While Operation Aurora, Zeus, and Conficker have garnered some (now fading) national attention, the mainstream user population remains relatively unfazed by these security risks and the dangers they pose to both their workplace and home. High-profile breaches from the likes of Blue Cross and HSBC have done little to raise awareness and anger over security mishaps. Heck, even attacks against the beloved site Facebook are nothing more than annoyances that are becoming commonplace for their millions of loyal users.
I find it humorous when people refer to Operation Aurora attacks as primitive or unsophisticated. The question is not how sophisticated or elegant an attack is, but rather how effective it is. Early denial-of-service attacks were not sophisticated, but they were deadly. Remember the old SYN Flood or Ping of Death attacks?
As in all industries, cyber criminals come in varying levels of expertise and knowledge. Let’s face it, some are downright brilliant across multiple areas: finding exploits, writing virus or malware programs, finding a delivery mechanism, and avoiding detection. Others aren’t as gifted, but they do have the ability to cook up schemes and piggyback on the work of others (Zeus) to create havoc and reap personal gain. Remember, the good guys have to be right all the time while the bad guys only have to be right once.
IT security is a waltz between classic security elements such as firewalls and virus scanners, applications, servers, clients, networking, storage, virtualization, and people. While it is always exciting to deploy the latest security gadget, one cannot discount the role people play in IT security. Communication, understanding, flexibility, and a willingness to work together are just a few of the keys to creating and maintaining a positive environment for meaningful IT security.
Finally, IT security must transcend silos to view the big picture and think strategically. If we view each discipline as a puzzle piece, then only by putting all the pieces together does the true picture reveal itself. Like any piece of art, the picture must be shared across the disciplines and various levels within an organization to garner perspective and insight. This can only be accomplished via automation, correlation, reporting, and more: a must-have, not a nice-to-have, in any enterprise. Why is this principle accepted for financial data displayed within multi-million-dollar business intelligence portals yet not understood for security?
In the end, we are all human and no piece of hardware or software is perfect. However, through communication, visibility, and vigilance we can protect ourselves, our companies, our customers, and our future.