For decades the information security world has been focusing on protecting users from attackers, hackers, and crackers. Contrary to the norm, I will be using the term "malicious security cracker" in this article to describe those who use their knowledge and talent to do more harm than good. In a TechRepublic post from 2009, Chad Perrin does a fantastic job of explaining the differences between a hacker and a cracker. Read and decide for yourself: http://www.techrepublic.com/blog/security/hacker-vs-cracker/1400.
Okay, now with that out of the way let's get down to business. Over the years we've seen hundreds of companies emerge who all claim to offer us better or the best protection for our computing environments. We have a multitude of vendor options for routers, firewalls, email security, web security, network security, server security, and endpoint security. Let's also not forget all the mobile devices like phones, BlackBerrys, and tablets, which are providing us with even more platforms we need to worry about. But who is at fault when we are attacked? Who do we blame or hold accountable for the security, or should we say non-security, of our information and services? The majority of people will say things like "it's not my fault that my account was hacked" or "I have the latest and greatest security products", and of course "I don't know how they got in".
Well, let me see if I can shed a little light here. For the past couple of years we've all heard about these malicious security cracker groups who have been attacking companies and government agencies. The prideful bunch that they are, they like to brag and boast about their latest victims and how easy it was to break in. What they're also doing, if the right people would pay attention, is giving us a roadmap for bettering our security. So let me share what I've learned from this.
First and foremost, Internet Service Providers (ISPs) are not blameless! In my theory, ISPs can and should step up and take responsibility for what happens on their networks. After all, we do connect to and become part of their network. But first, let's give my theory a name. How does "London's Internet Security Theory" (LIST) sound? In my theory we can provide a basic layer of security for everyone at the ISP level. Yes, you heard correctly; I did say security for everyone. That means all the companies, all the government agencies, and even the home users would be protected. How would this work? If the ISPs simply utilized network IPS (Intrusion Prevention) solutions which were capable of preventing the majority of the attack methods used by malicious security crackers, we would find the internet to be a safer and slightly friendlier place to do business. Attack vectors like DoS, DDoS, SYN floods, and even encrypted attacks can all be things of the past. With more and more organizations moving their daily operations into the cloud, it is imperative that the ISPs become that first layer of defense. I will discuss this in a later blog posting.
Let's think about this from a logical networking security view. In order for anyone to connect to the internet, they have to first connect to an Internet Service Provider (ISP).
Firewalls are now being shipped in a state of "allow all except" versus the old setting of "deny all except". In the old days we had to carefully test all applications and connections to make sure we knew which ports to open up and allow connections to be made through. Now we only have to turn the firewalls on and everything is allowed...by default. This changes things, as now we have to figure out what to close as well as what to leave open. Wouldn't it be nice if a firewall vendor allowed us to do some adaptive blocking or allowing?
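To make the difference between those two defaults concrete, here is an added example (not part of the original post): a small first-match rule evaluator in Python, run against a constructed list of services listening on one host. The rule format, the service names and port 8099 are assumptions made up for illustration, not any vendor's configuration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    proto: str               # "tcp" or "udp"
    port: Optional[int]      # None matches any port

def decide(rules, default, proto, port):
    """First matching rule wins; the default applies when nothing matches."""
    for r in rules:
        if r.proto == proto and r.port in (None, port):
            return r.action
    return default

def exposed(rules, default, listeners):
    """Return the listening services an outside host could reach."""
    return sorted(name for name, (proto, port) in listeners.items()
                  if decide(rules, default, proto, port) == "allow")

# Constructed inventory of services listening on a host (sample data).
LISTENERS = {
    "https": ("tcp", 443),
    "ssh": ("tcp", 22),
    "telnet": ("tcp", 23),
    "smb": ("tcp", 445),
    "snmp": ("udp", 161),
    "vendor-agent": ("tcp", 8099),  # hypothetical: installed later, never reviewed
}

# "Allow all except": the admin blocks only what they know to be risky.
ALLOW_ALL_EXCEPT = [Rule("deny", "tcp", 23), Rule("deny", "tcp", 445)]
# "Deny all except": the admin opens only what was tested and needed.
DENY_ALL_EXCEPT = [Rule("allow", "tcp", 443), Rule("allow", "tcp", 22)]

def unreviewed_exposure():
    """Services reachable only because the default let them through."""
    open_by_default = exposed(ALLOW_ALL_EXCEPT, "allow", LISTENERS)
    open_by_rule = exposed(DENY_ALL_EXCEPT, "deny", LISTENERS)
    return sorted(set(open_by_default) - set(open_by_rule))

if __name__ == "__main__":
    print("allow-all-except exposes:", exposed(ALLOW_ALL_EXCEPT, "allow", LISTENERS))
    print("deny-all-except exposes: ", exposed(DENY_ALL_EXCEPT, "deny", LISTENERS))
    print("reachable without review:", unreviewed_exposure())
```

With the same host behind both policies, the services nobody wrote a rule for stay reachable under "allow all except" and are dropped under "deny all except".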
So I've jumped from my original thought of who is to blame. To get this back on topic let me just say that it basically comes down to this - we are all to blame. You, me, the vendors and programmers, and especially the service providers. Of course there are more layers and levels of complexity to this but why am I throwing such a wide range of blame? Simply put...we all need to pay attention to what our applications, systems and devices are doing or attempting to do. If you don't know what an application does on your phone...delete it. If you don't know why an application is installed on your computer...delete it. If you aren't sure of what is good or bad then ask someone who may know. We all know someone in IT someplace. And if it's a question about a phone or tablet we could probably just ask the nearest 10 year old. Of course we could also try reading the manual but then that would just be silly.
Tuesday, July 19, 2016
