How do we improve Security?

We need a Renaissance of focus on Security.

I’m a Systems Engineer (http://www.fixvirus.com/about-us-full-story/) and a teacher of Security Architecture (SEC020 at the Professional Education Technology & Leadership Center at Washington University in Saint Louis).

So of course, like a dentist looking at teeth (they can’t help it), I look at computers from a systems point of view.

Which is why I have created a method of testing the network here on this site: Test and audit your environment to make you safer (A – Σ – Ω)

There is also a test of the wireless access point areas: Psi Service

It is interesting to note that PCI compliance is really just a set of common-sense rules for IT.

What we have today is a set of difficult problems:

Look at this article: SCmagazine, “Malware on Lime Crime Website”, payment cards compromised.

Another website was taken over by hackers.

We tell everyone to update or patch their systems, but that is not always a 100% error-free operation. As this InfoWorld story shows, there is some truth to the old story of difficult updates from Microsoft and other software vendors. A patch should fix a security or other bug, but it does not always do so cleanly. That is why one tests a patch first, before deploying it to many systems across the environment.

(Slide 5) The Windows XP update was used to install Genuine Advantage software (which was actually a form of spyware).

(Slide 11) In December 2010, MS10-092 was an innocuous patch designed to plug a hole in Windows Task Scheduler, and yet KB 2305420 has pages and pages of manual workarounds.
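The “test first, then widen” rule above can be made mechanical. The following is an added example, not code from the original post: a ring-based rollout that patches a small pilot ring, runs a health check on every host in that ring, and refuses to touch the next ring if the failure rate exceeds a threshold. The fleet, the ring layout, the `install` and `health_check` callbacks, and the “known bad application” that the simulated patch breaks are all constructed for illustration.

```python
"""Ring-based patch rollout with a health gate between rings.

Added example. The fleet, the callbacks and the thresholds are constructed
for illustration; they do not come from the original post.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Host:
    name: str
    ring: int                 # 0 = lab/pilot, higher numbers = broader production
    app: str                  # constructed: the main application the host runs
    patched: bool = False


@dataclass
class RolloutResult:
    completed_rings: List[int] = field(default_factory=list)
    halted_at_ring: Optional[int] = None
    failed_hosts: List[str] = field(default_factory=list)


def staged_rollout(hosts: List[Host],
                   install: Callable[[Host], None],
                   health_check: Callable[[Host], bool],
                   max_failure_rate: float = 0.0) -> RolloutResult:
    """Patch one ring at a time, lowest ring first.

    After each ring, the fraction of hosts that fail the health check is
    compared with max_failure_rate; if it is exceeded, the rollout stops and
    no host in a later ring is touched. With the default of 0.0 a single
    failing pilot host halts the rollout.
    """
    result = RolloutResult()
    for ring in sorted({h.ring for h in hosts}):
        ring_hosts = [h for h in hosts if h.ring == ring]
        failures = []
        for host in ring_hosts:
            install(host)
            if not health_check(host):
                failures.append(host.name)
        result.failed_hosts.extend(failures)
        if len(failures) / len(ring_hosts) > max_failure_rate:
            result.halted_at_ring = ring
            return result
        result.completed_rings.append(ring)
    return result


# --- constructed environment -------------------------------------------------

KNOWN_BAD_APP = "legacy-scheduler-agent"   # constructed name, not a real product


def make_fleet() -> List[Host]:
    """Constructed fleet: a two-host lab ring and two production rings."""
    return [
        Host("lab-01", ring=0, app="web-frontend"),
        Host("lab-02", ring=0, app=KNOWN_BAD_APP),
        Host("prod-01", ring=1, app="web-frontend"),
        Host("prod-02", ring=1, app=KNOWN_BAD_APP),
        Host("prod-03", ring=2, app="database"),
    ]


def apply_patch(host: Host) -> None:
    """Simulated install: just records that the patch landed."""
    host.patched = True


def breaks_known_bad_app(host: Host) -> bool:
    """Simulated health check for a patch that breaks KNOWN_BAD_APP."""
    return not (host.patched and host.app == KNOWN_BAD_APP)


def always_healthy(host: Host) -> bool:
    """Simulated health check for a patch that breaks nothing."""
    return True


def run_demo() -> Dict[str, object]:
    """Run the same rollout logic against a bad patch and a good patch."""
    bad_fleet = make_fleet()
    bad = staged_rollout(bad_fleet, apply_patch, breaks_known_bad_app)
    good_fleet = make_fleet()
    good = staged_rollout(good_fleet, apply_patch, always_healthy)
    return {"bad_patch": bad, "bad_fleet": bad_fleet,
            "good_patch": good, "good_fleet": good_fleet}


if __name__ == "__main__":
    out = run_demo()
    print("bad patch :", out["bad_patch"])
    print("good patch:", out["good_patch"])
```

With the bad patch, the lab ring shows a 50% failure rate, the rollout halts at ring 0, and the three production hosts are never patched; with the good patch all three rings complete. In a real environment `install` and `health_check` would wrap the organisation’s own deployment tooling and post-patch checks (service status, application smoke tests, error rates), and `max_failure_rate` would be set per ring.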

A serious problem that we have is Ransomware:

Threatpost has the story:

We have had some version of ransomware since the 1980s, but it’s about to get more difficult, as this interesting snippet shows:

For all the attention that CryptoLocker and Cryptowall and the other variants have gotten from the media and security researchers, enterprises haven’t yet totally caught on to the severity of the threat. Much of the infection activity by crypto ransomware has targeted consumers thus far, as they’re more likely to pay the ransom to get their data back. But Ghosh said that’s likely to change soon.

The problem is that this clandestine criminal activity is netting millions of dollars, and thus we have to up our game to catch the criminal botnets and potential infections.

So we have a difficult problem made up of technological challenges (patches), organizational challenges (politics and resources for IT security and compliance), and finally the will to set up an environment of security instead of hoping it will not happen here.

There have been many stories in the media that there is a shortage of cybersecurity professionals, for example this press release from rand.org:

http://www.rand.org/news/press/2014/06/18.html

“It’s largely a supply-and-demand problem,” said Martin Libicki, lead author of the study and senior management scientist at RAND, a nonprofit research organization. “As cyber attacks have increased and there is increased awareness of vulnerabilities, there is more demand for the professionals who can stop such attacks. But educating, recruiting, training and hiring these cybersecurity professionals takes time.”

That is why a 20-year IT veteran can short-circuit a few steps for you…

Subscribe at http://oversitesentry.com/subscribe-with-us/ for a small fee

And I will help you become a Certified Ethical Hacker from EC-Council.