2007-02-01
Abstract
'I still believe that education is one of the best defences against any problem.' Eric Kedrosky, Nortel.
Copyright © 2007 Virus Bulletin
Malware keeps information security professionals very busy these days. Often as a result, we tend to get focused on one specific area of the problem. While focus is a good thing, it often leaves us blind to the larger picture; malware has become an epidemic. It is no longer just a technical issue, but is rather a socioeconomic issue affecting our personal lives, industries and possibly our national security. We, as security professionals from across all industries, need to address this epidemic accordingly. Working with our technical counterparts just won’t cut it; we need to educate, and then work with, our citizens and organizations to tackle this problem.
Turn on the TV, or listen to the latest podcast, and on a regular basis you will hear stories about the effects of malware on our citizens. Stories of people whose identities have been stolen, their bank accounts wiped out, their credit ratings demolished and their lives turned inside out. There are also stories of the latest super virus spreading around the world, exploiting the ‘vulnerability du jour’ in our common software applications. For those who are not fully comfortable with computers and the Internet, it paints a pretty scary picture. As such, malware and its effects are eroding the confidence of our online society.
While there are many discussions around this, I still believe that education is one of the best defences against any problem. As security professionals we can’t do it all by ourselves, and in turn the worst thing that we can do is give up on our citizens. Thus, it is our task to ensure that our citizens truly understand the personal risks and consequences of malware. It is going to take some time, a lot of creativity and hard work, but in the end we’ll get there.
Industry is another key pillar of any society. As with individuals, many corporations underestimate the impact of being under attack and infested by malware. Malware infections within a company are more than just a nuisance; they cost big money. In 2004 it was reported that 'malware ... cost global businesses between $169bn and $204bn' (http://www.vnunet.com/vnunet/news/2126635/cost-malware-soars-166bn-2004).
Malware incidents can also be an issue of national security. Today’s cyber spies often use malware to get their hands on corporate trade secrets and classified information. With this information they can gain a competitive advantage against the company or even put it out of business. It is apparent that such industrial espionage could even have national security implications. During the Congressional hearings that preceded the 1996 Economic Espionage Act (EEA), Louis Freeh, former Director of the FBI, is quoted as saying ‘Economic Espionage is the greatest threat to our national security since the cold war’ (http://www.economicespionage.com/Introduction.html). Again, I believe that the problem here is a lack of education and communication.
Many corporations see information security as costly and may not take it as seriously as they should. As security professionals we do a great job of keeping our customers safe and secure through our products and services, but we need to go a step further. We need to educate our industry and business leaders on the threats malware poses not only to their bottom line, but possibly to their very existence and even their national security. Our challenge is to educate them in a manner in which they, as business leaders, understand. It is only once we are all of the same understanding that we can cooperate and work together to fight the malware epidemic.
Malware invades too many personal lives, is estimated to cost our corporations billions of dollars and is reported to have become an issue of national security. The problem has grown to the extent that we, the information security professionals, cannot fight it alone. We need actively to engage our citizens, corporate leaders, government officials and organizations to educate them about the risks that malware poses and the consequences that may arise if these risks are ignored. When our communities are more educated on the impacts of malware, we can unite and fight more efficiently and effectively. So I encourage every one of you: don’t give up, keep up the fight and keep the lines of communication open. At times it may not be easy, but it will get better and will be worth it in the end.