By Joe Knape
Larry Seltzerâ€™s article â€œThe New Attack Patternâ€ states that â€œthings are getting better for the average user over time.â€ At the same time, several other authors state in a fairly lucid manner that users didnâ€™t feel a whole lot more secure in 2006.
To make matters seemingly worse, according to most would-be fortune tellers, 2007 will see an increase in the number of application based 0-days, attacks on mobile phones will become more common, and incidents of identity theft and data loss will increase.
So which is it? Are we more secure and just donâ€™t know it? Are we not more secure but living in ignorant bliss? Or are we on the edge of a digital precipice?
As Mike Rothman alludes to in his December 13, 2006 post, â€œNarrow and Targeted in 2007â€, the answer is: D, all of the above. Of course, the real crux of the matter is how â€˜weâ€™ is defined.
Now, if â€œweâ€ means the typical user in a typical large company then the answer isâ€¦yes — things are getting better from the perspective of the negative impact of â€œsecurityâ€ incidents such as virus outbreaks, DoS attacks, etc. People, processes, and technologies are all maturing and adapting to confront these issues (it may not be pretty if youâ€™re behind the curtain but thatâ€™s another post).
If â€œweâ€ means the typical user in a typical small-business or single employee company then the answer isâ€¦maybe. While the threats to SMBs (small and medium sized businesses) arenâ€™t that much different from those faced by larger enterprises, the people, processes, and technologies are just now being revamped to address the specific careabouts and issues that are specific to SMBs and will continue to mature throughout 2007.
Finally, if â€œweâ€ means the typical home user then the answer isâ€¦no, things arenâ€™t getting better, in fact theyâ€™re probably going to get worse before they get better. Home users are more and more the target rich environment of choice for nefarious groups and individuals. The average home user doesnâ€™t have (or isnâ€™t willing or able to allocate) the resources (be it the time, skills, or even the desire) to protect themselves from these new levels of attack.
So what is the bottom line?
The risk may be to our businesses but the threats are not.
The threats we face and need to prepare ourselves to address are not business, or for that matter, technology based. The threats are targeted at users. If you step back, itâ€™s clear that those home users, when it comes right down to it, are the same people that are users in the business environment. They are the employees, the managers, the salespeople, the presidents, and the owners.
Our methods, tools, and techniques have to span boundaries. We have to stop focusing on â€œthis threatâ€, or â€œthat applicationâ€, or â€œthose usersâ€. We have to crawl out of the gopher hole and broaden our vision, not narrow our focus.
As we wrap up another year of learning, improving and adapting, here are three things to think about for 2007, to help combat the growing and shifting nature of our threats:
1.Â Â Â If you could tell every one of your peers, coworkers, bosses, etc. one thing that you believe would make them smarter users, and therefore more secure online citizens, what would it be?
2.Â Â Â If you could make the security technology industry aware of one opportunity that you think they are missing the boat on, what would it be?
3.Â Â Â Are you telling them? If not, why not?