Fired up About FlameBuild on Skills to Mitigate Everyday Attacks
When we look at the latest cyber attacks, we are often impressed by those that demonstrate a certain level of skill and creativity. This is certainly the case with Flame, the newly discovered cyber espionage malware that has been described as the most complex ever discovered and has captured the attention of security professionals everywhere.
Flame appears to have been built by very smart and experienced cyber criminals or some nation state. Just looking at the way it works - how it infiltrates databases and gathers information - the focus is really on intelligence gathering.
It takes skill and manpower to root out these threats - the well-trained infantry, not the Special Forces.
It makes me wonder if we, and others in infosec, are barking up the wrong tree. We preach that we need smarter, more skilled and technical people to deal with the 'Flames' as they come. But I doubt we'll ever be in a position where individuals on the front lines, regardless of how smart they are, can prevent the consequences of a complex attack like Flame.
A lot of people are looking at the sophistication of Flame and saying that we need more top-skilled experts and researchers, like the military's Special Forces. But I would argue that we can't protect an entire coastline with elite forces. And given the fact that most attacks are significantly less complex than Flame, we don't need to do so.
Having the correct skills in the right positions is key, and we simply can't be true to that axiom when there are not enough people in any category to serve our diverse and unique needs.
Yes, we need elite researchers and defenders to analyze and develop defenses for the occasional extraordinary attack like Flame. But we also need the support teams, the general soldiers, and the various specialties to flesh out our total defense.
Since we'll probably never have enough elite forces to stay ahead of the cyber threats, we need to consider ways to leverage our regular infantry - our army of over 86,000 certified security professionals.
These practitioners are immersed in building better and more secure applications and software from the start. By improving our software security, installing compliance controls, and keeping our systems configured appropriately, we can reduce the overall vulnerability of our IT infrastructure.
We may have to sacrifice some on the user friendliness and extreme functionality our end users enjoy today, but that's a small price to pay for ultimately greater freedom and security.
Building a strong cyber defense means building a workforce that has the skills to handle the vast majority of threats to our data like malware or hackers seeking financial information. These common threats may not seem as innovative and exciting as Flame, but they are the most likely threats to your data and your users.
It takes skill and manpower to root out these threats - the well-trained infantry, not the Special Forces - and the proper tools, in the form of secure applications and software code.
Improving security is not about smart people alone; we have to make better software and build security into the design of applications so they will be less vulnerable to attack.
We also need well-trained and certified people who are capable of recognizing and mitigating the 99 percent of exploits that aren't as sophisticated as Flame.
In the end, it only takes one successful exploit to breach your data - and for most enterprises, it's the everyday attacks, not the Flames that are most likely to put your IT infrastructure and your precious data in jeopardy.
It is time to bring our trained and certified 'hunters and gatherers' together with the systems development community to help our end users operate with less risk in a now completely cyber world.
Tipton is the Executive Director for (ISC)2, the largest not-for-profit membership body of certified information security professionals worldwide, with more than 85,000 members in more than 135 countries.