So, fully meaning to be alarmist, the one thing that has been truest for me in IT this year is that the third world war is already being fought on the Internet. The bad guys are multiplying, becoming more professional and more sophisticated and more dangerous every day. Some are state-sponsored. Some are terrorists or NGO-sponsored. And some are just plain criminals. But they are out there. They are working 24×7. And they are attacking us millions of times a day.
You have already been hacked, p0wned and exfiltrated. You may not have discovered it but it has already happened to most sites. If you’re lucky, you’ve just been embarrassed. The bad guys are using social engineering, known vulnerabilities and our own inability to keep up with the volume of attacks to get us.
In my own planning for this, I’m looking at three primary strategies:
1) Create alliances. Our vendor partners see what is going on across a wider field of battle. They see when an attack hits fifty sites in the US. We see when it hits us or a friend. We need to take advantage of every shred of capability that exists out there.
2) Lower the threat profile. Ten years ago, we just put everything out on the Internet by default. Twenty years ago we were just ending the era of the walled garden (AOL, CompuServe) where everything you needed came from one provider inside their own network. A hybrid strategy is now required where only after careful risk assessment do we put things on the open Internet. The vast majority of our technology does not need to be exposed to the Internet at all.
3) Centralize. We’ve been steadily getting rid of departmental Web servers and email servers for years. We need to apply that limit not just to the servers but also to the services that have access to the Internet. Part of the issue is that relatively under-resourced IT departments are being overwhelmed. Continuing to allow redundant services and servers saps resources and creates additional attack vectors.
The Internet is a fantastic thing. But it’s become a very dangerous place and while I still enjoy it tremendously, we have to start being much more careful with our use of it.
I think it’s often poor writing to use highly dramatic military analogies. But this is a contest where the bad guys are winning, where we are constantly under attack and battling. I don’t think other analogies are quite as apt.
No one (well, almost no one) takes security lightly anymore. But the game has changed and become far more intense with far bigger stakes. So, I’m using WW3 as the analogy until I find a better one.