IT Security isn’t just for the security professionals any longer.
Actually, it never was just for professionals. The fact that everyone should be paying attention to security is just increasingly obvious these days. Gone are the days when there is any excuse for saying things like, “I don’t have anything on my computer anyone wants.” It is increasingly obvious that, if nothing else, there are people out there who want your computer’s ability to send out spam and malware as part of a distributed botnet, sucking up your CPU clock cycles in the process.
It takes only the most rudimentary familiarity with the security threats on the Internet these days to be aware of that fact. Unfortunately, a great many people lack even that rudimentary level of security awareness. That’s one reason I talk about security so much: there are a lot of people out there who aren’t even aware they need any computer security knowledge at all. I hope to be able to help educate them.
I spend a lot of time trying to help educate those a step or two up from that level, too. Obviously, just getting everyone interested in security isn’t the sum total of my reasoning for my evangelical zeal. Weak spots in security knowledge exist at pretty much every level of awareness among those whose main professional focus is not security (and, to tell the truth, among many security professionals as well). There are a lot of widely-held incorrect assumptions that are at best distracting, and can be directly damaging. What you don’t know can hurt you. Though I obviously cannot address every single security myth and shortcoming, I hope to be able to help people see past the limited patterns of thought that lead them into making security mistakes — by addressing the underlying principles of good security practice.
Even that isn’t enough to explain why I expend so much effort trying to help others improve their security knowledge, however. There is also, for instance, the fact that IT professionals of all stripes need to be aware of the security impacts of their own areas of expertise, and how to ensure that their work contributes to better security, rather than detracting from it. Programmers need to learn to think like security professionals, to some extent, so that their influence on the architecture of the software they develop will tend toward greater security; network administrators and architects need to learn such skills to ensure that their implementations of networking technologies will not create terrible security debacles waiting to happen; Web developers need to think like a security professional, with all the practical paranoia that entails, so that they will realize the ways publicly accessible Web applications and services can be abused and twisted to nefarious ends, and plan accordingly.
All of this is more superficial than the ultimate need I feel for spreading security awareness as widely throughout the population as possible. The linchpin of my entire desire to evangelize on behalf of security awareness and good security practice is the simple fact that anyone’s security problems impact everybody, with only extremely rare exceptions.
Spam, viruses, and denial of service attacks are problems with which everybody on the Internet has to deal, one way or another. They wouldn’t be such a big problem if it weren’t for all the home computers infected and recruited into botnet armies.
Illicit and unconscionable activities such as child-pornography peddling create problems for society as a whole, and pretty much everyone in it. Stopping it means, among other things, shutting down the distribution channels — which, in many cases, means securing systems that have been hijacked to provide a “safe” means of distribution on someone else’s server without that person’s knowledge.
Anyone whose life is impacted by identity fraud knows how destructive that kind of intrusion into one’s life can be. So long as there are e-commerce sites out there whose Web pages are vulnerable to cross-site scripting attacks, we’re at risk of having our personally identifying information and private access data intercepted. To guard against that, we need to ensure that people do not create such opportunities for malicious security crackers to take advantage of poorly designed Web applications.
While I certainly want you to be safe from malicious security crackers and vandals for your own sake, that’s really only a secondary concern for me. My primary concern is simple, and selfish:
I don’t like being affected by spam, the social impact of many criminal activities facilitated by unauthorized access to others’ IT systems, and living in fear of being a target of identity fraud. I don’t like any of the other negative effects that spin off from various security issues people experience every single day, due in large part to their own ignorance, either. In short, I don’t want the mess created by your lack of good security practice to get all over my life.
So . . . learn something new about security today; keep an open mind, so that you will not find yourself rejecting important security concerns based on thinking made rigid by corporate marketing campaigns; keep yourself and your data safe. While you’re at it, help others do the same, for your own sake.