Sunday, November 3, 2019

The Security Predicament

The more I follow network security issues, the bigger the job of security appears. Online business activity has been with us since the 1990s, and many managerial structures still don’t have Chief Information Officers, much less Chief Information Security Officers. Even where these positions exist, their authority is limited. As long as InfoSec isn’t represented in the board room (and is considered a second-tier matter - a cost to be minimized), we as users are on our own. Beyond complying with policy to satisfy the boss, we have a responsibility to ourselves to handle security better than our organizations do.

My latest formula with which to observe the broad security situation is this: there are three zones of concern, namely You, Them and the Connection between You and Them.

You - this includes any account or device under your direct control or ownership.

Your Connection - this is the Internet Service Provider, or more properly the server(s) through which you get to the outside world, operated by their administrator or administrators.

Them - this is the other end of the conversation, including businesses, government entities or other individuals or groups served by their Connections.

Problems are possible in any of the zones, but we should consider mitigation possible in only two of them. Let’s say you’ve locked down your own devices and are using best practices. Let’s also say the server admin between you and the world is also locked down and behaving cautiously. What happens next? You connect with someone or something outside the control of either you or the admin.

One can affect or at least observe problems at the position of oneself or one’s own connection to others. The situation on the other side of the connection is anyone’s guess. So:

1. Maintain your own material and situation as best you can, using my “go to the PUB” advice (pay attention to Passwords, Updates and Backups).
2. Use whatever influence you have to assure the quality of your Connection, and attempt to give out as little information as possible through this connection to the other end of the communication.
3. Monitor the situation with the people and organizations with which you communicate, and keep track of the information you’ve given to these organizations, which you therefore no longer control. For example, watch your credit card statement and contact that institution about any bogus charges. Challenge inaccurate information about yourself.

... It looks like maintaining your stuff, giving out as little info as possible and monitoring the other end would be the only three courses of action capable of improving network security, at least from the user’s point of view. In the larger world, it’s still the wild west and could become even more so. There are APTs (state-sponsored bad actors), organized crime elements, software bugs, hardware bugs, poor decisions within software development projects, political protest hacks, social media abuse, natural disasters, program or code incompatibilities and more things that won’t fix themselves.

We’re on our own.