Cybersecurity Awareness Month: IT, too, takes a village…

October 19, 2009 - By Justin E. Gehrke

Well, it’s October! Along with celebrating Columbus’ discovery (or rediscovery, depending upon your historical view) of America and Halloween, we celebrate (of course you knew!) Cybersecurity Awareness Month. The sixth annual celebration is designed to bring public attention and focus to the growing importance of cybersecurity, as it applies to our daily lives. Why “our lives”? Well, over the past decade the amount of electronically archived and posted data and information has increased exponentially. With each passing month, our personal and national reliance on our cyber infrastructure continues to grow. Thusly, an initiative that was originally intended to help government and industry direct their attention to the security of information and the information infrastructure has evolved into a concept that applies to the lives of every person who owns, uses, or has information about them stored in a computer, server, database, or other electronic repository.


What are we supposed to do, though, during Cybersecurity Awareness Month? There is no History Channel documentary, workplace luncheon, or national holiday (though it would be nice). No, this month isn’t about parades or confetti. It’s about getting serious about protecting ourselves in our “virtual” worlds. Anyone who has had their identity stolen, their data erased by a virus, or their computer turned into a spamming zombie by a Botnet will tell you (if they know about it) that computer security is actually a topic requiring attention. Unfortunately, as most IT and INFOSEC professionals will tell you, there is no one single way to secure everything. There is no one place to visit that will contain everything you need to know about securing your “cyber” either. Businesses can, depending upon their budget and cognizance of the potential problems, hire IT professionals who are either dedicated to or at least have a working knowledge of how to secure a company’s electronic assets. Government agencies can ensure that IT professionals among its ranks are properly trained and educated.

So what is a regular person to do? You know. The one who has a desktop and laptop at home connected to DSL or Broadband, via wireless router. The one who has a teenager that thinks anything posted on the internet can be downloaded free and lawfully. Unfortunately, many of the Distributed Denial of Service (DDoS) attacks against high-profile webservers are not launched from business-based LANs. No, these zombie armies are often composed of otherwise innocent home computers that weren’t automatically patched by their Operating System’s update utility, did not have a local firewall (and I don’t mean the integrated Windows one), or have out-of-date (or no) virus protection. This highlights the IT industry’s big (but often not addressed) problem. We can take every required step and implement every possible measure to secure our business networks, but until we can ensure the majority of computer users at home do the same, the problem will continue. This is based on the fact that the number of desktop and laptop computers sold will only continue to increase as the economy rebounds and previously “disconnected” areas of the world move into the electronic age. Based on historical trends, this increase will result in an increase in the number of unprotected computers connected to the internet.

All right, we know what the problem is. How will we fix “IT”? Well, the answer is not all that complex. It is a fact that, as adults age, they become more set in their ways. This means that a young adult who does not learn to protect themselves “electronically” will, in all likelihood, become a middle-aged adult who follows the same bad practices. Despite the fact that many adults receive computer security awareness media (e.g. formal briefings, operating procedures, awareness videos, etc.) in the workplace, most do not take these values home with them, teach them to their families, and apply them to their personal computing lives. Stepping back from the situation and removing the “IT” focus can help us figure out a better way to address it, at an earlier and more influential stage. I am talking about childhood. When we wanted to make better drivers, we instituted driver’s education. When we wanted to (or had to) address the issue of teen sex, we implemented sex education. Thusly, can’t it be said that the same can be achieved with computer security education?

Many schools are now beginning computer-based work (e.g. reading comprehension tests, basic computer skills, etc.) between Kindergarten and Second Grade. Add to this the number of little “Geeks in Training” who are learning to play online games at age four, and you have a budding generation of computer users who are ripe for education. If basic computer security skill overviews can be successfully integrated into and become a main component of basic computer skills, the process of becoming “computer smart” will become more intuitive and less arduous. Does this mean that we are going to create a generation of budding hackers? No, this is a ridiculous concept that may be mentioned by a few alarmists. By providing basic education at an early age and continuing it into the college years, secure computing practices can become a part of the normal learning and growth process. Will it require educators to adjust their already crammed schedules? Yes. Will it be more effective if private industry IT and INFOSEC professionals volunteer their time periodically at local schools, to assist educators? Yes. Will it require parents to become better-educated regarding computer security, in order to set a positive example? Yes. In the words of Hillary Rodham Clinton, U.S. Secretary of State and former First Lady, though, “It takes a village.” Applying this same concept will reap immeasurable benefits over the long term.

Does all of this early childhood education mean we have written off adults as “unteachable”? Of course not! Public libraries, social organizations, and other non-profits should still provide basic computer use and security training for adults that cannot afford to or will not pay for it. Companies will continue to provide initial and recurring computer security education and employ IT professionals who can protect their company’s infrastructure and the data it contains. With the integration of these concepts at an early age, though, we can really be said to be investing in the employees of the future. Think of it as an insurance policy. Yes, we’ll pay annually in our time and effort, but, ultimately, we’ll guarantee a more “virtually” secure society in the future.

Just as with any other problem, society has a duty to make sure its citizens can recognize a problem and its root causes, in order to formulate an educated plan to address, resolve, and prevent it from becoming pervasive, anew. In summary, I recognize my role in securing information now and ensuring that others are educated regarding their role. This is one of my primary motives for blogging. Based on this, I call on my IT industry counterparts and their employers to do the same. Non-IT professionals can help as well, by sending or presenting this article or ones similar to it to educators, Parent Teacher Organizations, or local and state government representatives. Ultimately, it’s about more than protecting our national infrastructure and ensuring homeland security. It’s about reeducating the current generation and proactively educating future ones. Together, we can make sure that Cybersecurity Awareness receives the focus it deserves, 365 days a year.

Want to learn more about Cybersecurity Awareness month? Visit the following links and forward them on to others.

The White House Blog: http://www.whitehouse.gov/blog/National-Cybersecurity-Awareness-Month/

Department of Homeland Security Cybersecurity Awareness Month Release: http://www.dhs.gov/files/programs/gc_1158611596104.shtm

SANS Internet Storm Center Diary (Daily Posts on Cybersecurity Awareness): http://isc.sans.org/

Justin E. Gehrke (CISSP, CIWSP, MCSA, CompTIA Security+/Project+/A+) is the founder of Geek Shui Living. As a right and left-brained geek, he regularly blogs on IT and Information Security related issues and is available for consulting in the areas of Information Technology, Network Security, and creative web design and development. He really does appreciate feedback from the computing masses, so feel free to transmit your packets to him, via the Geek Shui Living Contact page.
