IT Security today and what it was
IT Security seems to be the new buzzword. Everyone is now focusing on it and spending immense amounts of money to improve their security. Every vendor under the sun, be it Cisco, Microsoft, Sun or anyone else, seems to have some sort of Security Certification program. IT Security is now the big focus of everyone.
But it wasn’t always that way, and that’s what got us into this situation in the first place. IT Security is a big thing to reform and implement when you do not have an infrastructure in place. A lot of so-called professionals seem to think that IT Security means running Windows Update, doing an automatic update on Linux or Solaris, or requiring users to have a hugely complex password that changes every 30 days.
But IT Security is a complex field, and a quick certification will not teach you to think rationally and use your expertise.
IT Security is a very proactive field. You have to stay on top of things and have a passion for this work. Several factors play into IT Security, not only locking everything down. Security is an ongoing process. As an IT professional you are entrusted to keep a process safe, and it is your duty to do that to the best of your ability. That process consists of the three big letters in data preservation: Availability, Integrity and Confidentiality. These mean that you have to keep the data secure, available and uncorrupted. This sounds complex, but with the right approach it is just a one-time implementation followed by a regular refresh of the process.
Generally, Management panics at some of the costs involved in the beginning because they fail to see the benefit in the long run. If your data is worth several man-years and it costs several thousand euros per hour when that data is unavailable, then an investment of a few thousand euros is negligible, considering that the costs of recovery can skyrocket if your data is lost, compromised or unavailable.
This is not the only aspect of IT Security, however. One important factor that a lot of people overlook or deem unimportant is User Education. It is much easier to implement IT Security strategies and processes when the users are educated, to some degree, and know, also to some degree, what is going on. For example, there are things that seem too simple but actually make things much more effective. One such thing is password policies. Users are much more likely to write their password down somewhere if it is too complex and has to be changed often. But if you set the password policies so that the requirements are not too heavy, or tell the users that they should be creative with their passwords, then they keep them in their heads instead of on a piece of paper, which can be read by the cleaning people or anyone else for that matter.
It seems that we take a lot of things for granted, and a lot of people seem not to care about IT Security. And that’s exactly why the Internet nowadays is a very dangerous place. It ranges from spam mail, viruses and worms all the way to the new threat, phishing. Recently someone who didn’t speak English too well called me and asked me if I could help him formulate a letter to someone in South Africa in order to help him get some money out of the country. This is commonly known as a 419 scam, and even though the stories in those emails are outrageous, people still fall for it and lose very large amounts of money to fraudsters.
Statistics show that over 30% of people click on links within spam messages, and over 50% of people click on emails containing versions of “RE:” in the subject, since they think these are replies to an email they had sent before. General education, especially at the workplace, would do wonders here. Even though spam filters get better and better, they are always reactive, since spammers come up with new ways of evading them. The exact same thing goes for viruses. Amazingly, many people click on the attachments within emails even though they have no clue who sent them and why. It seems that IT Security’s strongest enemy is no longer the failure of the firewall or antivirus. It’s the failure of the human logic process and the blue-eyed, blind trust that people seem to have in the Internet. IT Security should encompass all the factors and should not rely on a single solution, but be built like a house, with several building blocks that fit nicely together. These building blocks include things like an IT Security policy, antivirus, firewall, spam filter and, of course, User Education.
This article was first published at: Mainframe’s Website