Security Ripcord


The Indians Got The Small Business

If you are a fan of old western movies you will probably know what I am talking about.  Whenever the cowboys were fighting the Indians there was always a scene where the cowboys were on the run or moving to the next trading post.  Eventually one of the cowboys would fall behind to stare off into the distance, light a cigarette, or get a drink of water.  Invariably this cowboy was picked off by the trailing Indians, whether by arrow, by bullet, or by one of them jumping off a boulder to knock the cowboy from his horse.  Of course, this cowboy was never a big name in the movie and nobody really missed him when he was gone.

This scenario makes me think of small and medium sized businesses and their position in the security hierarchy.   I very much doubt that we will ever be able to get all these businesses up to speed and create a security monoculture.  No, I don’t think that is the goal we are striving for, but with time, effort, good standards, and supporting regulations we can get the larger companies in line or, at least, on the same sheet of music.  Unfortunately, the small and medium sized businesses will always be the trailing cowboy who gets picked off.

Why do I think this?  Well, I have come to this conclusion through my own studies.  As I progress in the security industry I find myself striving to familiarize myself with as much of the basics as I can.  There is risk management, security plan development, assessments, system architecture, network and system hardening, application security, web application security, data classification and protection, training, etc.  Of course being a generalist or a “Jack of all trades” is just the way I am.  Although I am not trying to learn everything about everything, I have recently come to the realization of just how frackin’ big and complex this industry is.  Being responsible for a lot of this puts you into the position where you have to come to this realization.  And it is at this point that you realize that you need good people backing up your organization.  You need somebody who can manage how your organization is going to approach and address these issues.  That person will have to hire or train individuals to become familiar with, or even experts in, certain security aspects so that they can properly advise the manager.  These individuals will come together to form a security team capable of addressing most issues.

Why has this situation come about?  Well, this is the way that the attackers and criminals approach the situation.  Someone out there has a need or desire that can only be fulfilled by compromising information through physical or technological means.  Although they can do some of the work themselves, many situations that deal with technology quickly become very complex.  This is where they bring in experts.  These experts usually have a specialty like social engineering, web application cracking, network and system penetration, wireless exploitation, and more.  Certainly as these experts mature they branch out into other areas, but generally they start (as security researchers do) in one field that they master.

These malicious experts are the Indians and, as I have stated, the small and medium sized businesses are the stray cowboys.  These businesses do not have the resources (yes, generally) to acquire or train security experts with the expertise required to properly defend against all scenarios.  Eventually they will stop to watch the sun set, smoke a cigarette, or sneak a sip of whiskey.

Although this post might seem fairly defeatist in nature the point I am trying to make is that there are going to be casualties.  There are always going to be security breaches, stolen laptops, data leaks, and any number of other security related incidents.  The public has to come to this realization and take some additional responsibility for their own, personal, information.  They need to start questioning where their credit card is going and if their information is being stored in a database.  They have to start showing their concerns through their pocketbooks and only selecting companies with which they feel comfortable and safe.  This will force the small and medium sized businesses to start paying attention to the security industry and set a little time, effort, and even money aside to address some of the security concerns.  These businesses need to start asking questions about the software they are buying or having developed.  They need to ask for third party security assessments from their hosting companies.  They need to start being proactive instead of reactive.

Nobody has to be that trailing cowboy.  All it takes is a little extra effort to stay with the group.  Certainly there can still be attacks, but at least you will be more prepared and potentially in a defensible position.  Because if you do find yourself trailing, you are going to be picked off.  Although you might be missed for a little while, you will basically just become one more cowboy lying in the ditch while everybody else moves on.  And let’s face it, if you are going to get it, most of us are hoping that the Indian jumping off the boulder gets you.  It’s just the coolest way to get taken out.

Go forth and do good things,
Cutaway
