There are a few movements afoot to help improve security, and the intentions are good. However, to my mind some are just more organized versions of what we already have too much of: pointing out what’s wrong, instead of rolling up your sleeves and fixing it.
Wendy Nather
As I read her short article — please read it and then come back — I nodded my head in agreement. The information security community is good at shaming. We’re good at pointing out where the problems are and offering advice on what to do about them. We know the computers our kids use at school are unpatched and full of viruses[1]. We know the owner of the local wellness center asks us technology questions because she has no budget for an IT guy. But we do nothing.
Wendy suggested information security professionals needed to put up or shut up.
Now, if you would like to take actual steps to help make things more secure, here are some examples of what you could do:
* Adopt an organization near you. Put in hours of time to make the fixes for them, on their actual systems, that they don’t know how to do. Offer to read all their logs for them, on a daily basis, because they don’t have anyone who has the time or expertise for that.
* Fix or rewrite vulnerable software. Offer secure, validated components to replace insecure ones.
* Help an organization migrate off their vulnerable OSes and software.
* Do an inventory of an organization’s accounts — user, system, and privileged accounts — and lead the project to retire all unneeded accounts. Deal with the crabby sysadmins who don’t want to give up their rlogin scripts. Field the calls from unhappy users who don’t like the new strong password guidelines. Install and do the training and support on two-factor authentication.
* Invent a secure operating system. Better yet, go work for the maker of an existing OS and help make it more secure out of the box.
* Raise money for budget-less security teams to get that firewall you keep telling them they need. Find and hire a good analyst to run it and monitor it for them.
* Help your local school district move its websites off of WordPress.
* Host and run backups for organizations that don’t have any.
I read that blog post and I started to think that perhaps I needed to find out “how to help” instead of just offering advice. I thought about it for a while. I hesitated because my income is based on consulting. It’s partly based on advisory. Did I really want to give away my services for free?
I love the local business community in the Princeton and Montgomery Township area. I feel it has a “help each other succeed” vibe.
So, to cut to the chase. Here’s what I’m offering my small-business colleagues (I’m using the US Small Business Association definition of small business). I am offering my cyber-security expertise to help you secure your systems and applications. I will create an inventory of your systems and accounts. I will patch and upgrade your servers. I will configure them as securely as I can to enable your business. I will help you implement a backup solution against loss of data and service. I will put in the hours to review your system logs to find out if your systems were ever compromised. I’m here to help.
[1] My brother-in-law has been hit twice by “school work” viruses.