Don’t call the war on hackers unwinnable

John C Dvorak asks what war we’re waging on hackers. While war may not be the best choice of words, because it’s not exactly a conventional war, there’s no question there’s something going on, and we’re not winning it right now.

The latest salvo is that someone in China is building a botnet using Macintoshes.
The key there is China. I’m not old enough to remember this, but perhaps this is like the run-up to Pearl Harbor. As someone explained to me long ago, we didn’t trust the Japanese and the Japanese didn’t trust us, and ultimately that led to the Japanese bombing Pearl Harbor, hoping to knock us out, and they believed that they were getting us before we came to get them.

Read the Chinese propaganda, and that’s exactly what they believe they’re doing.

It’s not all China, of course, but they’re the ones making the headlines. There’s also organized crime, only without the pinstriped suits, suicide doors and Tommy Guns. But whether the adversaries are another nation’s armies or gangsters, the defenses are the same.

What defenses? Don’t open suspicious e-mail, use complex passwords, run antivirus software, and keep your operating system up to date. If you’re a business, add appropriate network infrastructure to the mix, like firewalls and intrusion detection systems.

And without getting too New Age-y, we have to remember that we’re all connected. If someone is running an insecure, compromised network, they’re hosting threats to the networks near them. That’s why I argue it’s a bad idea to run an unsecured, passwordless wireless network. All it takes is one compromised computer connecting to your wireless network to bypass your firewalls and infect your network. The next thing you know, your computers are doing things that make the world a worse place, whether it’s sending spam or participating in DDoS attacks.

The most important thing is to not throw in the towel.

In 2001, Microsoft had a terrible, terrible year. Then, on January 15, 2002, Bill Gates sent an e-mail message to Microsoft employees saying that the company had to not only do a better job on security, but make it the company’s top priority.

I remember when that happened. We laughed. Microsoft and security went together like McDonald’s and gourmet chefs.

It’s been more than 10 years now. Microsoft still releases security patches virtually every month, but they’re fewer in number than they were in 2001, the problems they fix aren’t as severe, and when you say you’re trying to build a secure system using Microsoft technology, knowledgeable people won’t laugh you out of the room. In fact, a good way to figure out if a security guy is knowledgeable and honest is to ask how to build a reasonably secure system using Microsoft technology.

I can’t believe I’m saying this, but if Adobe, Apple, and Oracle (in alphabetical order) all matched Microsoft’s commitment to security, we’d make some real progress in this area.

Businesses and governments have some blame as well. Our government knows how to implement reasonably good security–that’s where the CISSP Common Body of Knowledge arose from. Almost every time I see bad security in practice, it violates something contained within that Common Body of Knowledge. But speaking more generally, it usually arises from an it-can’t-happen-to-me attitude.

Good security begins with two assumptions. The first is that bad guys are out there. The second assumption is that they’re either trying to get your data or your system now, or they will as soon as it becomes profitable to do so.

Then you act accordingly. Apply your patches, run your antivirus, don’t open suspicious e-mail, and basically, put as many layers of defense as is practical between you and the adversary. If your data or your computer is worth $1,000, then make it cost $1,000.01 to steal it. That’s how you make them go someplace else. And if everyone does the same thing, then there’s nowhere for the bad guys to go.

See? Winning is easy. Just put in appropriate protection.

Yes, it’s an overwhelming job. So you handle it in manageable pieces. If you have a lot of time and money to throw at the problem, fix the biggest problem first. If you have very little of either, fix whatever problem you have the ability to fix right now. Since you can’t make it perfect, do whatever you’re able to do to just make it better, and make it a continual effort. You’ll get there someday.

The attackers are diligent. The way you beat diligence is with diligence.

%d bloggers like this:
WordPress Appliance - Powered by TurnKey Linux