Continuing on the thread of security… One interesting story I read this week was about people that use Peer to Peer sharing software like LimeWire and Kazaa to download music from work. Or maybe from their work computer at home. In either case, some of these folks have very little understanding of how these systems work so when they select the default location of their songs in order to share, they inadvertently share their whole C drive, or just their whole My Documents folder. You can probably guess the next thing that happens, everyone on the P2P network, like our nefarious friends Boris and Natasha here, now have access to any files on their computer. The writer of the article went onto LimeWire to see for himself if there was really corporate documents and spreadsheets sitting out there for the download, and guess what, there was – plenty of them.
In the world of security, one thing remains the same, we have a lot of people using computers that have little idea how they really work and the dangers they open up to each day. It has taken us years to get people to understand they should not open files on emails they do not recognize, and still some do. The same holds true with downloading software that cannot be verified as safe. Technology in general keeps getting more complex and as it does, the security threats grow right along. Standing in the breach is the poor institutional security expert who sets rules no one likes because they are “inconvenient.”
I was on-site doing some consulting work yesterday and in a meeting a number with department heads, I jumped into the middle of one such battle between a line manager and the IT department. The nice lady that ran a department was angry because she wanted her people to have the rights to admin their computers and load whatever software they wanted. Since this was a public entity, the IT department had set the security bar appropriately of course. I patiently explained in front of 10 or so department heads that there is a balance we have to live with. Security can be an annoyance, it also can be a critical barrier between us and the bad guys, malware, and griefers that have nothing better to do than shatter our IT world.
My guess is she was just mad because she wanted to download some songs on LimeWire… The IT world has not really gotten safer. We have better tools to defend ourselves, and we have learned a lot about building safer applications. Yet as fast as we gain ground, we add unsophisticated users that simply forget to lock doors and close windows so to speak. The next big advancement in security must come from educating civilians. I have long been convinced that this is the biggest mistake we make in security because we are very willing to spend lots of money on firewalls, intrusion detection systems, and software; and seem to be not so willing to just do training.
Scott