It Was the Best of Times, It Was the Worst of Times

by | Dec 14, 2006 | Ideas & Insights

By Joe Knape

Larry Seltzer’s article “The New Attack Pattern” states that “things are getting better for the average user over time.” At the same time, several other authors state in a fairly lucid manner that users didn’t feel a whole lot more secure in 2006.

To make matters seemingly worse, according to most would-be fortune tellers, 2007 will see an increase in the number of application based 0-days, attacks on mobile phones will become more common, and incidents of identity theft and data loss will increase.

So which is it? Are we more secure and just don’t know it? Are we not more secure but living in ignorant bliss? Or are we on the edge of a digital precipice?

As Mike Rothman alludes to in his December 13, 2006 post, “Narrow and Targeted in 2007”, the answer is: D, all of the above. Of course, the real crux of the matter is how ‘we’ is defined.

Now, if “we” means the typical user in a typical large company then the answer is…yes — things are getting better from the perspective of the negative impact of “security” incidents such as virus outbreaks, DoS attacks, etc. People, processes, and technologies are all maturing and adapting to confront these issues (it may not be pretty if you’re behind the curtain but that’s another post).

If “we” means the typical user in a typical small-business or single employee company then the answer is…maybe. While the threats to SMBs (small and medium sized businesses) aren’t that much different from those faced by larger enterprises, the people, processes, and technologies are just now being revamped to address the specific careabouts and issues that are specific to SMBs and will continue to mature throughout 2007.

Finally, if “we” means the typical home user then the answer is…no, things aren’t getting better, in fact they’re probably going to get worse before they get better. Home users are more and more the target rich environment of choice for nefarious groups and individuals. The average home user doesn’t have (or isn’t willing or able to allocate) the resources (be it the time, skills, or even the desire) to protect themselves from these new levels of attack.

So what is the bottom line?

The risk may be to our businesses but the threats are not.

The threats we face and need to prepare ourselves to address are not business, or for that matter, technology based. The threats are targeted at users. If you step back, it’s clear that those home users, when it comes right down to it, are the same people that are users in the business environment. They are the employees, the managers, the salespeople, the presidents, and the owners.

Our methods, tools, and techniques have to span boundaries. We have to stop focusing on “this threat”, or “that application”, or “those users”. We have to crawl out of the gopher hole and broaden our vision, not narrow our focus.

As we wrap up another year of learning, improving and adapting, here are three things to think about for 2007, to help combat the growing and shifting nature of our threats:

1.    If you could tell every one of your peers, coworkers, bosses, etc. one thing that you believe would make them smarter users, and therefore more secure online citizens, what would it be?
2.    If you could make the security technology industry aware of one opportunity that you think they are missing the boat on, what would it be?
3.    Are you telling them? If not, why not?