Brown Hat Security - Attack Surfaces

To secure a building, you need to lock and alarm windows and doors, and restrict the capability of people to enter and exit to a known, monitored entrance. Information systems require the same kind of care and attention, though they frequently do not receive it.

Many home and business systems are, effectively, outhouses standing in a field; there is little protection against anyone who seeks entrance, and the doors are largely unmonitored; it's only if the inhabitants of the outhouses happen to notice that living conditions have gotten more crowded of late (or if someone comes in and kicks over the table and shouts at them about a stickup) that anyone takes notice that something is amiss.

Worse, the 'distance' between the outhouses is measured in milliseconds rather than miles; the inhabitants of most of them don't realize that they can reach out and touch almost anybody with only a minimum of effort.

Effectively, everybody lives on the "front lines" of an ongoing conflict: the difference between a high-value military target and your home computer is a couple of digits in an IP address, and any reasonably competent attacker can knock on hundreds of doors in a second.

An attacker who knows what they're looking for can, with freely available tools and a few dollars' investment in the infrastructure to take advantage of them, look for a given vulnerability across the whole of the internet within a couple of hours.

If you have an internet connection, then you are subject to the same level of scrutiny as any high-value corporation or military target by anyone who has the curiosity or mission to scrutinize you as such. You do not have the luxury of thinking that you have nothing worth being interested in - if nothing else, you are suitable for parting out by criminals or can be held for ransom for as much as someone cares to take you for.

Just like the big corps and governments, then, you have to fortify yourself against the attackers - you have to lock and alarm your doors and windows, and put a guard at the front door. If you know how to build walls, set up guarded tunnels, and hire watchmen yourself, that's all to the good. If you do not have that capability yourself, negotiate with someone trustworthy who does.

This is why a niche exists within the overall discipline of Information Security that, while not particularly interesting, is nonetheless highly necessary in a highly connected world. Much as there are doctors specializing in family practice, lawyers who specialize in family law, and accountants who handle the family books, there is an absolute need for family practice information security, to give at least a semblance of security to the otherwise vulnerable shacks scattered in the open fields.