The internet has fostered a new wave of crime, so we must join together to stomp it out

Most of us in the field of information security know the frustration of trying to get businesses and consumers to see the value proposition of security with little or no success.  Businesses typically see security as an unwanted expenditure while consumers for the most part are oblivious to security.  There are many reasons for this lack of interest and to be honest, security ranks right up there with a trip to the dentist or doing taxes.  Security is filled with industry-specific technical jargon and it's usually way too complicated.  More significant is the fact that the full impact of cyber attacks is borne not just by the individual businesses and consumers that were attacked, but by society as a whole, which can cost our economy billions of dollars a year.  Because people tend to only worry about their own costs, cybersecurity is often given too little priority or neglected altogether.

The commercialization and popularization of the Internet brought all the good and the bad of the physical world to cyberspace, but the bad elements of human civilization seem to be accelerated and amplified by the convenience and anonymity of the Internet.  It is a lot easier to commit crimes in cyberspace because everything on the Internet is literally no more than a tenth of a second away.  That means there is no such thing as a "bad neighborhood" on the Internet because the Internet is all one local neighborhood.  Finding potential victims on the Internet is often as simple as a Google search for specific telltale signs of vulnerability or simply spamming every mailbox on the planet because the cost of message delivery is practically nothing.

The threats on the Internet impact everyone from consumers to businesses to government and they involve everything from nuisances like spam to major attacks that can potentially cripple major portions of the Internet.  The Internet is filled with worms, viruses, and Trojan malware that seek to hijack personal computers, and the damage from hijacked computers goes far beyond the victim of the hijacking because compromised computers are used to commit cybercrimes against many other computers.  While consumers have to worry about the theft of their identity and credit cards, the damage goes far beyond the individual whose information was stolen.  Any retailer unfortunate enough to sell their goods to the credit card thief has to eat the cost of the goods and this inevitably raises the price of goods for all consumers.

Businesses have to defend against hackers in addition to all the threats that consumers face.  Corporate espionage is another major problem for any company with any significant holdings in intellectual property, and losing this data reduces that company's competitiveness.  The data being targeted isn't limited to company secrets and intellectual property; it includes customer data as well.  That means customers and other businesses who are conned into accepting stolen credit cards are impacted as well.

Governments face major threats from foreign governments or individuals who hack for profit or ideology.  From website defacement to cyber espionage, governments have their hands full defending themselves in cyberspace.  Worse yet, the threats in cyberspace can potentially spill into the physical world if Supervisory Control And Data Acquisition (SCADA) systems that control critical infrastructure are attacked.  An attack that shuts down the power grid system on a hot day not only costs money, but thousands of people can die from overheating if they lose their air conditioners.  Next month at Black Hat 2009, security researcher Mike Davis will highlight many of the glaring weaknesses in smart grid implementations.  As with most of these security failures, the problems with smart grids stem from sloppy code implementation and weak or nonexistent authentication mechanisms.

President Obama's cybersecurity plan is a great start because it makes cybersecurity a national priority.  It also gives us a centralized place where independent security professionals and industry players can discuss and plan our defenses.  Obama's plan also calls for a national breach disclosure law to make businesses more accountable for their insecurities, but excessive breach disclosure requirements which don't involve actual breaches should be avoided so that consumers aren't desensitized.  Government also needs to work beyond local, state, and national boundaries because the Internet knows no such borders.

Consumers can go a long way to protect themselves just by avoiding pirated software, which can often contain malicious software.  Software makers have a responsibility to stop using sloppy coding techniques and make security a priority from the ground up.  Web application providers have a responsibility to start defaulting to secure protocols so that web accounts aren't hijacked.  Search engine providers already play a role by warning users about unsafe destinations that are known to contain malicious content.  Network operators play a critical role in locating and convicting cyber criminals because they're the only ones that can provide network access logs.  Internet service providers can go a step further with Intrusion Detection Systems and gateway antivirus solutions that stop inbound and outbound malicious attacks before they reach their intended targets.

The lesson here is that everyone has a stake in the cybersecurity of the Internet because everyone pays the price for cyber insecurities.  The challenge is too great to be tackled alone by industry or government.  The Internet is critical to the social and economic welfare of the world and it needs a comprehensive and unified effort to keep it safe.

Comments

By mmcdonalataocdotgov on 6/24/2009 11:51:57 AM , Rating: 3
So the first several paragraphs are a basic introduction to the internet and why it is insecure, then a paragraph on some law that someone is proposing (didn't really get any specifics) then how we can all help out by doing what we've been told since 1995.

Okay, what is this noob lecture doing on a tech site? Shouldn't this be on Redbook or Woman's Day or something where they have never heard of this? I'm just sayin'.

RE: Wow.
By Laereom on 6/24/2009 12:44:03 PM , Rating: 2
The problem is that we're light on articles today, and someone had to post -something-. And to think that if it weren't for that damn TSMC screwing up their 40nm process, we'd be reading about AMD's DX11 graphics cards right now!

More pertinent to the article itself, I can't stand it when I hear people go on about how we all need to band together, so I dislike this article. I'll keep my own system secure and see to it that I only share my information with others who are at least reasonably secure. People banding together won't solve security problems -- it's people sitting in well-lit rooms til 10 o'clock at night developing good software, then working their posteriors off to sell it and/or promote it (if they're going the OSS route) which solves security problems.

