One of the large internet service providers has a new commercial advertising its broadband product which now comes with “FREE SECURITY.” Finally, an end to our concerns about computer security and identity theft! The product includes a firewall, anti-virus, anti-spam, and pop-up blocker but most importantly, peace of mind. Keeping information private on the internet is no longer something to concern yourself with, or at least that is the idea they are trying to sell.
Apparently, ISPs have completely given up on educating users. While teaching people how to use their computer safely does seem like an impossible task, I believe selling this idea of ‘security in a box’ actually does more harm than good. Although I hate the idea of spreading fear, a little dose of paranoia would at least keep everyone mindful of what information they distribute.
Most of us would agree with the idea that security is not a product, it’s a state of mind, a journey rather than a destination. Promoting security as an end product relieves users of any sense of responsibility towards their information. With security taken care of, the user is free to download anything from anywhere and forget about all those pop-up windows complaining about software security updates that need to be installed. It is unfortunate, but many IT managers buy into this mindset as well, looking for the next great network appliance that will solve all their problems.
It’s easy to get caught up in all the technical details and forget the real issue: the people using the network resources. As future security professionals, I believe part of our responsibility is to educate users on how to securely navigate the information age, whether it’s our family and friends or even our employers. As long as there are careless users who don’t understand how to protect themselves online, exploiting technology will continue to become more and more profitable.
What would happen if everyone online practiced secure computing? Would viruses and botnets be a thing of the past? Would identity theft disappear? Would the need for security professionals diminish?
To answer the first half of your post, I believe selling a product or a buzzword is a lot better marketing than selling education. “We will make you secure. Period. We take cash, check or money order” works a lot better than “We will teach you proper practices and help you make better decisions”. People don’t want to follow practices or be taught proper maintenance, just as they don’t care how their car works or how to keep it working, since they can always get it fixed.
We, as hacke^H^H^H^H^Hsecurity professionals will always be in need just as jails and prisons will always have occupants since “if everyone just stopped committing crimes” is not reasonable. No matter how secure the kernel, or how tested software is, there will always be vulnerabilities between the display and the chair. Not to mention companies love throwing their money at security-related contractors as that is just good PR.
I don’t know if everyone agrees, but I think that part of our job as security engineers is to build products that don’t easily fall into an insecure state. People shouldn’t have to think about “using a computer securely” and I think this entire argument isn’t placing the blame where it lies…
I think as long as people are willing to pay big money for buggy software, there will continue to be poor software produced. I really hope that the next generation of security engineers can have a positive influence on the current state of software development but until security incidents begin to translate to money lost by the developer, I fear deadlines will win top priority over a quality product.
I think I lean towards the direction Dan alluded to. More responsibility should be placed on developers. I think the best way to achieve a software product with a high level of security is via the concurrence of development and penetration testing. The people who build the system should do their best to try to break the system, fixing all vulnerabilities found before the product is shipped. I think this should happen at ALL stages of the life cycle. There are several clear benefits to this approach:
1. It allows us to make all kinds of Taoist statements about creation and destruction occurring simultaneously, and we all know how much security professionals love Yin Yang symbols.
2. Nobody has more knowledge of the system than its builders, therefore they will be able to deduce the highest number of attack vectors and expose the most vulnerabilities.
3. Over time, secure coding practices will become habitual for developers, because they know if something is weak they will HAVE TO fix it.
4. Fewer patches.
5. More secure patches.
But the question is, how do you enforce this kind of self-discipline?
Also a thought on Yan’s statement: “they don’t care to how their car works or how to keep it working since they can always get it fixed.” The difference is, people need a license to use a car or other types of potentially harmful technologies. If people knew 25 years ago what they know now, would we all be carrying PC licenses?