Permission to Republish: This article may be republished in ezines, newsletters, and on web sites provided attribution is provided to the author, and it appears with the included copyright. Although advance permission is not required, please notify us at egibbs@myinvisusdirect.com when you use this article.
It used to be that, if you wanted to surf the Internet, you simply turned on your computer and logged-on to your browser. It was a safe and richly rewarded experience for communicating, educational, entertaining, researching, and shopping purposes. With companies like Yahoo.com and Hotmail.com/MSN.com offering free email accounts, soon everyone under the sun had at least one account. Some have been known to have four or five accounts. Some even had as many as ten different accounts.
As consumer use expanded online, it wasn’t long before the criminal elements found a easy way to make a quick buck with little or no risk of getting caught. Thus, a whole new industry was born. Hackers, the ones looking for a fast and easy buck and the ones looking to make a name for themselves by shutting down computers at major businesses or organizations, thereby creating havoc among all concerned, came into existence. Through their hacking, spamming, phishing, pharming, and keylogging activities, they stole identities, personal and financial information, and simply created an overwhelming annoyance.
The hackers via their devious conduct spawn a new industry: the anti-virus software industry. Thus was born a wealth of major and minor players selling off-the-shelf software to combat the virus attacks, software to combat the spyware, combined software to combat both, and more. Internet service providers soon jumped on the bandwagon and offered their version or a partnered version of the anti- software. In the meanwhile, the hackers always seemed to be two steps ahead – ahead of the industry and ahead of the law enforcement authorities.
Enter a new concept:
It is no longer sufficient protection for the consumer, business, or agency to purchase off-the-shelf software packages. Although they are excellent products at what they do, there still remains a void where the hackers are prevailing.
If I may use a fishing analogy:
It is no longer safe or productive to go after them with one, two, or more fishing lines that are baited to catch the target or targets they are created to catch. What is needed is more productive approach, a multi-purpose fishing net approach in order to:
- catch the dangers,
- prevent future attacks,
- alert when new threats are in existence,
- be mended and updated daily,
- become invisible to the preying eyes of the barracudas, and
- have a team of extremely well trained and proficient net menders.
This fishing net approach is just coming to light for the past 2-3 years. Known as a comprehensive, or managed security services, it is presented to the consumer as a subscription service, similar to subscriptions he would purchase for his Internet access, his telephone, his cable TV, or his daily or weekly newspaper.
According to the CERT® Program, part of the Software Engineering Institute (SEI), a federally funded research and development center (FFRDC) sponsored by the U.S. Department of Defense and operated by Carnegie Mellon University, “Organizations must practice strong computer security. CERT is also continuously researching various aspects of computer security that can benefit organizations.”
The primary goals of the CERT program are to ensure that appropriate technology and systems management practices are used to resist attacks on networked systems and to limit damage and ensure continuity of critical services in spite of attacks, accidents, or failures.
The SEI advances software engineering and related disciplines to ensure the development and operation of systems with predictable and improved cost, schedule, and quality. CERT, the home of the well-known CERT Coordination Center, studies security vulnerabilities, research long-term changes in networked systems, and develop information and training to help their clients improve security.
When designing malicious code, attackers often take advantage of vulnerabilities in software. In 2006 alone, the CERT Coordination Center received more than 8,000 reports of vulnerabilities. But many of these vulnerabilities are a result of software defects that could easily have been avoided. Through secure coding initiative, CERT is identifying common programming errors and developing secure coding standards to reduce the number of vulnerabilities introduced into software.
The field of survivable systems engineering explores the current state of systems to identify problems and propose engineering solutions. The work described below focuses on the development lifecycles for both new development and COTS-based systems. It includes analysis of how susceptible these systems are to sophisticated attacks and suggestions for improving the design of systems based on this analysis.
Note: To download a copy of their pdf-format, 64-page copy of the CERT Research Annual Report, click here.
The Annual Report describes current CERT Research projects in terms of problems addressed, research approaches, expected benefits, accomplishments, and plans. Each project is also summarized and links within project summaries lead to longer project descriptions.)
Remember: When you say "No!" to hackers and spyware, everyone wins! When you don't, we all lose!
© MMVIII, Etienne A. Gibbs, MSW, Internet Safety Advocate and Educator, and www.SayNotoHackersandSpyware.com
Comments(6)