
morning with the news of just how large the Google break-in was, and
the sheer number of companies and computers compromised in the latest
round of attacks. Nothing says “Information Security Failed” more than
these simple numbers: 2,500 companies, 75,000 computers and counting, and hundreds of thousands of pieces of private information.
For once, I am not going to rant on how we all fail at information
security. What I am going to do is talk about the need for national
level oversight and certification for information security people. One
that will have enough teeth in it that we can learn and fix information
security problems, from the software manufacturers on down to the end
user who clicked a link or went to a compromised computer and opened a
compromised file. Information security is not just some engineer or
analyst sitting in a cube somewhere in the building. Rather, information
security is a chain of trust that works on the principle of “until I
have no reason to trust you” from the top to the bottom of the
industry.
Regardless of how it happened (some say Adobe, some say people
clicking on links and getting infected, some say this or that), the
problem is that the whole chain of trust for computing systems, from end
user to software manufacturer, is basically broken. No amount of training
seems to work, no amount of patching and updating seems to work, and every
day I see thousands of people who have had their computer broken into
or data lost because of malware. The first computer virus showed up in 1981
and we are still no better able to defend ourselves today than we were
back then. It has been 29 years, and we have seen the potential of
computer malware to disrupt lives and data, but we are no better off
today than we were back then.
Solving the problem of computer crime and malware is looking a lot
like the efforts to cure cancer. We have great ideas, we have excellent
training, we have techniques and tools, but still we are dealing with
cancer, or malware. We are little better off today than we were 29 years
ago. This tells me that the system, the entire system, is broken. From
manufacturer through to the end user we are simply applying technique after
technique, gateway after gateway, and in some cases succeeding in
eliminating the simpler forms of malware, but the really tricky ones are
the ones that are causing us as an industry the most pain.
We truly need a national level program or professional society at
this point to ensure that we are creating the right kind of security
engineers because nothing says that our industry fails like the current
state of botnets and malware running rampant.
We truly need a way to ensure that the software developed today is
fixed in a timely manner, and at this point we might just need
national oversight with the ability to enforce good coding methods as a
matter of national security as part of that.
We truly need to start teaching our kids, from the first time they
pick up a computer, that bad things can happen as a matter of course. We
teach “stranger danger”, “don’t touch that, it will burn” and a ton of other
useful lessons to our children about a great many things. The internet
should be part of that national level focus on computer safety and
security at the K-12 level, continuing on through their college and
work careers.
At this time the system is so fundamentally broken, with so many
lives disrupted and so many companies losing information, that almost
every system should be considered compromised at some level. Maybe at
this point national level security requirements and education/training
should become part of the information security landscape, and maybe,
just maybe, we need a national level professional society to ensure that the
people we hire into information security are truly capable of helping to
keep information and people safe.
(Cross-posted @ IT Toolbox)
I read your frustration and aggravation in your blog post because no doubt you spend on average $300 per PC/laptop per year to protect your system. Setting up a national CIA or FBI type system for cyber criminals is still not going to solve the problem. Securing your computer is no different philosophically than the steps you take to secure your home and children. Children and homes are compromised on an order of magnitude equal to, if not greater than, 75,000 and counting daily. If we cannot solve that, then we are not going to solve cyber crime either. Protect yourself the best you can and be vigilant.
As an example: I applied for a job at West Communications via their Web site yesterday. Several hours later I received an email from their HR department requesting information about me to see if they would be eligible for a tax credit to hire me. You follow a link in the email and the form asks you for your SSN#!!!!!!!! It’s not even a secure site!!!!!! You and I both know that there are going to be applicants who complete this form providing their SSN number.