Sep 07 20
Admins stuck between a hack and a zero-day
Posted by Munir Kotadia @ 16:03 8 comments
The world of IT security is in chaos, with CSOs seemingly on the front lines of a full scale global cyberwar being fought out by government hackers, botnet-controlling criminal gangs and compromised Web sites. Can we ever hope to keep networks safe in such an environment?
Accusations of government-sponsored hacking have been flying in recent weeks with the US, UK, Germany, and most recently, New Zealand, claiming to have been attacked by hackers that allegedly work for the Chinese government -- charges denied by the country itself.
Meanwhile, the Storm worm has also been in the news, with security researchers debating whether the botnet controlled by the worm, which is estimated to contain between one and five million infected PCs, could be used by criminals as a massive distributed supercomputer, potentially packing the power to deliver massive spamming campaigns, knock out targets with a DDoS attack and even use a SETI@home-style operation to crack very strong encryption, very quickly.
It is not just the hackers, spam and DDoS activity we need to worry about. These days it isn't even safe to simply surf the Internet, because there is no way of knowing whether a Web site has been compromised -- take the IE-exploiting Facebook ad, for example, or the Sydney Opera House Trojan.
These are legitimate sites and yet people have most likely put themselves at risk by simply visiting them.
So how do you go about protecting your organisation in such a hostile environment? According to Graham Andrews, the CIO of PricewaterhouseCoopers, the task is "a nightmare".
Andrews believes a company cannot be truly secure if the responsibility for security is pinned on one person or one department.
"Security is everybody's problem. The core ownership of security is throughout the organisation. Not just within the IT group but in the user community so they are fully appreciative of the risks out there," he said.
When security is the responsibility of just one department, "you have already lost the game," said Andrews.
Andrews is spot on. Everyone in your organisation -- from the developers to the doormen -- needs to be aware that the only way to reduce the chance of a security breach is for everyone to play their part.
Why malware?
Why the problems?
Why the concern?
Simple - the ICT industry stopped producing mass market secure systems, particularly that vital secure operating system, for the end-user 25 years ago, and government and regulators did nothing to help the situation at all.
The problem is largely not the Internet per se, most of the time, it is the base operating systems, middleware and applications at the ends. AND it is NOT the end-user anymore who can now be easily bypassed by sophisticated attacks of growing complexity, particularly as we move to unsafe "web services" style of application development.
BUT it's easier to blame him or her - that way public and private enterprises can convince themselves that it's not going to cost that much to fix up the real problem - the base systems themselves.
Imagine - enterprise servers could today be "hardened" and based around "mandatory access control (MAC)" type systems with solid protection and enforced application/software "profiles" (minimising all the malware talked about and really "raising the security bar") with such systems as SELinux (Secure LINUX from the NSA and now in such systems as RedHat's Enterprise Linux 5, actually evaluated under the Common Criteria scheme which Australia adheres to), Trusted SOLARIS 8 and Enhanced SOLARIS 11.
No - the time has come to realise that CIOs have to make the move to more secure bases for their systems and STOP blaming the poor old user all the time.
AND to do that - they need legislation to convince boards of directors / departmental executives that the necessary education and training expense is needed (incidentally the actual software base cost itself is hardly different to the low security commodity software product).
Let's STOP blaming the Internet and the poor old end user. The real problem is the computer system itself.
WJC
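The comment above argues for MAC systems with enforced per-application profiles, where a compromised service is still confined by policy. The following is an added example, written for this page and not code from the article, the commenter or any SELinux distribution: a toy type-enforcement checker whose rule syntax is loosely modelled on SELinux `allow` rules. The policy text, file labels, domain and type names (`httpd_t`, `shadow_t`, and so on) and the scenario are all constructed for illustration; real SELinux policy has many more rule kinds and object classes.

```python
"""Toy type-enforcement (TE) policy checker, loosely modelled on the SELinux
rule form:  allow <source_domain> <target_type>:<class> { perms };

Added example for this page, not the article's or the commenter's code.
The policy, labels and scenario below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# One allow rule: a subject domain may perform perms on objects of a type/class.
@dataclass(frozen=True)
class Rule:
    source: str        # subject domain, e.g. httpd_t
    target: str        # object type, e.g. httpd_content_t
    cls: str           # object class, e.g. file or tcp_socket
    perms: frozenset   # permissions granted, e.g. {"read", "open"}

@dataclass
class Policy:
    rules: list = field(default_factory=list)
    enforcing: bool = True        # False = permissive: log denials but allow
    audit: list = field(default_factory=list)

    def allow(self, source, target, cls, perms):
        self.rules.append(Rule(source, target, cls, frozenset(perms.split())))
        return self

    def check(self, source, target, cls, perm):
        """Deny by default: grant only if some allow rule covers the request."""
        granted = any(
            r.source == source and r.target == target and r.cls == cls and perm in r.perms
            for r in self.rules
        )
        if not granted:
            # Mirrors the shape of an AVC denial line; constructed format.
            self.audit.append(
                f"avc: denied {{ {perm} }} scontext={source} tcontext={target} tclass={cls}"
            )
            return not self.enforcing   # permissive mode logs but does not block
        return True

# 'allow src tgt:cls { perm perm ... };'  (comments after '#' are ignored)
RULE_RE = re.compile(r"^allow\s+(\w+)\s+(\w+):(\w+)\s+\{([^}]*)\};?$")

def parse_policy(text, enforcing=True):
    """Parse constructed policy text into a Policy; unknown lines are an error."""
    policy = Policy(enforcing=enforcing)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable rule: {line!r}")
        src, tgt, cls, perms = m.groups()
        policy.allow(src, tgt, cls, perms)
    return policy

# Constructed application profile: a web server confined to domain httpd_t.
CONSTRUCTED_POLICY = """
# web content is readable, the access log may be appended to, port may be bound
allow httpd_t httpd_content_t:file { read getattr open };
allow httpd_t httpd_log_t:file { append getattr open };
allow httpd_t http_port_t:tcp_socket { name_bind };
"""

# Constructed file labels (path -> type). Nothing grants httpd_t shadow_t access.
FILE_LABELS = {
    "/var/www/html/index.html": "httpd_content_t",
    "/var/log/httpd/access_log": "httpd_log_t",
    "/etc/shadow": "shadow_t",
    "/root/.ssh/id_rsa": "ssh_home_t",
}

def file_access(policy, domain, path, perm):
    """Resolve a path to its label and ask the policy about one file permission."""
    return policy.check(domain, FILE_LABELS[path], "file", perm)

def compromised_webserver_scenario(enforcing=True):
    """A process running as httpd_t has been taken over; what can it read?
    Returns ({path: allowed}, audit_lines) so the blast radius is visible."""
    policy = parse_policy(CONSTRUCTED_POLICY, enforcing=enforcing)
    results = {p: file_access(policy, "httpd_t", p, "read") for p in FILE_LABELS}
    return results, policy.audit

if __name__ == "__main__":
    for mode in (True, False):
        results, audit = compromised_webserver_scenario(enforcing=mode)
        print("enforcing" if mode else "permissive", results)
        for line in audit:
            print("  ", line)
```

The point the scenario makes is the commenter's: discretionary permissions let a hijacked web server read whatever its Unix user can, whereas the profile above confines `httpd_t` to its own content and log types, so even a fully compromised process is denied `/etc/shadow` and the root SSH key, and every denial lands in the audit trail where detection can pick it up. Running in permissive mode is the usual way to build such a profile: denials are logged without blocking, and the log tells you which rules the application legitimately needs.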