Myth of Superuser Debate: Dispelling Myths about the Myth
In case you haven’t heard, there is something of a flap about the “myth of the superuser” (aka superhacker) and the security industry overselling the problem of cybercrime. (See “The Myth of the SuperUser” and “The Myth of the Superuser, and other frauds by the security community.”)
While there is some truth in these arguments, there are a number of significant flaws which could leave the reader with an inaccurate impression of the state of information security.
First, there is a claim that security experts ignore the risks and probabilities of threats. From the Myth of the SuperUser, we hear:
In stark contrast, experts in the field of computer crime and computer security are seemingly uninterested in probabilities. Computer experts rarely assess a risk of online harm as anything but, “significant,” and they almost never compare different categories of harm for relative risk. Why do these experts seem so willing to abdicate the important risk-calculating role played by their counterparts in other fields?
Yes, not everyone in the security field uses formal risk analysis as much as they should, but the idea that risk analysis has no role in computer security is false. A quick search of the IEEE Security and Privacy journal finds articles like Considering Operational Security Risk during System Development, Introduction to Identity Management Risk Metrics, Why Johnny Can't Evaluate Security Risk, Minimizing Security Risks in Ubicomp Systems, Security Meter: A Practical Decision-Tree Model to Quantify Risk, Technology and Web User Data Privacy: A Survey of Risks and Countermeasures, Toward Econometric Models of the Security Risk from Remote Attack, Risk Analysis in Software Design, and the list goes on, but you get the point. The claim that security experts ignore risk is itself a myth; we just need to read the literature to see that.
Second, the writer of the Myth post claims:
Superusers inhabit the Internet, but they are often so uncommon as safely to be ignored.
Superusers, aka super hackers, are asymmetric threats: one attacker can do much damage to many others. Look, for example, at the data gathered by Google on Web-based malware described in The Ghost in the Browser: Analysis of Web-Based Malware, which shows the high incidence of Web-based threats. These are not necessarily the product of a broad community of attackers, but the origin of the malware does not minimize its threat.
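The two points above (that risk in security is about probabilities, and that a rare attacker class can still be an asymmetric threat) can be put in the same expected-loss terms risk analysts use. The following is an added illustration, not code from the post or from any of the cited papers; every threat name, rate and dollar figure is constructed for the example. It ranks scenarios by annualized loss expectancy (rate of occurrence times loss per event) and computes how rare the high-impact threat would have to be before it merely matched an everyday one.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """One threat scenario in classic annualized-loss terms."""
    name: str
    annual_rate: float      # expected occurrences per year (ARO)
    loss_per_event: float   # loss per occurrence in dollars (SLE)

    def annual_loss(self) -> float:
        # Annualized loss expectancy: ALE = ARO * SLE
        return self.annual_rate * self.loss_per_event


# Constructed illustrative scenarios; not measurements from any real organization.
SCENARIOS = [
    Threat("commodity phishing / credential theft", annual_rate=12.0, loss_per_event=5_000.0),
    Threat("lost or stolen laptop", annual_rate=2.0, loss_per_event=40_000.0),
    Threat("skilled attacker, mass data breach", annual_rate=0.02, loss_per_event=50_000_000.0),
]


def rank_by_annual_loss(threats: list[Threat]) -> list[Threat]:
    """Order threats by expected annual loss, largest first."""
    return sorted(threats, key=lambda t: t.annual_loss(), reverse=True)


def breakeven_rate(rare: Threat, common: Threat) -> float:
    """Annual rate at which `rare` would only equal `common`'s expected loss.

    If the rare threat's true rate is above this, dropping it from the
    analysis because it is 'uncommon' understates total expected loss.
    """
    return common.annual_loss() / rare.loss_per_event


def share_of_expected_loss(threat: Threat, threats: list[Threat]) -> float:
    """Fraction of total expected annual loss attributable to one threat."""
    total = sum(t.annual_loss() for t in threats)
    return threat.annual_loss() / total


if __name__ == "__main__":
    for t in rank_by_annual_loss(SCENARIOS):
        print(f"{t.name:45s} ALE = ${t.annual_loss():>12,.0f}")
    breach, laptop = SCENARIOS[2], SCENARIOS[1]
    print(f"breach would have to occur less than {breakeven_rate(breach, laptop):.4f} "
          f"times/year to matter less than lost laptops")
    print(f"breach accounts for {share_of_expected_loss(breach, SCENARIOS):.0%} of expected loss")
```

With these constructed numbers the breach, occurring once in fifty years, still dominates the expected loss, and it would have to occur less than 0.0016 times a year (about once in six centuries) before lost laptops mattered more. The point is not the particular figures but that "uncommon" and "safely ignored" are different claims, and a two-line calculation separates them.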
Next, we should not split semantic hairs about “Internet superusers.” TJX, for example, was compromised through weaknesses in its wireless network security. It seems the attackers didn’t need to use the Internet at all. Had TJX taken these threats more seriously and invested in security, it would not be facing massive lawsuits, would not be left to pay for the fraud, and its stock would not be dropping in response to the breach.
I agree the security business tends toward hyperbole. The Myth of the Superuser just shows it can go both ways.