There was a show on CNBC recently about cyber threats. The show was pretty much what you would expect when an organization ventures away from its core competence. Imagine if Computerworld did a story on derivatives or CDOs.
As is typical of the mainstream media covering computer topics, most of those interviewed were self-serving: people and companies that make a living defending computer systems, saying how bad things are and thus implying how necessary their services are. We've seen this before.
Sadly, the show did nothing to educate viewers about Defensive Computing. I guess there are no ratings in telling people to eat their virtual vegetables. The Firesheep demo didn't even refer to Firesheep by name so an interested viewer wouldn't know what to search for online.
Still, it got me thinking. The data breaches that we hear about are surely a small percentage of those that are known. And, the known breaches are, in turn, a percentage of all those that have occurred. Even given this, we now seem to be in breach-of-the-day mode.
So why are the bad guys winning?
No doubt there are many reasons that computer systems and networks get broken into. Here, off the top of my head, in no particular order, are a few:
- The game is rigged in favor of the bad guys:
To avoid breaches, the good guys have to succeed 100% of the time. The bad guys only have to succeed once.
- TCP/IP, the underpinning of the Internet, was never designed with security in mind. Ditto Ethernet, the underpinning of almost all local area networks. You may recall that on the Internet, no one knows you're a dog.
- Internet User Guide:
There is no User Guide to the Internet that lays out briefly and in simple language the obvious mistakes that should be avoided. Neither hardware manufacturers, nor ISPs, nor operating system vendors have bothered to offer a helping hand to their most clueless users. A pamphlet would be plenty.
If it only covered the most basic things, that would still be a huge step up. Things like the dangers of clicking links in email messages or that when you are prompted to install software there's a good chance it's a scam. Mac users are just learning this last point the hard way. Welcome to the club. Back in February 2010 Microsoft employee and security expert Roger Grimes wrote: