Until the year 1955, polio was a scary fact of life in the United States. Polio is a disease that is easily transmitted by human-to-human contact, and can have lifelong debilitating results. Along came Jonas Salk’s wonderful vaccine and the next generation didn’t need to worry about polio anymore. All we needed to do was get a shot. But did you know that there is a section of the population that cannot get vaccinated? People who are on chemotherapy or drugs that affect the immune system are unable to get the vaccination. Those people, the unprotected, are relying on the rest of us to be their protection. If the rest of us have had our polio vaccination, the disease isn’t hanging around waiting to get them. Our vaccination protects those who can’t protect themselves.
In the same way, by defending our information systems we create a more secure world for those around us. Leaving our systems vulnerable to attackers not only allows the attackers access to our systems, where they can read, modify and destroy our data, but it gives the attackers a jumping-off point to stage attacks against our virtual neighbors. Because our systems were weak, theirs may be at risk.
One of the most obvious examples of the symbiotic nature of our information systems is email servers. In general we trust the sending email servers that have been trustworthy in the past. So if MaAndPa.com’s email domain has always been legitimate in the past, our email servers assume that messages coming from that server are still legitimate.
If a hacker discovers open relay access to MaAndPa.com and begins sending out malicious emails with phishing or malware embedded, our email servers may not immediately flag those messages as bad. Those messages may find their way into the inboxes of our employees with a potential data breach as the result.
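The open relay described above is usually a configuration mistake rather than a software bug. The following is an added illustration, not configuration from the original post or from any real MaAndPa.com server: it shows two fragments of a Postfix `main.cf` (assumed MTA; the LAN range 192.0.2.0/24 is a constructed documentation address), the first of which makes the server an open relay and the second of which restricts relaying to the local network and authenticated users.

```ini
# /etc/postfix/main.cf fragments (constructed example, Postfix 2.10 or later)

# --- Weak configuration: treating the whole internet as "my network"
# means permit_mynetworks relays mail for anyone. This is an open relay.
mynetworks = 0.0.0.0/0
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination

# --- Corrected configuration: only loopback and the organization's LAN may
# relay without authentication; everyone else must authenticate (SASL) or
# may only deliver to domains this server is responsible for.
mynetworks = 127.0.0.0/8, [::1]/128, 192.0.2.0/24
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
```

To check what a running server actually uses, `postconf -n | grep -E 'mynetworks|smtpd_relay_restrictions'` prints the values set in `main.cf`; a `mynetworks` value of `0.0.0.0/0`, or a relay restriction list that ends in a `permit`, is the setting to fix. Because the last-seen value of a parameter wins in Postfix, both fragments must never be present in the same file.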
If Ma And Pa’s web server is compromised and taken over by a hacker, that server can become an anonymous base of operations for attacks against any system around the world. By not properly defending their own servers, Ma And Pa have provided the hacker with the means to perform more attacks against their virtual neighbors.
Allowing that kind of anonymous attack will embolden hackers. When they know there is no accountability for their actions they will try more serious and damaging attacks. Knowing they may be caught is a deterrent which can discourage illicit activity.
Consider the untargeted computer virus. The best known type of computer virus is the type that automatically spreads to any system it can get its hands on, infects that system and then looks for more victims. This virus is well named, as it bears a striking resemblance to human viruses. It requires two things: a vulnerable host system to infect, and interconnectivity with other potentially vulnerable systems. By installing anti-virus on all our systems we are reducing both the number of infected systems AND the number of systems actively searching for more victims.
The protection of the internet community is not easy to quantify for a cost-benefit analysis, and most companies are going to spend significantly more time weighing the potential effects to their own systems. But being a way-point in an attack can have a significant reputational impact, and that should be considered when an organization decides whether or not to implement certain countermeasures.
Protecting the systems of our neighbors is not the primary reason for enterprise information security systems. But it should be a piece that is considered. And in this era of interconnectivity and e-commerce it should be expected of every company with an online presence.
55 years ago we took a huge step by inoculating against polio. As a result, polio is almost unheard of in the US. Similarly, today we can work to stamp out many types of security threats simply by achieving a high degree of adherence to general security guidelines. If we each do our civic duty, maybe we can see the end of untargeted viruses in the next few years.