Recently I had to empty my home office of old magazines and books to get new carpet installed. I found security conference proceedings dating back to 1989 and decade-old IT magazine security articles. As I paged through I realized that most of what I read could be written today.
Sure, the buzzwords have changed. But you only need to replace references, like, "Morris Worm" with "Blaster", "public key" with "elliptical cryptography" and "Chernobyl" with "Mydoom," to recycle the stories. Even articles such as "Getting management's attention" and "Improving user awareness" could be reused word-for-word.
The only thing that's changed is there are more malware stories today. I recently spoke on e-mail security and focused my presentation on how Internet-based attacks have remained consistent over time.
Clearly, attacks have evolved to take advantage of new technologies. For example, computer viruses were originally spread through floppy disks; then, they spread via Web sites and newsgroups. And, with the growth of file attachments, viruses spread through e-mail. Today's viruses find instant messaging file transmissions a rampant spawning ground.
The computer community is shocked when a (supposedly) new attack is discovered. When in fact, it's just another version of a different attack. New attacks are extremely rare; most threats are a different buffer overflow, a new adaptation of phishing, or another exploitation of poor passwords or computer settings. It shocks me that some companies were hit by Code Red, and then by Nimda only months later.
People ignore recent events, and sometimes overlook history. What's more numbing is that some security professionals don't even know the history. As a director for a local ISSA chapter, I was privy to a study that said that 70% of ISSA members have been in the security profession less than three years -- which exposes some unique issues.
While today's attacks come more frequently, and with less warning, there's no magic to computer security. Good security programs involve proactive and steady countermeasures. Security programs that acknowledge history by implementing security basics, including good configuration baselines and updated patch management and antivirus software, are most effective.
Network security professionals often relish in "the good, old days," and those with 10 years or more have valuable experience to share, which could be developed into reading lists or even articles about lessons learned. If you're new to the profession and want to improve your skill set, take a break from reading about the latest technologies and dig in to some outdated, but relevant security books and articles.
About the author:
Ira Winkler, CISSP, CISM has almost 20 years of experience in the intelligence and security fields, and has consulted to many of the largest corporations in the world. He is also author of the book, Spies Among Us.
This was first published in September 2004