In the past decade the internet has surpassed all expectations and changed the lives of us all. The World Wide Web holds little or no safety for the end user. Very much like the Wild West in the 1800s, the opportunities and possibilities are endless; however, so are the dangers. Everyone has to watch his/her back because of the unscrupulous gangs of identity thieves and scammers that are just waiting for you to walk into a trap. Online self-defense is a necessity.
There is an arms race going on between the dark and white forces; a Sisyphus work of building defenses which are in turn being defeated in a seemingly endless cycle. How can we ever break out of this cycle to finally feel and be safe?
Trust, together with encryption, is the keys to this goal. While most of the internet traffic is unencrypted and untrusted in origin, it is vulnerable to attacks. Obviously encryption by itself is not the silver bullet; it has to be done right, together with trust management and without exceptions.
This can’t be done overnight. Wherever possible, encryption should be used with proper key management. This would close many holes in the system, no longer exposing end user data to the attackers. The end user needs to be educated and forced to use the more secure – encrypted storage and protocols whether it’s HTTPS, SFTP, DNSsec or IPsec. Also email encryption and digital signing has been available for decades, but is rarely used by the general public.
It’s up to us, the IT pros, to set the standards, to configure secure defaults on our systems and in our products. We have to insist on using the most secure options, no compromises.
Many of us use VPNs which are de-facto encrypted by default, but many other services are not! We need to fix this. The best start would be:
- use encrypted storage, internal and external
- use IPsec on your intranet
- force HTTPS/SFTP on your website/webmail
- force SMTPS/IMAPS/POPS on your email server
- introduce email signing/encrypting
- enforce proper key management
More advanced securing can be achieved by employing DNSsec and NTP over SSL. Also a good idea is to pass proprietary/custom/3rd party protocols via SSL/TLS/IPsec tunnels.
When the majority of IT pros start following these basic rules, the situation will improve. It’s going to take time, but I am optimistic that we will get there.