Whilst browsing the Twitter blizzard this morning, I came on the article about the attack on the Cambodian Government:
As luck would have it, I came on this just after I had fielded an attempted social engineering call on my home phone from a delinquent pretending to sell me Satellite TV. This mongrel was pretending to update my account in return for my credit card details (despite the fact that I pay by direct debit). To begin with, he was very plausible and quite credible. At the time, I gave him a flea in the ear and moved on – though had that attack (and that is what it was) been successful, it could have cost me or one of the organisations with whom I do business many thousands of pounds.
Whilst traveling to work, it struck me that he would probably have got away with it with many people I know, and it gave me pause for thought about safety in the environment in which we all live.
Whilst this type of anarchist bullying, fraud and banditry is morally repugnant in almost any culture (see my previous post on bullying) – I believe there is a positive that we can draw from this: a culture of increased threat awareness. The Information Security discipline has long been hamstrung by complacency; when the difficult decision about resourcing security controls has been tabled, security has long been consigned to the "nice to have but not urgent" list. This flies in the face of reality, where the threat is real and people, companies and governments are being attacked on a daily basis.
Though things have got better in the past couple of years – we still see corporate heads being stuck in the sand when budgets are set. This is mirrored in our private behavior – I still remain staggered by the people who still do not have up-to-date anti-virus software on their home computers because of the cost (or in some cases the brand of their computer!). In my experience, this complacency has often been driven by the lack of a perceived threat of sufficient relevance.
By behaving like mad dogs, hacktivist organisations have brought a frontier feeling to business, certainly to any organisation which does business or interacts with targetable organisations or people (and when we look at our value chain honestly, this includes most of us). This is exacerbated by the value of information crime to the thieving mongrels of the professional criminal community who do a very good job of bringing the frontier spirit to our homes, our children and our parents.
When we look at it frankly – though we live in a world where we are wrapped in the cotton wool of Health & Safety and trading standards, the one area where we really cannot rely on society for our safety is the information space (this is more than just Cyber). The information space, where we exist daily on our telephones, email, online banking and social networks and on which we depend for most of our critical life support, is effectively wild. We apply protection to various services on an individual basis, but cannot guarantee the safety of the environment. I was attacked (fortunately unsuccessfully) this morning in my own home, and I treated it as part of daily life. That is instructive.
We live in the frontier country of the information environment and though there are rules, the bad guys don’t play by them. Whoever we are and wherever we are, our protection, and that of our families and companies, is in our own hands. In the final analysis we cannot rely on society but must take responsibility for our own safety. This is a responsibility that we should probably take more seriously.