Don't Get Security Sucker-Punched

 
 
Jim Rapoza, Chief Technology Analyst, eWEEK.For nearly fifteen years, Jim Rapoza has evaluated products and technologies in almost every technology category for eWEEK. Mr Rapoza's current technology focus is on all categories of emerging information technology though he continues to focus on core technology areas that include: content management systems, portal applications, Web publishing tools and security. Mr. Rapoza has coordinated several evaluations at enterprise organizations, including USA Today and The Prudential, to measure the capability of products and services under real-world conditions and against real-world criteria. Jim Rapoza's award-winning weekly column, Tech Directions, delves into all areas of technologies and the challenges of managing and deploying technology today.
By Jim Rapoza  |  Posted 2009-04-01 Email Print this article Print
 
 
 
 
 
 
 

Jim RapozaIs the devil you know—and expect—better than the one you don't?

Consider this: You run into person No. 1—let's call her Melissa—on the street. Without warning, Melissa hits you in the face and then proceeds to beat you up as you lie on the ground.

Then, person No. 2, Michelangelo, walks up to you and calmly states that in two weeks time, at exactly 2 p.m., he will beat you up. Then he walks away.

Now, while neither is a pleasant scenario, I have a feeling that the majority of people would rather run into Michelangelo than Melissa.

While there is definitely fear and trepidation about the impending date Michelangelo gives you, at least you can do something about it. You could make sure that a couple of big friends are with you at the appointed time, or take martial arts training, or notify the authorities, or just get out of town. At least you can prepare in some way. With Melissa, you are down on the pavement getting beaten up before you even know what hit you (literally).

Likewise, it's easier to deal with a computer virus or worm that purports to hit on a certain day rather than one that just hits. The latter is the one you really need to worry about.

But, strangely enough, people take the opposite attitude with these viruses. Try to tell someone about a dangerous new virus, and you're likely to get little interest. You'll get responses like, "Yep, I hear those viruses are nasty. That reminds me, I need to patch my system and update my anti-virus—maybe I can get around to that next week."

However, if you say that the same virus will hit on a specific date—say, April 1—people get a lot more interested. "Wow, it's like a time bomb! What do I have to do to protect my system right away?!"

To a large degree, this phenomenon is driven by those of us in the media. Tell a reporter, especially a general media reporter, about a dangerous new virus, and he or she will see it as just another in a long line of viruses. But tell the reporter that the virus will do something dastardly on a specific date, and suddenly the reporter is much more interested in telling the story.

Personally, I tend to be of two opinions on this.

As someone who has been writing about security for a long time and who is often frustrated that people and businesses don't take computer security seriously, I welcome anything that gets people to sit up and pay attention to security.

But I also get frustrated that the people who pay attention to these time bomb viruses spend most of their time being blase about security or actively ignore basic security practices that would protect them from just about anything.

Oh well, if you can't beat them, join them. Maybe we in the security community should embrace this time bomb obsession and regularly report that there are viruses and worms that will take effect on a specific date.

I can see it now. People, I must warn you—there's a dangerous virus out there. [Snore.] It will steal data from your computer and compromise your identity. [Whatever.] Ummm, it will also find every embarrassing picture and e-mail on your system and send them to your parents. [Uh oh!] And it will look at your iTunes list and tell all your cool friends that your favorite artist is Engelbert Humperdinck. [Oh no!] And it will take effect on Mother's Day! [Ahhhh! Call IT—we need to protect my system!]

OK, if I did this I would be fudging the truth a bit. But it might get people to pay attention to security. And that's definitely better than an unexpected punch in the face.

 
 
 
 
del.icio.us | digg.com
 
 
 
 
 
 

Submit a Comment

Loading Comments...

 
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Rocket Fuel