Yesterday I received a truly scary briefing. It was given by an expert from IBM’s Internet Security Systems. (Full disclosure here: I work for IBM, but that should not lessen the briefing’s impact.) I will not go into all the points made, but suffice to say that the research ISS does makes them one of the most expert groups in the industry when it comes to cybersecurity. ISS is continuously monitoring thousands of Web sites, maintaining the largest vulnerabilities database in the world and trying to stay a couple of steps ahead of the bad guys all the time.
What was scary was the incredible magnitude of the cyber threat that exists. It covers the gamut from individuals to nation-states and includes online sales of hacker tools (“silver, gold or platinum editions available!”), complete with help desks. Their tracking of the Conficker worm was fascinating as a case study. There is a dedicated consortium of people and organizations called the “Conficker Working Group” that buys 500 domain names a day to keep them from being activated and used for mischief by the still growing network of Conficker-infected systems. 500 a day!
They also showed that every year, one out of two organizations in our country gets penetrated by bad guys (of some sort). Of those, 99 percent had some kind of firewall and anti-virus software on their systems. These are businesses and other entities; the numbers do not include individual systems.
We must get better at cybersecurity. We must understand that just being in compliance with federal or state laws does not equal security. We must understand that merely having firewalls, anti-virus, anti-spam and anti-spyware programs is not enough if we don’t keep them up to date and fully patched. We also have to follow good procedures, have strong passwords (not your birthday or 11111) changed regularly, and stay away from suspect sites (the ISS expert called it the Cyber Red-Light District of porn and gambling). We must avoid the temptation to open those seemingly funny but suspicious e-mails, and for goodness’ sake, please don’t open the attachments or the links in them.
These things will not cure all our ills, but they sure would be a start. One hopes the industry and the government will join forces to create a lasting and comprehensive campaign to raise awareness and educate our population. October may be National Cyber Awareness Month, but the bad guys operate year-round, and until we create a permanent culture of online awareness and safety, they will continue to win.