Tuesday, July 3, 2012

"We are not a target"

Yes you are. Security professionals should be educating executives who make that mistaken assumption, so they understand how valuable their IT infrastructure is by itself, no matter what data is there. Brick and mortar criminals steal fast cars to use when robbing a bank; it’s the same thing for servers on the Internet, email accounts, FTP and web sites: they might not be valuable for the data they hold, but they are valuable tools to be used in attacks against others.

Even when you consider malware such as Flame or Stuxnet, it can still cause you problems (IT downtime being the most common issue) even if you are not the original target, as most of these programs don’t include checks to confirm they are running on their targets only. Even silly stuff, like malware created to steal World of Warcraft credentials, will still affect your systems and can cause issues. Even if it is “benign” for you, it’s someone else’s code (and someone not trustworthy at all) running on your computers.

So, forget about “We’re not a target”. Even if your data doesn’t make you one, you still are one just because you are connected.