Ask HN: What are the most important problems in Information Security today? - rakkhi

On LinkedIn someone was asking what topic they should do for a PhD [1], which got me thinking of the PG essay [2] in which he asks:

What are the most important problems in your field?
Are you working on one of them?
Why not?

My thoughts:

+ Quantifying risk - especially gathering an authoritative database of security incident information from a representative set of organizations around the world going back 10 years, looking at their peers who did not suffer incidents, looking at the threats, vulnerabilities and controls environments in all of them, and then building a quantitative risk model based on this data. Not easy data to gather, especially getting non-survey-based but real cost data, but this would be a major advancement to the field, especially if the model and data were re-usable by most organizations.

+ Transparent security - what security controls could be implemented in most organizations that provide the maximum risk reduction for the minimum cost and usability and productivity impact?

+ Information centric security - innovative approaches to moving security controls closer to the information and away from the infrastructure. DRM is a good concept but implementations are broken [3]; DLP is ok but has its problems also [4]. Can these be solved?
======
david_shaw
_Quantifying risk_ is an important aspect of information security; things such
as the Trustwave _Global Security Report_ and compliance numbers that are
released each year help provide an overarching picture of the
infosec landscape.

_Transparent security_, or at least your description of 'what security
controls could be implemented that provide the maximum risk reduction for the
minimum cost', is perhaps the very basis of the whole industry. Certainly not a
solved problem, but many best practices may be implemented that aim to achieve
this goal. For example, follow secure coding guidelines for developers, DMZ
important services, airgap networks for confidential data, patch solutions,
firewalls/ACLs, etc.

_Information centric security_ is an interesting category that I think
probably has the most room for growth out of the areas that you mentioned.
Some things are simple -- store password hashes instead of plaintext, encrypt
sensitive data whenever possible, implement the rule of least privilege, etc.

The great thing about information security, to me, is that the landscape is
constantly shifting. Problems that the industry is facing today (APT, anyone?)
are nothing like they were even a few years ago. I can't say that I have a
definitive answer to your question (if I did, I'd be coding it myself ;), but
my advice would be to pick one very specific area and focus on it. Look at Dan
Kaminsky and DNS problems, for example.

Good luck, and kudos for trying to improve things :)

Oh -- one last thought before I go. Compliance (PCI, HIPAA, NERC) drives a
_lot_ of information security need. Creating a simple way to get compliance
checks in order not only provides business to the infosec industry, but could
relieve a major headache for organizations that need to be compliant.

------
rakkhi
Links:

[1] <http://linkd.in/eF6glj>

[2] <http://www.paulgraham.com/procrastination.html>

[3] <http://www.rakkhis.com/2010/08/making-drm-practical.html>

[4] <http://www.rakkhis.com/2010/07/practical-lessons-learned-from.html>