Older research that has not fixed general problems should not be forgotten in the face of new challenges.
Speaking to SC Magazine, James Lyne, global head of security research at Sophos, said that older research is often left and not completed in favour of new and exciting research, meaning that old problems do not get fixed.
Lyne said: “We as a community need to talk about older problems. It is a problem in the industry as people really want to talk about what is news and I want to show the community that we need to focus on fixing stuff.”
Focusing on WiFi security, Lyne said that “some of this stuff is five years old but security researchers are all about the new and the latest trends”. He called on the security industry to learn and recover old security topics, especially as it is so easy to lose touch with the man on the street.
“We have to find ways to dress up old problems, but not to the detriment of the public. New technology that focuses on processes is all well and good, but we need to bring that back to enable users to put trust in technology,” he said.
In research conducted that involved him 'warbiking' last year in London, Lyne found of almost 107,000 wireless hotspots in the capital, eight per cent used no encryption, 19 per cent of the hotspots used WEP encryption, while the other 81 per cent used WPA or WPA2 encryption. In research from late 2009, TalkTalk found that in a street in Stanmore, Middlesex, of 68 WiFi connections found on the road, only one used the strongest available security (WPA2). The majority (65 per cent) used WPA.
Andrew Barratt, director of professional services Europe at Coalfire, said he agreed with this principle, especially as there is definitely a “skewed focus” by the security research community on zero-day findings.
He said: “These have become a bit like industry Kool-Aid and in fact a lot of the large organisations I've worked with over the years consider them an almost unmanageable risk – within sensible budgets at least. With it becoming widely known that the military weaponise them (Stuxnet, Flame etc.), they have a high value for a while, so the researchers are incentivised in some respects to continue down that path.
“The problem in some in cases is that the old problems are not necessarily ‘hard' in the same sense, but vast in solution delivery, requiring quite large engineering or implementation issues to be overcome – those are less interesting to the hacker community. Nobody is going to get a Black Hat slot by saying ‘on principle, we disabled insecure wireless on all our devices to stop people doing silly things, then patched all in-the-field kit globally'.”However, Tim Anderson, commercial director at Portcullis Computer Security, suggested that researchers don't want to spend time working on something that is old hat, if it has no commercial benefit for their company or real interest to the security community..
He said: “Many businesses still don't understand the potential cost of much of the older security issues, and security people are not discussing the business cost as they are not business people. That may also be why older issues get ignored.”
“New research gets interest at the business level, and if you are seen to be doing cutting edge research you help your clients. Why many security consultancies do research is to: improve their skills; attract new talent; keep existing talent; and attract clients and prospects.”
“If you are doing something old, you may not achieve the first three of these.”