I am not what you would call a normal computer user; in fact, I would put myself above the so-called power users. I have worked in the IT field for the last 19 years, and during that time I have seen a large swath of issues facing IT managers regarding security threats. These threats range from the benign to the outright dangerous, data-destroying kind. So what are the most dangerous types of security threats faced by IT managers today? Let’s take a look.
Number one on my list is computer users; they are their own worst enemy when it comes to computer security. Most people do not want to be bothered by the complexity of securing their computers and ensuring the safety of their network. In fact, they just want things to work when they try to do something, and if system security policies get in their way, they will simply try to find a way around them. Computer security experts agree that you should never attach a storage device to your system unless you know for a fact what is on the device.
However, a study conducted by the Department of Homeland Security revealed that when random media was left in the parking lot outside government buildings, 60% of the media picked up by employees was plugged into their government computers to see what was on it. Furthermore, if the media had an official logo on it, the connection rate went up to 90% (Cliff Edwards, 2011). Even trained personnel have done this; it is human nature to want to discover what is on the device, and hackers constantly rely on human nature to provide the weakness needed to break into a system.
Second on my list is software that has not had a proper security audit conducted on it. Securing software against attacks is the last thing most programmers worry about when writing code. It is like building a house in a bad neighborhood, locking the doors, but leaving the windows open. Sure, you blocked the most obvious way in, but to an experienced criminal you left about ten other ways into your house. A great example of this is a piece of software that is critical to the security of the internet: OpenSSL.
OpenSSL was found to be vulnerable to a bug called Heartbleed, which was nothing more than a coding error that broke the entire security of the crypto package (Goldman, 2014). As you can see, this was not some malicious hacker trying to break the system but an honest mistake made by a programmer. The bug was entered into the OpenSSL code base on 31 December 2011 and lacked some input validation code (Welch, 2014). For a piece of software used by a large number of websites on the internet, you would think that it would be well funded and routinely audited; however, this turned out not to be the case.
With only one full-time developer at the time and very little funding, a security audit was the least of the project managers’ concerns. It was not until after the discovery of this vulnerability in the code base that they were able to get the funds that enabled them to conduct a full security audit of the code base (Brodkin, 2014). As you can see, sometimes the threat is not from the outside but from the software that you trust and use on a daily basis.
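As an added example that is not part of the original essay or of OpenSSL’s own code, the following C model of a heartbeat responder shows the kind of input validation Heartbleed lacked: the length field in a heartbeat request is supplied by the peer, so the responder must confirm it fits inside the bytes that actually arrived before copying anything back. The record layout follows RFC 6520; the function and constant names are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Model of a TLS heartbeat record (RFC 6520 layout; constructed example code,
 * not OpenSSL's): [0] type, [1..2] payload_length big-endian,
 * [3..] payload, then at least 16 bytes of padding. */
#define HB_REQUEST 1
#define HB_PADDING 16

/* Echo the request payload into resp. Returns bytes echoed, or -1 if the record
 * is rejected. record_len is the number of bytes that actually arrived. */
int heartbeat_respond(const uint8_t *record, size_t record_len,
                      uint8_t *resp, size_t resp_cap)
{
    if (record_len < 1 + 2 + HB_PADDING || record[0] != HB_REQUEST)
        return -1;
    size_t payload_len = ((size_t)record[1] << 8) | record[2];
    /* The missing validation behind Heartbleed: the peer-supplied length must
     * fit inside the bytes received, otherwise the memcpy below would read past
     * the record into whatever else sits in memory. Reject instead of trusting it. */
    if (1 + 2 + payload_len + HB_PADDING > record_len || payload_len > resp_cap)
        return -1;
    memcpy(resp, record + 3, payload_len);
    return (int)payload_len;
}
/* Constructed request builder: `claimed` is written into the length field and
 * may deliberately disagree with actual_len, which is what a malformed record looks like. */
size_t make_heartbeat(uint8_t *buf, size_t cap, const uint8_t *payload,
                      size_t actual_len, size_t claimed)
{
    size_t total = 1 + 2 + actual_len + HB_PADDING;
    if (total > cap || claimed > 0xFFFF)
        return 0;
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(claimed >> 8);
    buf[2] = (uint8_t)(claimed & 0xFF);
    memcpy(buf + 3, payload, actual_len);
    memset(buf + 3 + actual_len, 0, HB_PADDING);
    return total;
}
/* Convenience for checks: build a record with the given claimed length and
 * return what the hardened responder does with it (echoed length or -1). */
int heartbeat_check(const char *payload, size_t claimed)
{
    uint8_t rec[128], resp[128];
    size_t n = make_heartbeat(rec, sizeof rec, (const uint8_t *)payload,
                              strlen(payload), claimed);
    return n ? heartbeat_respond(rec, n, resp, sizeof resp) : -1;
}
```

A request whose claimed length matches or undershoots the real payload is echoed; one that claims more than was received is dropped rather than copied.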
“All your base are belong to us” (h2g2, 2007). It is not only the criminal hackers and script kiddies that you have to worry about. The governments of the world have been slowly building cyber armies and developing advanced malware for use against individuals and nation states. This is my third most dangerous threat to computer security. Governments have the time, money and resources on hand to crack your system, and there is little that you can do to stop them short of asking your own government for help to stop the intrusion. They develop this malware to conduct intelligence-gathering operations, disrupt industrial systems, and/or carry out economic espionage.
The three major players in this global cyber war are the United States, China, and Russia. Hacking on a government level has been going on since the dawn of time; however, it has only come into its own in the last ten years. With the emergence of malware such as Flame and Stuxnet from US government operations, we can see the quality and effectiveness of the malware that is out in the wild. Stuxnet is weaponized malware designed to destroy one type of target, whereas Flame is an intelligence-gathering type of malware.
Stuxnet was the eye-opener to the world that government malware was out in force (Clayton, n.d.). What makes government malware so dangerous is that its developers have access to the resources necessary to find weaknesses in the target software and exploit them with zero-day attacks; Stuxnet used four zero-days to gain access to its target (Naraine, 2010). Secondly, most experts would agree that it could not have been written by petty hackers, as it would have taken far too many resources to complete. Furthermore, analysts say it probably took at least six top-notch programmers six months to write it (Cherry, 2010). With this in mind, you cannot hope to stop government-sponsored hacking of your systems; you can only hope to mitigate the damage and contain it if it does happen.
I have had to deal with all of these issues, from uneducated users to Heartbleed and the Stuxnet malware, in addition to any number of other security issues out there, from malicious to non-malicious threats. What you can do about them varies greatly depending on what your fire of the day is. But by following the 80/20 rule you can keep 80% of the threats at bay by focusing on mitigating the top 20% of security threats.
Bibliography
Brodkin, J. (2014, 05 29). OpenSSL to get a security audit and two full-time developers. Retrieved from Ars Technica: http://arstechnica.com/information-technology/2014/05/openssl-to-get-a-security-audit-and-two-full-time-developers/
Cherry, S. (2010, 10 13). How Stuxnet Is Rewriting the Cyberterrorism Playbook. Retrieved from IEEE Spectrum: http://spectrum.ieee.org/podcast/telecom/security/how-stuxnet-is-rewriting-the-cyberterrorism-playbook
Clayton, M. (n.d.). Stuxnet malware is ‘weapon’ out to destroy … Iran’s Bushehr nuclear plant? Retrieved from The Christian Science Monitor: http://www.csmonitor.com/USA/2010/0921/Stuxnet-malware-is-weapon-out-to-destroy-Iran-s-Bushehr-nuclear-plant
Cliff Edwards, O. K. (2011, 06 27). Human Errors Fuel Hacking as Test Shows Nothing Stops Idiocy. Retrieved from Bloomberg: http://www.bloomberg.com/news/2011-06-27/human-errors-fuel-hacking-as-test-shows-nothing-prevents-idiocy.html
Goldman, A. (2014, 04 12). It’s not a fun week to work at OpenSSL. Retrieved from Ars Technica: http://arstechnica.com/information-technology/2014/04/its-not-a-fun-week-to-work-at-openssl/
h2g2. (2007, 02 13). All Your Base Are Belong To Us. Retrieved from h2g2 The Hitchhiker’s Guide to the Galaxy: http://h2g2.com/edited_entry/A19147205
Naraine, R. (2010, 09 14). Stuxnet attackers used 4 Windows zero-day exploits. Retrieved from ZDNet: http://www.zdnet.com/blog/security/stuxnet-attackers-used-4-windows-zero-day-exploits/7347
Welch, C. (2014, 04 10). ‘Trivial’ mistake that caused Heartbleed crisis highlights fragility of the web. Retrieved from The Verge: http://www.theverge.com/2014/4/10/5600744/heartbleed-crisis-highlights-fragility-of-web-security