Posted by: David Schneier
Audit, compliance, cyber security, Regulatory Compliance, Security, threats
I just finished reading through the most recent report from Verizon Business, which offers a deeper dive into the most common security breaches identified during 2008 and quite frankly, I’m concerned. Turns out that there’s very little new to worry about beyond what we already know – and that concerns me greatly.
I am a bit relieved that the threats we already know about are still pretty much those that we’re dealing with; we know how they happen, why they exist and what to do about them. But that’s also why I’m worried.
If we know about these threats and have at our disposal a wide range of techniques and tools to prevent them, why are they still finding any measure of success?
For example, take a personal experience I had while using Facebook. Shortly after becoming an active user on the popular social networking site, I fell prey to a virus delivered by way of a URL that presented itself in the form of a video link sent from a friend. The link appeared suspicious and though I attempted to close the message without clicking on the link, something went awry and I navigated right into the steely, sticky jaws of a truly annoying virus. Fortunately, I was able to clean my machine and eradicate the virus eventually (many thanks to Trend Micro for some pretty good software on that front). But the experience served as a booster shot of sorts for my overall online strategy. Now, I won’t even open a message unless it presents itself correctly (e.g. proper spelling, contextually appropriate, etc.). It took me all of one bad experience to realize I had to use the same level of vigilance on Facebook as I did in the rest of my digital world.
In other words, I learned the lesson and have taken steps to not make the same mistake again. Why can’t the business world do the same thing?
Of the threats detailed in the Verizon report, the vast majority can be addressed via proper system configuration and basic monitoring techniques. We’re not talking rocket science here. And the remaining threats – the ones involving the human element – can be greatly reduced by proper and consistent security awareness training. Honestly, if I can get my almost octogenarian mother to screen emails and only open those that come from trusted sources, I’m thinking corporate America can train its employees to do the same. If I can educate my wife on the dangers of skimming and give her the basic tools necessary to avoid suspicious ATMs (e.g. only use bank-branded devices in well-lit areas; always cover the keypad when entering PINs, etc.), I’m certain financial institutions can do so with their customers.
The criminal element can be a pretty sharp group and is always, always thinking of new ways to get to other people’s money. Why make it easier for them by leaving the same doors unlocked and windows open? As I’ve already pointed out, it’s good that we have identified the threat, but it’s not so good that we haven’t done enough to stop it.
And here’s a neat little addendum: I wrote this post earlier today while traveling and when I returned home this evening and sorted through my mail, I found a brochure for the SANS event scheduled for March, 2010 in Orlando. While flipping through the pages, I saw session after session all aligned quite nicely against the threats detailed in the Verizon report. Again, successfully dealing with this ain’t exactly rocket science.