In the last few days The Ministry of Defence revealed it is set to recruit hundreds of reservists as computer experts to work alongside regular forces in the creation of the new Joint Cyber Reserve Unit (http://www.bbc.co.uk/news/uk-24321717). But is that enough?
Robert Hansen, technical evangelist of WhiteHat Security thinks not. He says: “One of the biggest issues we face is that the talent simply doesn’t scale. Even with a few hundred volunteers they can only test a few hundred sites a month, assuming that is all they do. That wouldn’t count things like setting up defences, helping to architect better security, or triaging hack events. Typical governments have many tens or even hundreds of thousands of web sites across all of their sub-entities. It simply doesn’t scale well, and thus far no government that I am aware of that has been under any meaningful attack has been able to defend themselves from breech. The Russians have moved to buying typewriters simply so that they can remove their information from the Internet – because they know how fragile and vulnerable anything on the net can be.”
Writing in his blog recently, Jeremiah Grossman, founder and CTO of WhiteHat Security outlined the timescale for security consultants – which is basically what these reservists would be, when searching websites for vulnerabilities. It illustrates the issue they’ll face. He explained, “A consultant would spend roughly a week per website, scanning, prodding around, modifying cookies, URLs and hidden form fields, and then finally deliver a stylised PDF report documenting their findings (aka “the annual assessment”). A fully billed consultant might be able to comprehensively test 40 individual websites per year, and the largest firms would maybe have as many as 50 consultants. So collectively, the entire company could only get to about 2,000 websites annually. This is FAR shy of the 1.8 million SSL-serving sites on the Web.”
You can read his full blog here:
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.