With the IT Security Threats Landscape changing ever so quickly and the methods in which we come under attacks are getting more nefarious, we must take the security preventative initiatives to the next level. We can no longer sit back and put a blind eye to this area of IT as the impact of the financial and economic effects are being felt at all levels of business and personal life.
As an IT Security organization that promotes the development of IT Security awareness and information programs, our interaction with the general IT/public/business communities allows us to have a holistic look at this key area of IT that is reshaping the way we think, work, act and conduct our day to day productivity requirements from a broader view. It is one of those things that cannot be narrowed down to a business entity, vertical market nor size of a business, IT Security encompasses all people, processes and things (including technology) and it is time we take a more granular unified approach to this issue. I am really tired of hearing this being dealt with from a corporate/enterprise/private level and we need to realize the economic impacts trickles down the food chain to those who are less knowledgeable in the area but are directly impact by the effects.
It is with this that I call upon the IT community to unite as a single body towards a national program geared towards the education and promotion of a National IT Security Public Awareness Program “NITSPAP” 'Don't fear IT Security, Unify IT Security' starting in October 2007. This annual week of awareness will be geared towards a specific focus on the IT Security Threats Landscape and the various elements it presents to both the consumer and business sectors. I believe the time has passed for us not to see this as a critical issue that warrants this level of unity in a fight that is not about to be over any time soon. Today’s threats are tomorrow’s problems that are creating the foundation of things to come and if not properly managed and secured will have substantial impact on all levels of our lives. With more and more technology enhancements daily, the availability of new avenues of infection, exploits and vulnerabilities has increased exponentially. How this is being addressed today is not enough as we need to voice it to the masses in a standardized way.
It is only through unity that we can achieve this on all fronts, neutrally, unbiased, unequivocally and directly focused on IT Security no matter who you are or what organization you belong to. The hackers are united and have been bonding together as a force to be reckoned with. They are creating their own groups, communities and methods of clandestine behavior that we must take as a sign of impending danger ahead.
How else can we achieve greater or equal success in the mitigating or risk management of these issues when we’re all operating as individual fronts?
The growth of threats through messaging has prompted the need for a better way of validating the sender of the message so that at first sight the recipient has a better chance of knowing how to deal with it. I remember a few years back we told users that the best way to secure against messaging threats is not to open an attachment from an unknown source. This used to work then but the new threats are coming from new and trusted sources. How do we mitigate this, how do we validate these messages?
With threats/attacks coming from known and trusted users it makes the strategies to defend against these issues even more tedious as your enemy is now your best friend. Still, unchecked, we’re seeing a slow adoption (if any) in the use of PKI technology such as S/MIME (Secure / Multipurpose Internet Mail Extensions) for messaging. The use of digital IDs to validate and authenticate the sender of the message is still in limited use. Unencrypted messages flying around in plain text with critical business information/data is still at an all time high as messaging is now the most critical business process and tool. The use of personal email accounts on webmail services for sensitive/critical information is at a high number without policies to govern them.
Now, you’re protecting your infrastructure in the best ways you can, you’re practicing all the proper standards for security but you’re leaking data/information out of the company through an unsecured account at an unsecure hosting service, hmm.
So, the threat factors are growing at an even more alarming rate, the governance and enforcement is still the same or less and the data breaches/loss is reaching more people in places that you’d think would have by now learnt the lessons from other companies who had suffered at this level of negligence. Still, unchecked, the state of the IT Security Threats Landscape is not safe.
We must unify and unify now or we will forever lose to the IT Security Threats Landscape and the elements that comes with it. Let us join together in mind, resources and the vision of unity in this critical area of information technology. I have conveyed this vision to state and government officials and the feedback and response has been receptive and very positive. I am now extending this out to you the vendors, business executives in all areas of business, associates, fellow consultants, VARs, IT professionals and the public to make you aware of this initiative and how it will be scaled out as a national program.
Day in day out we’re seeing the development of more nefarious and targeted attacks coming from all angles with a single purpose of building out a more destructive roadmap ahead for Information Technology. The attacks are more organized, well structured and formulated and are even harder to detect as being a threat. The levels of sophistication needed to mitigate these threats are not available to the smaller size businesses who are producing as much critical information as major enterprises/corporations do. So now we have major companies doing business with smaller companies and the threat now becomes that of the small company who is handling the data/information.
This is where the change in the threats landscape comes as you are now vulnerable through association and the partners you have. Social engineering, drive-by downloads, phishing, pharming, URL/DNS poisoning, DOS and DDOS attacks and the increase in the messaging threats are growing rapidly by the day. Companies are not implementing awareness programs for their users to stay abreast of the type of threats and how they are spread in and out of the business and home environment.
This week of awareness will be addressing these issues through public speaking at various agencies, institutions and other organizations, media promotions on the air (TV and radio), news papers and across the IT channels, industry and vertical markets. We will be hosting an official conference setup to kick this off and invitations will be sent to all avenues of the IT Security Space. It will be hosted in NYC and the date and time will be confirmed shortly. This will make it a non vendor neutral environment where we can all get together as one without the vendor to vendor conflict issues.
The success of our Mobility/Endpoint Security Summit ‘MESS’ in May showed that we can pull together something good that appeals to all levels of businesses, big and small, public and private and across all verticals, and that they too are very much into looking ahead and reevaluating their infrastructure to accommodate the need for changes to come. As a result of the summit there have been synergies, business opportunities and new partnerships formed between the vendors and our organizations to position us as a force ready and able to address the needs of tomorrow’s threats today. I am confident that we will not face the challenges we did in putting together this event again, lessons learnt, we can do it.
I wanted to give you an early heads up as I have been pushing the plans to vendors, businesses and IT professionals, local communities and groups, to gain their support and I am happy to say that I already have 14 vendors across 6 states that have committed to being a part of this. The vision is real, the mission is strong and the unity is coming. We invite everyone to join in and participate in this great initiative for the future.
Over the next few weeks I will be promoting this through some of the government, educational, financial and legal verticals to gain the support and traction towards the kick off. I have already pitched the plans to some of you and got some receptive feedbacks from it.
If nobody wants to do it, we will, and bring it all together and set the pace for this on an annual basis. It must be done and done now, but most importantly, it must be done properly as time wasted can never be regained and we have lost a lot of time and grounds in this effort.
So please join me in this initiative and I hope that we all see the value in what we do to promote the safe and secure future for information technology superhighway.
I look forward to your feedback and comments.
About the Author:
Brett A. Scudder, President/CEO/Security Architect and founder of the “The IT Security Suite” at http://www.the-suite.net
He can reached at Brett.Scudder@theitsecuritysuite.com