The Grey Chronicles

2009.February.4

Insecurity In Security


With the onslaught of malware, computer security has been foremost to computer-savvy users. I have been a volunteer at Yahoo!Answers and have seen many users asking questions, almost repeatedly, regarding protecting one’s own privacy and computer from hackers and other sinister personalities in the interconnected world.

Sadowsky et al. (2003) explained:

“The average networked computer user of the 1970s was a professional computer specialist; today the average user is fairly ignorant, or at least is unconcerned with the technical details involved with the operations of the computer and its network. As a result, these casual users may fail to put proper security software packages and procedures in place, so that weak links in the network may be exploited by hackers or computer criminals, regardless of the respective geographical locations of the user, the exploiter, and the system being exploited.”

If you have ever visited the Security forum on Yahoo!Answers, typical questions a visitor would encounter are: What is the best security (virus, spyware, trojan, etc.) software? Does running a number of them on a computer system provide security from malicious attack? What is the best way to deal with these attacks? Almost every hour, a similar, if not the same, question is asked and answered by members.

Most computer users, however, are aware of the effects of cyberspace risks: information destruction; information theft, and loss of privacy; loss of information integrity; loss of network integrity on other systems and/or networks or keystroke capturing.

Information Technology Security Handbook


It’s been said that the Internet is stupid (Lessig, 2001) — it only delivers packets from one point to another in the network; global (Ohmae, 2000) — connecting many countries, with information generally flowing freely across national borders; open — a network of networks, in which any network that conforms to TCP/IP (Transmission Control Protocol/Internet Protocol) can connect successfully with it and become a part of it; decentralized — no system-wide gatekeepers; abundant — barriers to entry are low and the amount of bandwidth is only dependent on the channel’s capacity; relatively inexpensive, especially for the average user in parts of the world where local calls are free; user-controlled — the user can be both the author and the publisher; interactive — users can quickly and easily move between accessing multiple content providers and sending and receiving electronic mail with many people; and worst: vulnerable — certain aspects of trust were assumed rather than required. Thus, the Internet was not designed to maximize security, but instead to maximize the fruits of collaborative work; such a degree of openness has provided opportunities for some people to misuse the network in ways that are harmful to others (Sadowsky et al., 2003).

Conceptually, cyberspace security threats are no different in nature from threats in the real world; the mechanisms, however, are different. Cyberspace threats can take place rather rapidly and come from anywhere on the network, while the responsibility for security is divided among multiple players. Still, there are ways to deal with cyberthreats: understanding, prevention, avoidance, detection and resolution.

Many security experts suggest understanding safe computing as the first step in devising a security strategy. Safe computing is the practice of using computers effectively and securely. There are many programs that address a range of computer security needs; some are even free. Safe computing, however, goes beyond understanding the threats, deciding on what kinds of risks to minimize or eliminate, and assessing the issues of cost, time, and inconvenience; it should also include procedures, rules, and self-discipline.

I have written it before: “Security is not the single domain of the Information Security Officer, but rather it is the concern of every user of information.” Fortunately, the Information Technology Security Handbook agrees:

“Security is everyone’s business, whether you are a casual user, a technician, a system administrator, a network administrator, or a manager with responsibility for systems or networks. Understanding what the central security issues are, taking prudent actions to protect your systems, and putting a set of effective security policies in place are critical steps you must take to ensure that your machines and information will be secure from unauthorized access and that you will be able to exchange that information securely with others on the network.”


Notes:

Lessig, L. (2001). The Future of Ideas. New York: Random House.

Ohmae, Kenichi (2000). The Invisible Continent: Four Strategic Imperatives of the New Economy. New York: Harper Business, 2001. 262 pp.

Sadowsky, George; James X. Dempsey, Alan Greenberg, Barbara J. Mack, Alan Schwartz (2003). Information Technology Security Handbook. Washington: The International Bank for Reconstruction and Development / The World Bank, 2003. 392 pp.

Disclaimer: The posts on this site are my own and don’t necessarily represent any organization’s positions, strategies or opinions.


2 Comments »

  1. It’s interesting that although the universe of security intrusions and protections has evolved since we wrote the book in summer 2003, the universal truth quoted in this article has not. Security is truly everyone’s business, and that fact is recognized only slightly more today than it was in mid 2003. I thank the owner of this site for both understanding this and emphasizing it once again.

    Although the author did not mention it (he may not have known it), the full text of the book is available on the Internet at:

    http://www.infodev-security.net/handbook/

    An increasingly relevant question is whether there is any form of control over users that will really ameliorate the problem of security to a relatively minor level. The alternative may have to be a fundamental redesign of the Internet.

    Comment by George Sadowsky — 2009.February.5 @ 02:03

    • Thanks, George! I have been searching for years for an article regarding “Security as everyone’s business” but I only found that your book [rather recently] elucidated the need more than other references. There had been discussions in my workplace that Security should be handled only by the designated Information Security Officer, and your line of thought truly captured that need, and proved my point.

      Although I have not mentioned the link you stated: http://www.infodev-security.net/handbook/ , somewhere in that post I also included http://www.infodev.org/en/Publication.18.html [linked from the book image] and http://www.infodev-security.net/ [in the Notes section] because these were the links specified in the book. Thank you very much for the updated link!

      Also, thanks for your comments and more power!

      Comment by reyadel — 2009.February.11 @ 09:37

