While we do need to approach security differently and follow the “five things to know” advice as mentioned in the article, I’d like to add also that we must be patient because achieving security is not easy, for the following reasons:
- Getting everyone to do the right thing is not easy. An example of this is BCP38 aka Source Address Validation Everywhere (SAVE), which has been around since the year 2000 but the adoption (or even the awareness on the topic) is still quite low. Paul Vixie discussed this at APNIC 38 last year – a short interview on SAVE is at the end of this post and worth watching. So we will continue promote RPKI, DNSSEC and initiatives like Routing Resilience Manifesto when we have the opportunity.
- Getting people or organizations to collaborate or share information is not easy. A lot of this has to do with trust and the limitations laws that restrict cross-border collaboration and information sharing. In fact, we hear this all the time in our engagements with law enforcement agencies (LEAs) and CERTs/CSIRTs – that the “bad guys” tend to share information more effectively than the good guys. We have to change this, of course.
- Getting everyone to understand security is not easy. Many of the advanced persistent threats (APT) use non-advanced techniques to get in (i.e. social engineering). People have different ideas about what a threat is, how attacks are carried out and how an organization can be more prepared. So, instead of doing just a lecture on ‘cyber security’ or ‘firewall 101’, we find exercises or role-play is more effective in creating awareness and highlighting it is not just an “IT thing”.
Just like everyone else, we understand there is no silver-bullet for making security better. At the same time, we are not ready to throw in the towel and will continue to do our bit by contributing to capacity building efforts and creating awareness.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.