Twenty years ago, who would have imagined the possibility of renting teams of computers that could collectively target and attack specific businesses and organisations? Or that organised crime, and even drive-by hackers, would have the ability to use DDoS (distributed denial of service) attacks to extort money by threatening to prevent legitimate customers from accessing a business or organisation over the net? This is a reality today.
Hacking kits are freely available on the net, instructing moderately able individuals on how to use and abuse vulnerabilities within applications and operating systems. As new vulnerabilities become public, the time individuals need to develop new exploits is reducing, according to facts provided by several notable sources.
This generally means that we have less and less time, now days rather than weeks, to plug and patch these holes.
Viruses, parasites and worms: these are all biological terms for things that can damage the organic world. Nevertheless we have, to some degree, become immune to such things, building up a set of defences that protect us from these organic attacks. How so? Because we use preventative techniques: healthy food, clean water, immunisations and regular check-ups to keep ourselves healthy and aware of our state of health. The sensible ones among us also take advice from medical practitioners, guiding our thinking and actions in order to maintain a healthy status quo.
It would be interesting to consider whether we exploit similar thinking strategies in our networked community and, if we did, what these strategies would be.
It could be argued that security is only as strong as the weakest point within an organisation, and that if someone were able to store child porn on someone else's website or inside another person's business, then this is exactly what he or she would do.
In fact, this is exactly what has happened, does happen, and will continue to happen if we don't operate in such a way that puts healthy prevention at the top of our agenda.
Insecure code creation is often targeted as a key justification as to how and why we have the problems we face today, encouraging, if you will, the ease of exploitation and the ease of abuse. This, I think, is too easy an explanation; blaming developers is simple. Developing secure techniques at code creation time and educating students within universities in these disciplines is harder. This strong preventative measure is certainly required, but sadly in most cases such initiatives don't exist.
I have argued, discussed and debated (for quite some time) the fact that protective and preventative measures are key when building secure infrastructures for businesses. That is to say, there must be enough security to protect and enable cost-effective business operation. Walking this tightrope is never easy, as the pressures on time and the speed of change are said to colour our thinking with respect to security.
That said, we all have a responsibility to get on board and, collectively, allow suppliers, developers, IT, business and security professionals to work together to build supportive security architecture.
Security threats will increase at rates that will intimidate the frail. Viruses, exploits, malware and DDoS are here, but it's what we do about them that is important.
New ones have arisen: SPIM (instant message spam) and phishing (identity spoofing). These exploits, which encourage users to provide banking details to criminals, are now common. What we need is a plan of action that places the onus on us all to play our part in building the solution.
Code writing and code development require the gathering of business requirements, requirements that should include security constructs. We need to understand the risks to our IT and business environments and adjust our requirements accordingly.
We need policies, procedures, standards and guidelines that build a healthy IT infrastructure, and we need audits that health check where we are relative to the bugs we have around us. We need to work together, collectively owning the problem, not pointing fingers, and being honest enough to admit when we have failed to deliver healthy structures.
Education and awareness are our key issue, as all the technology and code available to us probably counts for little if we use it ineffectively. Secure code, that is, secure business code, is foundational and is a baseline defence and protection mechanism. Students need to be educated at source!
Lastly, in order to maintain the security status quo we need to collectively manage our environment, detecting and eradicating potential ills. Ills that could be deadly, or costly in time and money, need our attention because they certainly have the focus and attention of a new breed of criminal.