Cyber Eye: Educated users are still the best defense
Security exploits are coming faster and smarter, according to the most recent Internet threat report from Symantec Corp.
The time frame keeps narrowing for systems administrators to patch vulnerabilities, which is hardly news to anyone charged with IT security, such as David Jordan, chief information security officer for Arlington County, Va.
'Things are not getting any better out there,' Jordan said.
But one of the most effective tools for improving security is affordable and readily available.
'Education is still the best weapon we've got,' Jordan said, 'and it's cheap.'
Malicious code has gotten more dangerous this year, said Tony Vincent, lead global security architect for Symantec of Cupertino, Calif. January's MyDoom worm spread with amazing speed, installing back doors in infected computers. Other worms began exploiting the back doors almost immediately.
Security problems in federal IT systems have been well documented by the General Accounting Office and the Office of Management and Budget, but state and local systems are at least as troubled, Jordan said. Few jurisdictions have chief security officers, and most security spending goes toward physical protection.
'There is a mindset on guns and fire hoses,' he said. 'In the 21st century, it takes more than guns and hoses to protect a community.'
Jordan said Arlington County began focusing on cybersecurity about three years ago. Because the county is home to the Pentagon, Reagan Washington National Airport and numerous intelligence facilities, it is a vital part of the national security fabric.
'We don't have the luxury of denial,' he said. 'We went out and hired a CIO and staff when private-sector jobs were thin and talent was rich.'
As CISO, Jordan has found that improving security does not necessarily mean big projects. 'If you follow basic, fundamental practices, you can secure your networks,' he said.
Those practices include safely configuring and promptly patching systems plus using commercial programs' built-in tools to block dangerous code. But the most important aspect is making sure employees know how to use their systems safely.
Governments 'have to spend time educating their employees,' Jordan said. 'The information security officer's first job is to be a marketer.'
That job includes selling senior management and elected officials on the business case for cybersecurity, to free up funding.
But education also is needed for the rank and file. Jordan said he conducts security orientation sessions with new employees every two weeks.
The end user is the final line of cyberdefense. An educated user who knows what to do in a crisis can be more effective than thousands of dollars' worth of software, he said.