Why IT security is not optional

Whether it is patching that outdated mail server, looking for security issues in outdated code or preparing for a security audit. Most often companies procrastinate on those tasks. It is not on their priority list. That can be dangerous.

The world is full of different people and everyone has their personal strenghts and weaknesses. To narrow it down we assume we can categorize people by two traits.

  1. Technical Knowledge (good/bad)
  2. Intentions (good/bad)

That makes 4 different combinations.

  1. Bad Intentions and Technical Knowledge
  2. Good Intentions and Technical Knowledge
  3. Bad Intentions and Bad Technical Knowledge
  4. Good Intentions and Bad Technical Knowledge

Let’s give them some names. We call 1. a Cracker, 2. a Hacker, 3. a Scriptkiddie and 4. A Non Techie.

The following scenario is very common: A Non Techie uses some tutorial to set up his own Wordpress server for his webpage. If something does not work as expected he will ask Google and probably find some fixes like chmod 777, iptables -P INPUT ALLOW or setenforce 0. He will use that commands without thinking what they actually do. As soon as his webpage is live he does not think about that server anymore. Very soon some scriptkiddies will pay him a visit. No not on his website but they will take over his entire server and use it for DDoS attacks or to send out spam.

Then there is another group of people called Hackers who have a broad knowledge about IT in general including security. Some of them may have their own business that builds and hosts web applications for the payment industry, healthcare or aviation industry. But as we all know: “Setup is cheap, maintenance is expensive”. If maintenance tasks are not fully automated there will always be something that seems to be more important. Murphy tells us that eventually those servers will have the same fate as the Wordpress servers. But it will not be the script kiddies that break in. It will be attackers who know what they are doing and why they are doing it (Crackers).

What makes this even worse is that applications often run within containers nowadays. If that system is not secured properly there are ways to break out of the container. In that way an attacker may take over a complete system with highly sensitive data. The results can be catastrophic.

IT security can never be optional.