blocking-your-penetration-tester/

https://www.ambersail.com/gdpr-now-the-dust-has-settled/
