Monday, April 23, 2012

Monkey in the Middle

Imagine a monkey with a bunch of bananas. Now imagine a monkey with a bunch of bananas trying to defend them from another monkey. I’m sure he would put the bananas behind him and keep his eyes on the other monkey trying to steal his bananas. Well now imagine a monkey with a bunch of bananas and some other monkey friends helping him to try to defend the bananas from another monkey. The first monkey has his eyes on the monkey trying to steal the bananas, but who is watching the monkey friends? This is the problem with IT network security.

I saw an article today written about a security survey provided by Bit9. You can read the story here. There were a lot of interesting numbers in the survey that stuck out to me. Most interesting to me? Nearly 2/3rds of IT security professionals worldwide think Anonymous or another hacktivist group will attack them in the next 6 months, but only 1/3rd of the same people feel an employee is a likely threat.

It seems to me we are watching the wrong monkeys. Not that we can ignore the “professional hacker”; of course we have to secure the network. Firewalls, NAC and VPNs all play a part, but later in the article it is reported that only 11% of the security professionals worry about the common attack methods used by hacktivist groups. The biggest fear of attack by 62% of the IT security professionals surveyed is targeted attacks. Targeted attacks are things like malware and phishing attacks.

So unless an IT department is installing malware, it seems to me that this is being loaded by the end user. So while watching the monkey trying to steal our bananas, and trying to keep our company off the evening news, we let the other monkeys steal our bananas, and put our company on the evening news.

Ford Motor Company used to have a motto in the 80s, “Quality is job one”. Today all companies should have the motto, “Security is job one”. Security is everyone’s job, not just the security division of the IT department. What do you secure? The PCs? The servers? Hardware? Software? I say the data. We live in a world of always on, always connected, always working.

So however we access the data, wherever we access the data, whoever accesses the data, we have to secure the data. Everyone has to secure the data, from the CEO to the janitorial staff. More sensitive data is viewed inappropriately because of passwords on sticky notes or non-shredded business documents than because of hacktivist attacks.

Watch the bananas, Monkey, watch the bananas…