U.S. Vice President Dick Cheney was recently on NBC's Meet the Press where he said that the inevitability of another terrorist attack on American soil is as sure today as it was September 12.
Officials have publicized a "vague" and "unsubstantiated" threat against the water supply in central Florida and have reported that still other threats have been made that target apartment complexes across the country.
At the same time all this stuff is being expressed to the American people, reports have surfaced that the executive branch of the U.S. government was forewarned about the tragedy that struck on September 11. Officials in the executive office and, yes, even the president, have been reported to know that a group of terrorists were going to use planes to collide with the WTC.
The idea that someone in the government possibly had some inkling of what became a devastating terrorist attack is certainly jarring. Yet, such a report still prompts me to question why people are so surprised by this. Osama Bin Laden had been making his mark on American outposts all over the globe. Of course the U.S. government knew that this man and his team of cultish, unthinking followers would soon hit us on our own turf. What the potentially awful truth could turn out to be in regard to this situation is that the government chose not take some preventive measures to try and save lives - that is, if their foreknowledge of the attacks was such that they would have had time to mobilize. (It's likely they did have some time given all the reconnaissance that the FBI and CIA are purported to undertake, but maybe they were too disorganized to actually form some plans in response to various findings. Who knows and, really, who will ever know?)
So, now Cheney and Bush are doing the let's-be-friends-with-the-reporters dance and are releasing vague shadows of threats on apartment complexes and water to the public at large. Officials are beefing up security at various water supply stations and are trying to obtain more details to aid in making such preventive security efforts more strong.
While I have loads of opinions that I'm just dying to vent on our government and the bevy of issues surrounding our war on terrorism, these are inappropriate to share in an IT security column such as this. However, I provide the brief notes above to illustrate a point that applies to infosecurity: knowledge and prevention go a tremendous way in doing battle and, perhaps, coming out the victors of said battle when tangling with terrorists or, in the cyber realm, hackers and other modern day IT threats.
Yet, complacency still remains one of the biggest problems among businesses using the Internet, email, web applications, Intranets, and a plethora of other advanced IT technologies today. For example, McAfee Security, a division of Network Associates, recently showed in a study conducted by Vanson Bourne that U.K. businesses are failing to understand that security is a process, not an end point. Organizations have developed the sense that security measures they already have in place are sufficient in keeping their IT resources safe. Still, 82 percent of companies have been hit with some virus or another in the last 12 months.
A percentage of 82 is "too high for businesses to really believe their defenses are 'watertight,' yet 92 percent of companies think they have sufficient resources to secure their networks," says Sal Viveros, director of McAfee ASaP, in a recent press release. "Businesses need to realize that if they are suffering this level of attack then they need to address the amount of time they're devoting to the security of their network."
And other companies, overwhelmed with nail-biting fears of outside hacking attacks, have demonstrated just the opposite reaction of caution. Reportedly, British Airways, worried about hackers, took down around 100 unauthorized web servers from its network.
"British Airways highlights the fact that even large corporates, with well-developed strategies and IT structures, can be vulnerable to security threats because of unaudited processes," notes Glenn Stephens, managing director of Centennial, an inventory tracking software company, in a recent news release. "If you don't have the complete IT picture, then you don't know what systems your staff are installing or whether they are using unapproved web servers day to day."
And such an incomplete picture, coupled with blissful ignorance and inappropriately placed complacency, can leave any company connected to the Internet as vulnerable as a displaced kitten among a famished pack of wolves. Companies, then, should ensure that their organizations are strengthening their knowledge and beefing up preventive measures.
They should be undertaking audits of their IT infrastructures on a consistent basis, perhaps quarterly or even more frequently if necessary. They should constantly monitor their security environments in an effort to keep them as effective as possible in warding off and warning of attacks. They should educate employees and implement policies. In short, they should constantly be on the lookout for ways to improve their overall approach to protecting their networks, as well as developing knowledge of threats that could be posed against them and the tools to fight against them, in addition to honing the skills to repel internal and external attacks.
IT security should start with the acquisition of knowledge and plans based on prevention. Reactionary measures usually get us nowhere and often leave us surrounded by utter devastation, as 9/11 demonstrated. However, if we are vigilant and accept the fact that security, whether IT or physical, is an ongoing process that demands daily handling, then we may soon see that hungry pack of wolves scooting away, tails tucked between their legs.
Illena Armstrong is U.S. editor of SC Magazine (www.scmagazine.com).
