“This area lacks precision and science,” he says. “It’s mostly ad hoc. It’s not like building a physical system, like a bridge, where you can estimate its lifespan, capacity and ability to resist wind. There’s no metric to security. You can’t apply mathematical formulation and rate the security of a system. Imagine if we had that, you’d be able to make rational decisions over which system and security is better. If we had that ability, then problem solved.”
So, as users await algorithms that could be decades away, Stolfo says the security industry must up the ante, drop conventional wisdom for a moment and think like a contrarian. An idea Stolfo suggests is what he calls “fog computing”, in which infected organisations mix decoy data with actual data that the attackers are trying to hijack.
“Let them break through – because they’re going to break through – and then give them something that’s going to poison them,” Stolfo says.
This tactic accomplishes two things: First, organisations limit the amount of real data that leaves their walls and, second, arguably more importantly, they are able to measure the course, cost and effort of the adversary.
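One way to build the decoy data Stolfo describes, as an added example that is not his or any vendor's code: decoy records are generated to look like the real ones (same e-mail domain, same key format), but the last eight hex characters of each decoy API key are an HMAC tag under a secret only the defender holds. The defender can therefore recognise a decoy anywhere it resurfaces, in an auth log or a dump, without keeping a list, while an attacker holding a mixed set cannot tell the two apart. The company, records, key and log lines below are all constructed for illustration.

```python
"""Decoy ("fog") data: generate decoys tagged with an HMAC, mix them with real
records, and flag any later use of a decoy. Added example; all data is made up."""
import hashlib
import hmac
import random
import re
from dataclasses import dataclass

TAG_HEX = 8  # hex chars of HMAC tag carried at the end of every decoy key


@dataclass(frozen=True)
class Record:
    username: str
    email: str
    api_key: str


# Constructed "real" records for a fictional company (not from any real system).
REAL_RECORDS = [
    Record("alice", "alice@example.test", "9f2c1a7d0b3e4f5a6c7d8e9f00112233"),
    Record("bob", "bob@example.test", "0a1b2c3d4e5f60718293a4b5c6d7e8f9"),
]


def _tag(key: bytes, username: str, email: str, prefix: str) -> str:
    msg = f"{username}|{email}|{prefix}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:TAG_HEX]


def make_decoys(real, n, key: bytes, seed: int = 0):
    """Generate n decoys shaped like the real records. The key prefix is random;
    the suffix is an HMAC tag over (username, email, prefix) under the defender's
    secret, so is_decoy() can verify a record later without a stored list."""
    rng = random.Random(seed)
    domain = real[0].email.split("@", 1)[1]
    key_len = len(real[0].api_key)
    first = ["carol", "dave", "erin", "frank", "grace", "heidi"]
    last = ["ng", "patel", "smith", "weber", "rossi", "kim"]
    taken = {r.username for r in real}
    decoys = []
    while len(decoys) < n:
        user = f"{rng.choice(first)}.{rng.choice(last)}"
        if user in taken:
            continue  # never shadow a real account or repeat a decoy
        taken.add(user)
        prefix = "".join(rng.choice("0123456789abcdef") for _ in range(key_len - TAG_HEX))
        email = f"{user}@{domain}"
        decoys.append(Record(user, email, prefix + _tag(key, user, email, prefix)))
    return decoys


def is_decoy(rec: Record, key: bytes) -> bool:
    """True if the record's key carries a valid tag under our secret."""
    prefix, tag = rec.api_key[:-TAG_HEX], rec.api_key[-TAG_HEX:]
    return hmac.compare_digest(tag, _tag(key, rec.username, rec.email, prefix))


def fog(real, decoys, seed: int = 0):
    """Mix decoys into the real data so that position gives nothing away."""
    mixed = list(real) + list(decoys)
    random.Random(seed).shuffle(mixed)
    return mixed


LOG_RE = re.compile(r"user=(\S+) email=(\S+) key=([0-9a-f]+)")


def alerts_from_log(lines, key: bytes):
    """Return (username, source) for every decoy credential seen in the log.
    Each hit is a breach signal and a data point on the adversary's course."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        rec = Record(m.group(1), m.group(2), m.group(3))
        if is_decoy(rec, key):
            src = re.search(r"src=(\S+)", line)
            hits.append((rec.username, src.group(1) if src else "?"))
    return hits


if __name__ == "__main__":
    KEY = b"defender-secret"  # assumed: known only to the defender
    decoys = make_decoys(REAL_RECORDS, 3, KEY, seed=7)
    store = fog(REAL_RECORDS, decoys, seed=7)
    print(f"store of {len(store)} records, {len(decoys)} of them decoys")
    # Constructed log: one decoy credential replayed from outside, one real login.
    log = [
        f"2024-05-01T10:00:00Z auth ok user={decoys[0].username} "
        f"email={decoys[0].email} key={decoys[0].api_key} src=203.0.113.5",
        f"2024-05-01T10:00:05Z auth ok user=alice email=alice@example.test "
        f"key={REAL_RECORDS[0].api_key} src=198.51.100.7",
    ]
    print(alerts_from_log(log, KEY))
```

The tag lives inside the key rather than in a side table so that a decoy can be recognised even in data that has left the organisation; the secret must be kept out of the protected store itself, or the attacker who takes the data can also separate the decoys from it.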
Looking at the success of advanced malware from a more macro level, perhaps the celebrity hacker subculture is also partly to blame.
Marc Maiffret believes it is.
He says events such as the annual Black Hat Briefings conference, in which speakers often parade to the stage like famous stars to present their zero-day findings, contribute to a lack of interest in defensive disciplines.
Maiffret is no stranger to the stardom that can be cast on a hacker prodigy, having discovered big vulnerabilities in Microsoft products, including the hole that enabled the Code Red worm, before he was even old enough to drink. In 1999, he was featured on MTV’s True Life: I’m a Hacker and later was named to People’s 30 People Under 30 list.
But after a while, the allure of finding security bugs grew old.