Security: And You Trust The Internet?
I just finished reading a book last weekend called: 'Fatal System Error', by Joseph Menn. He's a journalist who covers cyber security for the Financial Times after a decade on the same beat at the Los Angeles Times. The tag-line of the book is: 'The hunt for the new crime lords who are bringing down the Internet'. Definitely interesting reading, and these few highlights from the book are eye-opening indeed...
The book goes into the M.O. of the gangs in Eastern Europe and also the fact that those governments are not really interested in doing something about it. On the contrary, they now and then -use- these gangs for DDoS attacks, e.g. Georgia recently. Three interesting points he made in the book were:
1) More education is required. People who won't let their lawns go uncut out of respect for the neighbors need to realize that turning on a PC without a strong firewall and without an OS and antivirus that each update automatically is like leaving a loaded shotgun on the front porch for passersby. It almost guarantees their computers will be compromised and used for nefarious activities.
2) One expert mentions: "It's incredibly disturbing, the engine of the world economy is based on this really cool experiment that is not designed for security, it's designed for fault-tolerance. You can reduce your risks, but the naughty truth is that the Net is just not a secure place for business or society".
3) And then the thing that really got my interest, Vinton Cerf, who was the co-author of the core Internet protocols, said: "My thought at the time, thirty-five years ago, was not to build an ultra-secure system, because I could not tell if even the basic ideas would work." And here comes the kicker: "We never got to do the production engineering". By that he means the version ready for prime time. So there you have it; Internet Protocol is really still in Beta. And most experts agree it's broken. You -really- need to take all measures necessary to make sure your organization is safe on the Internet.
Cybercriminals have found a new, rich hunting ground: small businesses' bank accounts. The average monetary loss for a cybercrime attack is $395,000, CSO Magazine reported (link below). The Wall Street Journal on Feb 8, 2010 had a major story on this. There was a side-bar that showed some interesting numbers about the causes of security breaches at small and midsize companies:
- System breakdown/hardware failure: 47%
- Lost/stolen laptop, SmartPhone or PDA: 44%
- Human error: 39%
- Loss/Theft of backup tapes or devices with sensitive data: 35%
- Improper / out-of-date security: 32%
- Natural/on-site disaster: 26%
- Employee sabotage: 25%
- Improper security procedures or education: 19%
- Unsure: 4%
Ronald Reagan said “Trust but Verify”. Firewall, AntiVirus, Regular System Maintenance, Common Sense, and Vigilance are required to keep your business networks safe whilst exposed to the Internet.
CSO and Deloitte have published some recent figures. Check it out at: