I was listening to a lively debate the other day on the radio.
The issue under discussion was crime and how society has been tackling it. The views put forward were, for the most part, sensible, though a few individuals with more unorthodox ideas did manage to get through every now and again. One caller in particular, though, struck a note with me. She was brief and to the point. All she said was "God helps those who help themselves." Not wishing to bring religion into the debate, the presenter swiftly moved on, but her comments got me thinking. In particular I began to think about how all of us can start to help ourselves with regard to the security of our information or assets.
I guess it's human nature to believe that we will not be the victim of a crime or malicious act. It always happens to the other guy, right? Granted, only the most morbid or paranoid will continually think that something terrible will happen to them, but the sensible ones among us should be able to see that something undesirable potentially could happen. It could rain, so I carry an umbrella. The dog may run off, so I put an identity collar on him. Someone could copy my customer database so I ... no that won't happen to me!
The problem with this scenario is that when we do nothing to counteract the chance that something undesirable will happen to us, we lay the foundations that pretty much guarantee something will happen. We turn ourselves into vulnerable targets by the fact that we have less protection than our neighbor, colleague or rival. Ironic, isn't it?
Our industry, of course, tries to put this right. We see ads everywhere warning of the dangers posed by the sneaky hacker or the vindictive employee, but unfortunately they target the wrong people as they mostly appear in our own trade press. Preaching to the converted has never been a worthwhile exercise as far as I am aware. The danger now, though, is that this approach is beginning to backfire even with security professionals. As sincere and accurate as these warnings may be, they are all too readily treated with cynicism; they are marketing ploys and nothing else. There is more than a grain of truth in that point of view, but I believe it is an unhealthy one nonetheless. We all have a vested interest in convincing those whose assets are at risk that they must take steps to effectively secure them. It's up to the asset owners themselves to start realizing they are at risk.
Asset owners can start helping themselves in so many ways. This doesn't necessarily mean splashing out huge amounts on the latest technology, but it does mean re-evaluating the notion that maximizing immediate profit is the most effective course of action to take. I would like to suggest that chief executive officers and managing directors start with that most under-appreciated of employees, the system administrator.
I have never yet met a sys-admin who was not able to tell me exactly what vulnerabilities were present in the systems they were responsible for. Operating system patches that have not been applied, default settings that have not been altered or, worst of all, poor configurations that have been introduced deliberately to facilitate operation. Invariably, the root cause of these problems lies in the fact that the system administrators have not been given sufficient time or notice to do their job correctly.
When told that getting a particular server up and running from scratch would take longer than he had expected, I once heard a very senior executive say "s*** the security, just do it." It's hard to imagine a motor manufacturer telling its production staff not to worry about the central locking mechanism as the car has to be finished by tomorrow. Yet that is how we operate our IT systems. If the system administrators can be given the chance to perform their job properly, I am sure we would see a big reduction in the number of corporate security breaches.
A second area where asset owners can start to help themselves is with the design process for new projects. Security must be part of the design from the start. How many of us have experienced developers or project managers put something together and then pass it to the security guy at the eleventh hour to accept or reject? Security for our homes, cars or valuables is not an afterthought. Why should the security of our information not be treated the same?
Let me draw on the motor manufacturer again. Car designers are, in the main, not security experts but every one of them understands that any vehicle they design will have to be secure, as it will have to be safe, reliable and so forth. All these aspects are developed from the start. The result is a truly finished product. Compare this to the phone call we have all received from a developer who wants to install a new web enabled application server and needs 'security' to clear this. Invariably we find that the project has been ongoing for at least a month or two prior to this and that the expected go-live date is a matter of days away.
One final suggestion for asset owners is this; please stop living in the past. Security threats are here today and they are never going to go away. In the same way that we could not un-invent the H-bomb in the 60s, we cannot un-invent the script kiddie in the 21st century. They are here to stay and we all have to accept this. My parents still remember the time when they could leave their front door open all day. Now we have to close and dead bolt it as a matter of course. Yes it's inconvenient, but not as inconvenient as being burgled. The wired world is now a hostile place. If we want to live in it safely, we all need to help ourselves.
Adam Holder is a security consultant with PricewaterhouseCoopers. He may be contacted at firstname.lastname@example.org.