Infosecurity is kind of like visiting the dentist: we all know we have to do it, but we seem to put it off for as long as humanly possible.
Heck, I've made two long-overdue visits to the dentist recently and have one more to go that will result in a nice new shiny crown in place of a trusty molar ravaged by years of sweets.
I'm betting there are heaps of government agencies and corporations that need an overhaul of their business practices to account for IT security. They're probably thinking that since they haven't been hit by a cyberattacker yet, then they probably won't be taken down any time soon. Yeah, and the tooth fairy visited me after the dentist ripped out that chocolate-enabling molar of mine, too.
Their problem really is that they envision a process so torturous they would rather wholly ignore the risks in hopes that they never get hit by a cyberattack. Chances are they probably have a criminal lurking around their networks right now with the help of a backdoor that was put there 12 months ago, after the hacker came across a vulnerability for which a patch had been out for at least that long.
To illustrate, let's take a look at a report published by SecurityFocus in late September about the U.S. Defense Information System Agency's (DISA) Requirements Identification and Tracking System. Reportedly, DISA belatedly locked down a vulnerability in IBM Lotus Domino database software that enabled everyday Internet users to sign on and place orders for anything from computers to cell phones. In addition to placing orders, surfers could also take ganders at requisition papers, some of which cited email addresses, DISA IDs, social security numbers and more. The group who reportedly came across the hole, Kitetoa, also were said to have found a similarly misconfigured database last spring. On its web site Kitetoa dismisses the U.S. government's warnings to corporate executives about hack attacks, saying that if the government cared so much about cyberthreats, it would "start with some basic security."
Now, incidents involving vulnerable applications are not new. In fact, experts have said time and time again that many of the security problems could be addressed if company and government IT administrators would simply configure software properly and keep up with patches. But, because this is just one of the many IT security problems plaguing organizations of all sizes these days, it and the others are usually left ignored until something happens. Everyone still operates in reactive mode.
There is some guidance out there. For instance, Gartner advised in a September Gartner FirstTake that before any organization builds security awareness, it must develop an overall sound security strategy. It recommends such actions as getting system defenses in order, creating strong practices, supporting the employees who have to actually implement them, and then moving on to awareness training.
Analyst groups, IT security vendors and service providers, educational organizations and others have all kinds of research that the infosecurity-clueless can tap into. Additionally, some of this well-researched information can be found in the recently released National Strategy to Secure Cyberspace (www.securecyberspace.gov). And, look, I know some of you might think that this U.S. government-sponsored plan is comprised of nothing if not hot air, but the truth of the matter is that it provides a lot of good stuff, some of which has and still is being covered in the pages of SC Magazine.
And you know what else? Much of this good stuff really isn't new; it simply brings together what many would view as best practices. Further, while the strategy clearly sets out some comprehensive guidelines (some would say without many teeth), it also brings the onus back onto the shoulders of us all - home-users, companies, non-profits, educational institutions, government agencies, you name it. And by doing this, it is making attempts to lead every person in the United States connected to the Internet to help reduce infosec vulnerabilities. That, we all know, is no easy or quick task.
As Jeff Waxman, CEO of SilentRunner, says, "Cyberdefense requires us to not only protect the perimeter from intrusions, but to root out the intruders who are already there."
Yikes. Who really wants to take on this job? Probably not too many of us, but the simple fact is that we have to if we want to continue making money, building business and developing our nation and others by using the Internet.
Heck, I'm sure many of you might be able to provide the infosecurity-challenged with some basic how-tos. If you can, it may be a good idea for you to hit the national strategy's web site to give your two cents - the public at large has some 60 days to comment. And for those of you who haven't a clue where to start, it may be good to print out the plan to review with your colleagues. It's a good step in getting the right people in your organization to understand the problem and may lead to some buy-in, budget dollars and solid on-going cybersecurity defenses. Really, when it's all said and done, infosec is about learning from mistakes and practicing prevention through plans, people and tools.
In between my dentist visits you could probably smell the chocolate I threw down my gullet with the help of my temporary cap. The difference is now that I'm cutting down on the junk food and flossing regularly, as opposed to the twice a year floss right before my visits to the dental hygienist for cleanings. I learned my lesson the hard way. Let's hope that not too many more companies or government agencies like DISA do the same.
Illena Armstrong is U.S. and features editor for SC Magazine (www.scmagazine.com).