RE: Wow.
By mmcdonalataocdotgov on 6/24/2009 2:32:25 PM , Rating: 2
As an application security officer, I agree completely.

RE: Wow.
By GeorgeOu on 6/24/2009 5:59:42 PM , Rating: 2
As a former engineer, I completely agree that it is the engineers who solve the problem. But where do you think you're going to get the budget and approval of your work if we don't all "band together" and if there isn't a greater awareness of this in the general public?

RE: Wow.
By mmcdonalataocdotgov on 6/25/2009 7:13:53 AM , Rating: 2
Fortunately, in the government, there are regulations that specifically deal with an agency's responsibility to use a security SDLC. It is not a matter of awareness, so much as taking the agency to task for its regulated duties. No ATO unless the SSDLC is met. There are great products out there like Telos Xacta that manage these requirements.

By Boze on 6/24/2009 8:40:53 AM , Rating: 5
It's a blast to look at, and probably a lot of fun to hang out with, but don't go into its dark recesses unless you're willing to get a disease.

By Ticholo on 6/24/2009 9:05:47 AM , Rating: 3
I'm confused now.
The Internet is a she-male loving lesbian that's immune to venereal diseases?!

By borowki2 on 6/24/2009 9:16:00 AM , Rating: 2
If we follow the author's advice and all join together to stomp on Lindsay Lohan's dark recesses, we'll be fine.

Treat cybercriminals like drug dealers
By crystal clear on 6/24/2009 10:00:04 AM , Rating: 1
The internet has fostered a new wave of crime, so we must join together to stomp it out

Time for action - set up regional "cybercrime" squads in the police depts ( Computer Crime Units ) just like teams that handle anti-terror operations or anti-drug operations.

We need "e-crime squads" who will detect/track/prosecute these criminals.

Consumers/buyers/users hit by fraud can lodge complaints to this squad.

Treat cyber criminals like drug dealers/sex offenders & in worst cases like terrorists.

Harsh penalties & swift response is the need of the hour.

For this the police depts need additional funding/additional qualified manpower & training plus new laws that make their operations swift & effective.

We also need international co-operation whereby cybercriminals from Russia & China can be deported to the USA to face trial & be prosecuted.

By mmcdonalataocdotgov on 6/24/2009 11:55:41 AM , Rating: 1
Your post is either missing its [sarcasm][/sarcasm] or [strident naivete][/strident naivete] tags.

By aharris on 6/24/2009 6:22:12 PM , Rating: 2
Voting you up because I was thinking the exact same thing.



RE: Treat cybercriminals like drug dealers
By crystal clear on 6/24/2009 1:22:56 PM , Rating: 2
By mmcdonalataocdotgov on 6/24/2009 2:33:05 PM , Rating: 1
I stand by my post.

By Xavier434 on 6/24/2009 9:18:38 AM , Rating: 2
"Software makers have a responsibility to stop using sloppy coding techniques and make security a priority from the ground up."

This is a statement that I highly agree with. However, I also believe that it is very unrealistic for many reasons. To name a few...

1. Business deadlines do not always allow the time or funding for the kind of efficiency which really does work well.
2. Lack of knowledge and experience about how to do it right. Even those that have it will often fall behind because those breaching security tend to advance far faster than those trying to defend it.
3. Laziness in general

I realize those two examples can be argued on a case by case basis but that is not the point. The point is that both creating and maintaining proper cyber security is a very difficult, expensive, and ever changing task to do right. The only way which I can see the tables really turning in favor of software security would be to advance the ease, cost, and automation of the security. Not only does this need to happen at the user level but at the software designer's level too. If development tools and languages were both advanced and maintained to the point where software developers could write their code as near to "worry free" as possible when it comes to security without needing to be "in the know" then we will see much more universal cyber security everywhere. At the same time, those languages and tools need to be adopted universally as well.

Simply making them available for use is not good enough though. We need to make developers and businesses want to use them. We need to convince people that using them equates to more profit.

However, I realize there is little substance in this post. It is very general with few details which come even close to mapping out a real solution. The reason is because I don't have one lol. However, I do know that there is a ridiculous amount of money out there for the guys that finally come up with a way to make all that work and bring cyber security to the level it needs to be.

RE: Unrealistic
By crystal clear on 6/24/2009 10:12:16 AM , Rating: 2
Sloppy coding techniques are the results of companies outsourcing their work to countries like India for cheap labour costs.

Companies in their cost cutting frenzy to boost their profits use low grade programmers, paying salaries that are 30% of that of good quality programmers.

So cheap labour gives you low cost & low quality programmes

RE: Unrealistic
By aharris on 6/24/2009 6:25:16 PM , Rating: 2
Wait, I thought India's IT/CS grads were better than ours?

But all I wanna do is....
By AEvangel on 6/24/2009 2:28:12 PM , Rating: 2
Play WoW and DL porn...

By Zaphod Beeblebrox on 6/26/2009 2:34:42 PM , Rating: 2
Which illuminates the need for porn based MMORP.

The last thing we need
By BailoutBenny on 6/24/2009 7:40:21 PM , Rating: 2
is for the f*cking government to start legislating on this issue. Let people and businesses worry about their own security and don't force me to pay for it.
