This is the first blog post in a series of posts where I will try to document some of the false perceptions about IT security — and believe me, there are many. It is impossible to cover all of them, but I will do my best to cover as many as my time and energy allows.
I was born in the early 80s, and I grew up with great movies like The Terminator, Robocop, War Games, Hackers, Minority Report, Blade Runner and The Matrix. All these stories played with the idea that technology was going out of control — but that’s just fiction, not reality, and we all know that. But when we talk about IT security we still live with this mindset that the biggest issue is protecting ourselves against future threats.
The same thing happens when I attend security conferences or read articles and blog posts; everyone seems to focus on trying to uncover plots or protect us from the unknown. Almost all security companies and researchers are talking about APT (Advanced Persistent Threats) and targeted attacks. Don’t get me wrong, this is very important, but if we look at the intrusions and vulnerabilities at companies right now, you see a different story.
Always keep your protection up-to-date!: https://t.co/ieDcJAs7Zp #KasperskyInternetSecurity pic.twitter.com/dWHsPhCt6e
— Kaspersky (@kaspersky) November 26, 2014
The problem seems to be that we’re still vulnerable to some very old security problems. When I talk to fellow researchers I get the feeling even at security conferences that a lot of very important discussion is being silenced simply because they don’t involve shiny new, never seen before material. This has resulted in security researchers and computer professionals no longer sharing very interesting tools, ideas, tips, tricks and experience.
As security researchers we need to start taking more responsibility for what we talk about. What we write in our blogs and what we tell people is important. Don’t get me wrong, of course we need to continue researching into new threats, but we also need to look at older more persistent problems.
A fascinating story how @JacobyDavid hacked his smart home https://t.co/ckTyeMVLUp pic.twitter.com/q4LiqsBnA4
— Eugene Kaspersky (@e_kaspersky) September 25, 2014
But if we only ever talk publicly about the latest malware campaign or vulnerability, too many people will focus on protecting themselves against the latest threats while continuing to neglect basic problems like vulnerable systems, weak passwords, poor patch management, no network segmentation, unencrypted databases and, of course, default settings.
That said, I also want to emphasise that when I talk about ‘we’ as an industry, I am not just talking about security researchers but also administrators, developers, consultants and other IT boffins around the world. Our developers need to take more responsibility and pride in their code and system administrators and integrators need to make sure they fully understand their applications and operating systems before pressing that install button.
IT #security affects everyone!
Tweet
Even if you are a consumer, you still need to take this seriously. It affects you too. You have to assume ownership of your own IT security and not blame others if something goes wrong. After all, it might just be your weak password that compromised your security.
Don't forget to check your password! #PassChecker http://t.co/vXnwmfqSWh https://t.co/P9Pm0SGc4n
— Kaspersky (@kaspersky) October 22, 2014
We cannot fight the future without understanding the past. Maybe right now we are in an era where technology is actually growing faster than we can control it, but instead of trying to predict even deeper into the future, we need to take one step back and actually work with what we already know.