The impasse of the security landscape and a person's state of mind.

Was reading up on the blog of a friend of mine, and came across an interesting article about (the rumor that) botnets are starting to focus on eBay. There are two linked articles: one about the botnets that are focusing on eBay, and one about a case of identity theft.

Bear in mind the horror of going through such a scenario. I guess that when you’re reading this, you’re an IT-minded person, but there are a lot of people out there… who are not. These people are vulnerable to such attacks, as they do not really care about (or rather, understand) the need for computer security. Here I must admit that I haven’t been the lock-down person myself in the past. But if I’m seeing the increase of trojans & botnets, then you have to wonder what’s coming to us.

When friends/family ask me for assistance with their IT worries, I often check their computer for all sorts of malware. And the results are often discouraging, even when people have up-to-date antivirus software and patched systems. There has always been one string of hope. I generally “suggested” that they install Firefox/Thunderbird, and gave them the following advice:

“When you don’t know who sent you the mail, don’t open anything, and delete it!”

The people who followed up on those suggestions/advice are mostly the ones who have pretty clean systems. Yet the ones who insist on running all sorts of P2P-related software (for downloading “god-knows-what”) are mostly infested with malware.

Next up are the corporate networks… I guess I can’t speak for the whole community, but in my career I’ve also had the function of system administrator within a European holding. The IT department was decently sized, yet overloaded with work (or badly prioritized? let’s keep that in the middle). The general rule was to get things done ASAP…

“Time costs money, and money is what the shareholders want…”

The things that are often neglected in those situations are security & documentation. It’s already hard trying to persuade a business to invest in IT, let alone justify the costs of securing the infrastructure. The CFO in question had a “nice” stop-phrase for security-related items:

“Why do we need to secure this? We are not a bank.”

The above statements are not meant to portray a bad image of one of my past employers, but to sketch a situation of the general IT market. A lot of companies want to cut their costs… In addition, IT departments of small/medium-sized companies can’t always justify their cost. So some things get sacrificed, and those things are mostly the things that provide the fundamentals of the whole IT infrastructure.

Why chop at leaves, when one must dig at root? (Confucius)

Take this mentality into account when looking at the potential risk described in the first paragraph… and one must not wonder why malware doesn’t cease to exist. A lot of people often blame Microsoft for writing bad/insecure code, but this isn’t the root of our issues. This is only the leaf of the tree. The problem of security lies within, it lies at our roots, at the water that enlivens our tree. The tree being our (global) IT infrastructure, and the water being the (justification of) resources of the IT department.