Older research that has not fixed general problems should not be forgotten in the face of new challenges.
Speaking to SC Magazine, James Lyne, global head of security research at Sophos, said that older research is often left and not completed in favour of new and exciting research, meaning that old problems do not get fixed.
Lyne said: “We as a community need to talk about older problems. It is a problem in the industry as people really want to talk about what is news and I want to show the community that we need to focus on fixing stuff.”
Focusing on WiFi security, Lyne said that “some of this stuff is five years old but security researchers are all about the new and the latest trends”. He called on the security industry to learn from and revisit old security topics, especially as it is so easy to lose touch with the man on the street.
“We have to find ways to dress up old problems, but not to the detriment of the public. New technology that focuses on processes is all well and good, but we need to bring that back to enable users to put trust in technology,” he said.
In research conducted last year that involved him 'warbiking' around London, Lyne found that of almost 107,000 wireless hotspots in the capital, eight per cent used no encryption, 19 per cent used WEP encryption, while the other 81 per cent used WPA or WPA2 encryption. In research from late 2009, TalkTalk found that on a street in Stanmore, Middlesex, of 68 WiFi connections found on the road, only one used the strongest available security (WPA2). The majority (65 per cent) used WPA.
Andrew Barratt, director of professional services Europe at Coalfire, said he agreed with this principle, especially as there is definitely a “skewed focus” by the security research community on zero-day findings.
He said: “These have become a bit like industry Kool-Aid and in fact a lot of the large organisations I've worked with over the years consider them an almost unmanageable risk - within sensible budgets at least. With it becoming widely known that the military weaponise them (Stuxnet, Flame etc.), they have a high value for a while, so the researchers are incentivised in some respects to continue down that path.
“The problem in some cases is that the old problems are not necessarily ‘hard’ in the same sense, but vast in solution delivery, requiring quite large engineering or implementation issues to be overcome - those are less interesting to the hacker community. Nobody is going to get a Black Hat slot by saying ‘on principle, we disabled insecure wireless on all our devices to stop people doing silly things, then patched all in-the-field kit globally’.”
However, Tim Anderson, commercial director at Portcullis Security, asked why any researcher would spend time working on something that is old hat, or has no commercial benefit for their company or community.
He said: “The business doesn't understand security, while security people are not spending time attempting to discuss the business cost to security as they are not business people, so it gets ignored as it is not interesting to business.
“New research would get interest at the business level, and if you are seen to be doing cutting-edge research as you help your clients. Why consultants do research is to: learn new skills; attract new talent; keep new talent; and attract clients and prospects.
“If you are doing something old, you won't be doing the first three of these.”