I Don't Need Any Security! Who Wants to Hurt Me?

April 15, 2012

Imagine a world free of criminals, where every single soul obeys the law and never tries to bend or break it. If there were no criminals there would be no crime, and the world would never have thought it needed security. Unfortunately, that is not the world we live in. We all need security, from putting a passcode on our cell phones to building the most sophisticated defence systems through the Air Force, the Navy or the Marines to protect a nation from internal and foreign threats.

The same is true of our cyber society, but those who wish security were less of an overhead outnumber those who genuinely believe it is worth building a robust, secure architecture. This cyber society is itself divided into, let's say, different castes or religions: the Administrators, the Programmers, the Consultants, the Hackers, the Spammers and the End Users.

The "Admins" feel that implementing security and compliance makes them do not-so-important, unnecessary work that has no impact on the organization's performance and is just an extra burden of needless steps on the way to getting a task done. The recently published Second Annual Cost of Cyber Crime Study by the Ponemon Institute, a U.S.-based information security policy research center, states that "over the past year, the median cost of cyber-crime increased by 56 percent and now costs companies an average of $6 million per year." Clearly, administrators need to beef up their security.

The "Programmers" don't care about security. They focus only on functionality and on meeting their development deadlines. They want the business to launch ASAP, and only once it has launched do they start worrying about security, ignoring the universal truth that security must be built into the code throughout the Software Development Life Cycle (SDLC), not bolted on at the end. Below is an excerpt from the 2011 Global Security Statistics and Trends report by Charles Henderson of Trustwave that gives an idea of why it is so important to encourage programmers to learn and maintain secure coding practices.

This habit is what gives "Consultants" like us our bread and butter: consulting, auditing, reporting and sometimes helping corporates fill security holes, or showing them how to turn the technology in an organization into a business enabler. In the world of Information Technology (IT), the one thing every consultant needs is the knowledge and technical know-how of how the system works; without it you are not even qualified to point corporates in the right direction. While most consultants have a bachelor's degree in IT or computer science and relevant experience, few hold industry-standard certifications such as CISA or CISSP. According to the Bureau of Labor Statistics (BLS), in addition to computer-networking and IT skills, security consultants also need qualities like ingenuity, initiative, stress tolerance, attention to detail, persistence, self-control, adaptability, leadership skills and the ability to work independently.

The source of all these problems, and the reason security exists at all, is the bad guys called "Hackers", who want either to harm systems and networks or to profit by exploiting vulnerabilities that the system's creators are unaware of. Stuxnet is the example everyone cites: the first weapon made entirely out of code, built to sabotage physical equipment (it manipulated the Siemens PLCs driving Iran's uranium-enrichment centrifuges) and a demonstration that the same approach could be aimed at power grids, oil pipelines or nuclear plants. The biggest threat to a nation's economy comes from Advanced Persistent Threats (APTs), which are highly sophisticated and often government sponsored or funded by large organizations. Cisco's 2011 Global Threat Report put the overall cost of targeted attacks to organizations worldwide at $1.29 billion annually, and many of these breaches resulted from advanced persistent threats.

The most irritating of the lot are the "Spammers". You may almost be convinced that you have won a billion dollars because some rich, dying old man liked your face and decided to leave his entire estate to you, but in the end you lose your own money. They try to sell you all kinds of things through spam because it is economically viable: advertisers have no operating costs beyond managing their mailing lists, and it is difficult to hold senders accountable for mass mailings. Last year, the estimated number of spam messages was around seven trillion, and almost 60% of email traffic was reported to be spam. According to the Cisco 2011 Annual Security Report and Cisco Security Intelligence Operations (SIO), spam volume dropped from more than 379 billion messages daily to about 124 billion messages daily between August 2010 and November 2011, mainly because spammers now prefer targeted campaigns. Cisco SIO estimates that the cybercriminal benefit from traditional mass email-based attacks declined more than 50 percent (on an annualized basis) from June 2010 to June 2011, from US$1.1 billion to US$500 million.

The report also highlights spam volume by country, as shown in the figure below.

It is interesting to note, however, that the report does not say which country ranked sixth. Comment if you know the answer and I will tell you who gets the prize.

It seems "Security" is now the fourth item on the list of basic necessities, after food, clothing and shelter, without which the innocent "End User" is left exposed to Hackers and Spammers: because the Admins were too lazy to do their job, because the Programmers stored passwords in the database without hashing them, or because the Consultant failed to spot the fake website a social engineer set up to capture his banking credentials. When it comes to security, a proactive approach beats a reactive one. Having said that, installing anti-virus software, firewalls and intrusion detection/prevention systems is not all it takes to secure IT assets; it takes a lot more than that.
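The password mistake above deserves a concrete illustration, so here is an added example (not code from the original post). It shows what "the programmer forgot to protect the passwords" should actually be fixed with: not reversible encryption, whose key sits next to the database and leaks with it, but a slow, salted, one-way password hash verified with a constant-time comparison. It goes slightly beyond the sentence by also hashing against a dummy record for unknown users, so login timing does not reveal which usernames exist. Everything here is an assumption of the example rather than something the page describes: PBKDF2-HMAC-SHA256 from the Python standard library, the iteration count (OWASP's published figure for that algorithm), and an in-memory dict standing in for the users table with constructed sample data.

```python
# Added example (not from the original post): salted one-way password hashing
# versus storing passwords reversibly. Assumptions: PBKDF2-HMAC-SHA256 from the
# standard library, an in-memory dict as the "users" table, constructed sample data.
import hashlib
import hmac
import os
from typing import Dict, Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000      # OWASP's current figure for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
DKLEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    The salt is random per user, so two users with the same password get
    different records and a precomputed (rainbow) table is useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             ITERATIONS, dklen=DKLEN)
    return "$".join([ALGORITHM, str(ITERATIONS), salt.hex(), dk.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        expected = bytes.fromhex(hash_hex)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations),
                                 dklen=len(expected))
    except ValueError:
        return False          # malformed record: fail closed, never crash
    return hmac.compare_digest(dk, expected)


# --- what a breached "users" table hands the attacker ---------------------------
# Constructed sample data. A reversible store (plaintext, or encrypted with a key
# the application also holds) looks like this once the key leaks with the backup:
INSECURE_USERS: Dict[str, str] = {
    "alice": "correct horse battery staple",   # readable as-is
    "bob":   "correct horse battery staple",   # identical passwords are visible
}


def build_user_table(plaintext: Dict[str, str]) -> Dict[str, str]:
    """Convert a plaintext table into hashed records (what the app should store)."""
    return {user: hash_password(pw) for user, pw in plaintext.items()}


# Record for a password nobody has, so unknown usernames cost the same
# PBKDF2 work as real ones and login timing does not enumerate accounts.
DUMMY_RECORD = hash_password("dummy-password-for-timing-equalisation")


def login(users: Dict[str, str], username: str, password: str) -> bool:
    """Authenticate against hashed records; unknown users still pay the hash cost."""
    record = users.get(username, DUMMY_RECORD)
    return verify_password(password, record) and username in users


if __name__ == "__main__":
    users = build_user_table(INSECURE_USERS)
    for name, record in users.items():
        print(name, record)          # same password, two different records
    print(login(users, "alice", "correct horse battery staple"))   # True
    print(login(users, "alice", "wrong"))                          # False
    print(login(users, "carol", "correct horse battery staple"))   # False
```

Storing the algorithm and iteration count inside the record is what lets you raise the work factor later: new logins can be re-hashed with a higher count while old records keep verifying, and a record from a different algorithm is rejected rather than silently compared.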
 

The Armageddon of Cyber Security

November 23, 2010

War... Huh! What is it good for? Absolutely SOMETHING! The question on everybody's mind, "When will it end?", is slowly changing to "How will it end?". A security professional lives much like a soldier fighting at the border; the only difference is that the enemies shoot SYN packets at our computers, which bleed from their open ports. Once they bleed, the attackers keep shooting all kinds of probes until the machine is hacked or has bled out entirely (DoS).

An evident fact in our cyber society is that the "Bad" is always ...


Continue reading...
 

You Can Hack But You Can't Hide

July 7, 2010

I thought this was a very interesting title for a discussion, but the whole idea is to debate whether "you can" or "you can't" hide. Now that hackers around the globe have more sophisticated hacking tools under their belt, spoofing your identity has become easier than ever.

Mature hackers, unlike script kiddies, always think twice before trying to break into a target system. The only thing they fear is what could happen if they get caught. "Law enforcement relies on the corporate s...


Continue reading...
 

1981 Indian Websites Defaced In Just Three Months

April 12, 2010

According to data collected by CERT-In, the Indian government's agency for responding to computer security incidents as and when they occur, a total of 1981 websites were defaced in the first three months of 2010.

Website defacement is an attack in which hackers change the visual appearance of a web page or replace a website's real page with one of their own.
Comparing the results with past trends, I am not really surprised at these statistics...


Continue reading...
 

Gmail Introduces Suspicious Activity Warning

March 26, 2010

Recently, my Gmail account was hacked by some botnet, which sent out e-mails to all my contacts asking them to check out a website. I only realized this when I checked my Gmail "Sent Mail" folder, and I had to immediately send a warning message to all my contacts telling them that my account had been hacked and not to click on any links from my previous mails.

I changed the password, which solved the issue, but who knows, some other botnet might just be able to bruteforce my password and get me in trou...


Continue reading...
 

China warns Google to obey law

March 15, 2010

Promising consequences if Google flouts China's censorship laws, Chinese authorities also chide the U.S. for its human rights record
By Thomas Claburn, InformationWeek USA

A top official of the Chinese Ministry of Industry and Information Technology (MIIT) recently warned Google that it will face consequences if it fails to obey Chinese laws.

According to an Associated Press report, Li Yizhong, head of the MIIT, said, "If you want to do something that disobeys Chinese law and regulations, you ...


Continue reading...
 

Oscars – the new vehicle for hackers to spread attacks

March 9, 2010

IT security and control firm Sophos is warning that hackers are exploiting interest in last night's Oscar film awards ceremony to infect the computers of unsuspecting computer users.

According to the report "movie-loving Internet users are searching the web for information and gossip about the Academy Award winners, making phrases like "Oscars Winners" one of the most commonly searched for phrases on the Internet.  However, using SEO (search engine optimisation) techniques, hackers have create...


Continue reading...
 

Census Is Getting Too Personal

March 8, 2010

Over the next couple of weeks you're going to get a 2010 census letter in your mailbox, followed by a call or a visit from a census worker. But beware: there are con artists out there who see a census year as a gold-mine opportunity to steal your private information. Apparently this happens every ten years. The big question is what level of authorization these bureaucrats have to access our private/confidential information.

QUESTIONS THAT...


Continue reading...
 

United States Department of Defense Embraces Hacker Certification to Protect US Interests

March 2, 2010
The U.S. Department of Defense (DoD) announces the official approval of the EC-Council Certified Ethical Hacker (CEH) certification program as a new baseline skills requirement for U.S. cyber defenders. Specifically, the new Certified Ethical Hacker program is required for the DoD's computer network defenders (CNDs), a specialized personnel classification within the DoD's information assurance workforce.
 
The Certified Ethical Hacker requirement falls under the auspices of DoD Directive 8570 I...

Continue reading...
 

A one-third rise in cyber attacks saw 100 per cent of enterprises experience cyber losses in 2009

February 25, 2010

Under half of organisations rate security as their top issue, while three quarters experienced cyber attacks in the last 12 months.

According to Symantec's 2010 State of Enterprise Security study, 75 per cent of enterprises experienced cyber attacks in the last 12 months and 36 per cent rated the attacks somewhat/highly effective. Also, there was a 29 per cent rise in reported attacks in the last 12 months.


It also found that 100 per cent of enterprises surveyed experienced cyber lo...


Continue reading...
 