Posts Tagged ‘viruses’

Computer virus comes of age

Thursday, February 2nd, 2006

The Financial Times reports that it was 20 years ago this month that the first computer virus was discovered. As a plain English overview of the IT security threat and how it has escalated, this article is hard to beat. I recommend that every CIO and IT manager prints it off and gives a copy to his CEO.

Information security as a business enabler

Thursday, December 8th, 2005

Information security is supposed to be a business enabler. Information security is supposed to be a business issue, not a technology one.

What this means is that, by ensuring the availability, confidentiality and integrity of information, organizations should be able to improve their effectiveness and enable themselves to use today’s electronic and communications media more competitively.

So far, so clear.

We all know that the electronic world is full of dishonest and nasty people, people whose idea of fun is creating and despatching worms, Trojans, viruses and assorted adware and spyware; we know that stealing data has become more than just a cottage industry; and we know that organizations must take steps to combat today’s mutating threats by implementing multi-layered vulnerability protection strategies.

In responding to the threats, many organizations have lost sight of the idea of ‘enablement’. Defences have been erected and are continuously ratcheted up in response to new threats, and as new technology becomes available.

But nobody bothers talking to the users, the people who are meant to be ‘enabled’ through the use of technology, the people at the business coalface, who are dealing every day with the changing competitive pressures and opportunities of commercial survival in the 21st Century. If they did, they would discover that users are becoming more and more inventive at finding ways of bypassing these controls - while it seems barmy to have to go home, use your personal computer to surf the net to find the information that you want, download it to a USB stick, take your USB stick to work and then upload the information to your computer, this is what more and more people are doing - because it’s the only way left for them to get the information they need to actually do their jobs!

Of course, the organization is just as exposed to what may be residing on the site from which that determined employee downloaded the data - but they’re unlikely to have appropriate defences in place. Sooner or later, they’ll make the necessary investment to close off this loophole - and the workers will have to come up with a new way to get round the technology in order to get on with their jobs.

There is an alternative, far less expensive, far more business-focused, option: businesses could decide that business management - not the IT department - should determine what controls are appropriate - and the good news is that the number of organizations who take that approach is growing (just look at the growing number of BS7799 certified organizations) and, sooner or later, those that stick with the technology-age version of ostrich behaviour will go out of business.

It’s quite frustrating waiting for that to happen, though!

“Malcode Targets Firefox Users”

Tuesday, April 19th, 2005

Like I said before, as Firefox gains market share, so the Malevolency will start targeting it - they may be proof of concept viruses and Mozilla may have issued updates a bit quickly - but, rather like the browser some of you love to hate, it’s ever clearer that Firefox has vulnerabilities that will be exploited as more of you take it up - you’ve just got to hope that Mozilla can do half as good a job as the other crowd at cranking out updates….

Wireless accountability

Friday, March 11th, 2005

Wireless insecurity has been in the press during the last week - the Sunday Times (March 6, 2005) spoke of a ‘virus epidemic’ threatening to wipe mobiles’ memories, while SC Magazine and Computing both report the astonishing absence of security in one third of the City’s wireless networks.

Why are there these failures?

OK, Cellphone “virus epidemic” is a bit of journalist panic-mongering; while Cellphone viruses have, indeed, been reported from a number of countries, there still aren’t a great many species (three, I think) and they still aren’t spreading terribly quickly - not 100,000 devices affected in 24 hours, but maybe 100 affected in a number of months. Sure, now’s a good time to be looking at Cellphone level anti-malware products, but it’s not yet time to panic.

Wireless, though, is a different matter. Who in the computer world doesn’t know that WiFi kit, out of the box, has no security configured? Who, in the computer world, thinks that security is important on the fixed network but not on (or for) mobile devices? Who is accountable for employing the computer ‘experts’ (the IT staff) who allow wireless laptops to be issued to staff - or, worse, allow wireless Access Points to be set up, without appropriate security?

You can sympathise with those employees who’ve taken with enthusiasm to the wireless world beyond their organization’s fixed perimeter: it’s great to not have the heavy-handed system administrator telling them what they can and can’t do. What is surprising is that sysadmins allow this state of affairs - or that their managers and executives turn a blind eye to it.

Because they are turning a blind eye, aren’t they? The alternative is that they’re just incompetent - simply don’t know that wireless security is an issue, or that they’re supposed to do something about it.

Ban unpatched computers

Wednesday, January 5th, 2005

The US CERT web site started the year showing, on its summary of the most frequent, high-impact security incidents, eight exploits that are not all completely new. MyDoom, Bagle and Sasser are all names that are recognizable from 2004, Zafi and Sober have been around for a bit, and only the Santy worm is a recent addition.

While the names are all recognizable, these are not the original exploits - they are variants. Virus writers continue to tweak these things to bypass the protection that organizations install and to exploit new software vulnerabilities. This threat becomes more serious when one realises that virus writers, hackers and spammers are increasingly co-operating to create networks of zombie computers (‘botnets’) and bypass computer defences.

The answer to every single one of the exploits identified by CERT is a combination of installing anti-virus software, keeping it updated and applying software patches as and when Microsoft release them. I guess the fact that these exploits are still so prevalent is clear and damning evidence that there are still too many organizations - and private individuals - who are still not current on either.

Isn’t it about time we started treating unpatched, unprotected computer users the same way that we treat drunk drivers?

Crash and burn - you don’t have to

Monday, December 20th, 2004

2005 will be the year that more organizations crash and burn through inadequate information security and IT governance practices - more IT projects will go wrong, more malicious incidents, more organised crime frauds and some serious terror attacks, along with even more viruses and increasingly clever spammers - remembering that 80% of organizations never recover from a serious business interruption (fire, fraud, terrorism, etc), the turn of the year is a good time to re-think security postures.

The revised and updated ISO 17799, due out in Spring 2005, will not, on its own, save many organizations - what will save organizations is directors and boards making a conscious effort to put information security on their board agendas and to keep it there throughout the year - and keep it there while they make sure that their organizations are tackling IT projects and information security strategically and systematically.