Norbert Pohlmann (Institut für Internet-Sicherheit):
„The next step in IT security after Snowden“.
In Proceedings „2nd International Communication Colloquium“,
Ed.: C. Ruland,
The Internet, with its many innovative opportunities, has gained continuously growing relevance in our modern society. Through advanced software solutions and complex correlations between protocols, services and infrastructures, vulnerabilities of Internet technologies are becoming more diverse and much larger than ever before. Attacks on high-value assets within IT systems and on their availability are carried out in a more distributed, sophisticated and professional manner. There is also a noticeable industrialization of cybercrime, resulting in a professionalized sustainability that is not to be underestimated and that has never existed before. Some particularly striking security problems, arising from the critical assessment of the current IT security situation, could be solved by appropriate paradigm shifts.
Over time, our IT security problems have become bigger and bigger, not smaller. The problems have become even greater with the NSA affair, so the risk level is constantly rising. But what are the biggest IT security problems we have to handle at the moment?
First IT security problem: “Too many software vulnerabilities”
Software represents an evolving portion of added value in all sectors. It is used in PCs, notebooks, smartphones and large datacenters, but also increasingly in cars, industrial plants, critical infrastructures, houses and similar application areas. A major security problem is the number of software vulnerabilities. The software quality of operating systems and applications is no longer sufficient for today's threat landscape. Currently, the error density in high-quality software averages 0.3 bugs per 1,000 lines of code. Since common operating systems consist of about 10 million lines of code, there are about 3,000 errors to find. Some of them represent potential targets for attacks. Software companies do a lot to decrease the number of vulnerabilities in their software. Nevertheless, criminal organizations are still able to exploit this smaller number of vulnerabilities very professionally. And this situation will not change in the near future. Exploiting these vulnerabilities in software is too easy.