WILL IT END?
I have a fairly eclectic taste in music, and I must admit I have recently started listening to a band called the "Dropkick Murphys". Well... I enjoy it anyway. They have a song called "The green fields of France", very good, and it is about World War 1. But there is this one verse...
And I can't help but wonder oh Willie McBride,
Do all those that lie here know why they died,
Did you really believe them when they told you the cause,
Did you really believe that this war would end wars?
Well the suffering, the sorrow, the glory, the shame,
The killing and dying it was all done in vain.
Oh Willie McBride, it all happened again,
And again and again and again and again!
Now leaving aside the significance of the verse in the context of the song, it also seemed to me that it spoke about a serious problem we have in IT security (bear with me here). We have been telling business for a couple of years now that x threat is of the utmost importance, that if you do not address x threat it will cripple your business, and that if you get y protection all your worries will be over. We basically told them "that this war would end wars". The problem is... "it all happened again". And why? Well, it is very simple: we lied. And worse than that, people believed us.
The truth is that there is no silver bullet, there is no ultimate solution, no nice-and-clearly-defined solution you can drop into a business to secure it forever amen. But that is what businesses hear. Vendors tell them that ("Buy this product and you will get no more spam"), their IT people tell them that ("Get a firewall and our troubles are over"), auditors tell them that ("You are compliant so do not worry"). So why do all these people who should know better lie? Sometimes it is to make sales, it could be because they do not know any better, or it could be that they do not care.
Right about now, there are a bunch of people reading this going "Hey, that's not me, I did not lie! I told them the war would never end...". Now assuming I believe you (of course I do), why did nothing change? Because business shares the blame. You see, they want to be lied to. Businesses have had many people tell them the truth and, if nothing else, pure experience should have taught them what was what. But no, they want nice simple answers. They do not want to hear "The only way to 100% eliminate spam is to unplug the network cable from the email server." They want to manage by magazine ("Hey IT guy, buy this because this article says it can stop all hacks"), by buzzwords ("We need a cross-platform, e-portal application servicing grid-setup"), or -my personal favorite- the relativity principle ("My son / cousin / niece / wife / gardener's-cousin's-girlfriend's-hairdresser's-brother can do...").
So we have on one hand the liars and on the other the people who want to be lied to. The trick is: which came first?
So what can we do? We can tell the truth, we can be honest. People may not like us, but I can promise you this - you will never be wrong. You see, hacking will never stop, nor will viruses or spam; in fact, the threats will mature, mutate and get nastier. Viruses are a good example. 10 years ago a virus on your machine could almost be funny: a bouncing ball across your screen or some humorous text upon startup. Nowadays they steal personal information, disable protection software, enable other malicious software to be installed, allow your machine to be used for other attacks and can even be used for blackmail purposes. Now any defense that worked against the first level of threat has no hope against the second.
You see, the war will never end. We will always be working at securing networks and resources because things change. Please realize that we and our defenses must change with them; we should even try to change proactively. So security people, tell the truth... and business people, listen. Security threats will happen again and we will need to defend against them, "And again and again and again and again!"