Have we lost the war? Or are we just fighting the wrong battles?

24 10 2014

It’s October, and so far this year the ‘bad guys’ have obtained well over 100 million customer records and a similar number of credit card details from a variety of organisations ranging from banks to hardware stores. Every day it seems another bad news story appears in The Register or even on the BBC informing us of yet another security breach, software vulnerability, internet scam or infected cat video on YouTube.

Each news story prompts the rolling out of the same faces, making the same statements and wringing the same hands AND NOTHING CHANGES.

Whilst those who have been paying attention understand that we are no longer up against spotty-faced kids in their bedrooms who switch between Doom (showing my age here) and hacking a web site for their entertainment, the wider community does not seem to have caught on.

Our adversaries are running multi-million-dollar global enterprises with levels of organisational sophistication and technical expertise that many of their target companies could only dream of. They don’t have to worry about setting up committees and focus groups before deciding whether to raise a project to scope out the work necessary to request a budget to carry out a feasibility study into the value of implementing a new product. They just get on and do it, and in many cases do it extremely well.

That means that we’re always going to be behind the curve, playing catch-up, and with the pace of technology change we’re falling further behind.

So what do I think we should be doing? Well, to use Tony Blair’s famous phrase from 2001, “Education, education, education”, but not just in schools and universities.

People write poor code that can be exploited, people click on links in emails and download viruses, people give away their security information to anyone who offers them a free app, people decide on what budgets should be spent on security improvements and only people can make the changes necessary to give us half a chance.

Until most people ‘get it’ then the few of us in the security world who already ‘get it’ are just lone voices in the wilderness, seen as a bunch of geeks wheeled out for soundbites that are forgotten as soon as the next celeb leaves Big Brother.

Sure, there are glimpses of change. Initiatives such as the UK Government’s Cyber Streetwise and Get Safe Online (incidentally, did you know that 20-26 October 2014 is Get Safe Online week? No, me neither) are baby steps in the right direction, as are moves by e-Skills UK to promote cyber security training, but none of them are really joined up, and very few make it into the public consciousness.

So how could we achieve effective education of those who really matter?

There is no magic bullet, no one panacea for all our ills, but one thing we do know about the western world is that if something has a celebrity angle, involves reality TV or appears in a soap opera, boy does it get discussed around the coffee machine. If people feel they are directly affected by something (even if they aren’t) then there is a clamour to ‘get something done’ about it. So if we can pique their interest about something that they are affected by then who knows what might happen.

Maybe, just maybe, if we were able to get the conversation going at the soap opera level, that would get the message to the masses. If the scripts were written in an interesting and accurate manner with real human interest about the victims, maybe that would provoke a reaction. If real solutions and suggestions were offered in a joined up way, maybe that would encourage people to find out more and create a demand for change, and change themselves.

We know that simple things like running an up-to-date operating system and browser, thinking before clicking, and not sharing your personal information with the world at large will all help make you less of a target. The other 99% of the population don’t, and most of them don’t even know they don’t know. Until that changes no amount of firewalls, IDS, IPS, anti-malware or any other technical security will win the war for us. No burglar will waste their time picking the locks of the back door when the front door is wide open and the burglar alarm is turned off.

As a start we need to remind people why they have a lock on their front door, and that leaving the key on the doormat or not locking it at all is plain stupid. Once we get that message understood then we can start with the more sophisticated stuff.

That’s my two-penneth worth. Maybe you agree or maybe you think I’m being too simplistic, not clever enough or just dumb? Either way, I’d love to hear what you think so please leave me some comments and if you are a script writer on Coronation Street or Hollyoaks let me know and we can have a chat.

Keep safe



Some Basic Tips for Internet Safety

14 07 2012

There is a saying that “on the Internet, no-one knows you’re a dog”. What this means is that it is very easy to hide your identity, but that cuts both ways. The person you think you are chatting to, or accepting as a friend on Facebook, may not be who you think they are. Trust is a basic human instinct; it’s how societies develop, enabling co-operation and progress. The problem is that there are always people looking to take advantage of that situation. When you meet someone in person there are certain actions you follow to assess them. Looks, voice, mannerisms and dress are all used by us to decide whether we are going to like or trust them. First impressions count for a lot and people take great care to create good ones. Interactions on the Internet are no different. A professional-looking web site, a well-crafted invitation, suggestions of mutual friends, all go a long way towards establishing credibility. Unfortunately on the Internet you are at a disadvantage because it is very difficult to validate the information you are presented with, but it’s not impossible.

So here are a few basic tips you can follow to validate that connection BEFORE you commit.

1. Use Google (or your search engine of choice) to cross-check the web site before you pass any information over. Many of the scam sites have been identified and ‘outed’ on the Internet. A quick Google will bring these to your attention.

2. Before accepting that Linked-in or Facebook friend request, have a look at their profile. Does it look credible, are there errors, does it make sense?

3. Whilst not foolproof, a very simple check is to ‘hover’ your mouse pointer over a URL before you click. Does the address that appears at the bottom of the screen look ‘right’? If you are expecting it to point to your bank, and the address seems to be going to Russia, it probably makes sense to be cautious.

4. If you are going to send personal or financial information to a web site, make sure the connection is secure. The URL should start with https (instead of the usual http). This shows that the information will be encrypted whilst it is being transmitted.
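Tips 3 and 4 can be turned into a mechanical check on the address you see when you hover over a link. The example below is added here and is not part of the original post; the expected domain `bank.example.com` and the sample links are constructed for illustration.

```python
import ipaddress
from typing import List
from urllib.parse import urlsplit

# Assumed: the domain the reader expects the link to go to (constructed example).
EXPECTED_HOST = "bank.example.com"


def check_link(url: str, expected_host: str = EXPECTED_HOST) -> List[str]:
    """Apply the 'hover and look' tips to a URL.

    Returns a list of reasons to be cautious; an empty list means the
    address uses https and really points at the expected domain.
    """
    warnings = []
    parts = urlsplit(url)

    # Tip 4: the scheme should be https, not http (or missing altogether).
    scheme = parts.scheme.lower()
    if scheme != "https":
        warnings.append(f"not https (scheme is '{scheme or 'none'}')")

    # A 'user@' section lets an address show the bank's name before the
    # real host, e.g. https://bank.example.com@somewhere-else/ .
    if parts.username or parts.password:
        warnings.append("address contains user@ before the real host")

    # Tip 3: does the real host match the domain you expect?
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        warnings.append("no host in address")
    else:
        if host != expected_host and not host.endswith("." + expected_host):
            warnings.append(f"host '{host}' is not {expected_host}")
        # A bare IP address is unusual for a bank or shop.
        try:
            ipaddress.ip_address(host)
            warnings.append("host is a bare IP address, not a domain name")
        except ValueError:
            pass
        # xn-- labels are internationalised names, often used for lookalikes.
        if any(label.startswith("xn--") for label in host.split(".")):
            warnings.append("host uses internationalised (xn--) characters")
    return warnings


if __name__ == "__main__":
    for link in ("https://bank.example.com/login",
                 "http://bank.example.com.evil-site.example/login",
                 "https://bank.example.com@evil.example/login"):
        print(link, "->", check_link(link) or "looks OK")
```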

So there you go, a few more tools to add to your bag. The surface has barely been scratched, but as someone else has trademarked ‘every little helps’.

See the next blog for some more hints and tips.

