Friday, February 1, 2008

My security outlook

As a n00b in the security world, I have still to prove myself as a true security professional. Until then, and perhaps building up to that, I'm going to go ahead and post my thoughts and hope that the day comes when people point at this blog and say "He said it there months/years ago!". Here's hoping!

There are many facets to information security, as we all know, and no one blog post can touch on them all. I want to touch on the consumer side of things in the area of malware and online identity protection. As much as security experts focus on malware scanning and detection, you'd think we could be in a safer state on the Internet. We aren't, and I think I know why. If you arrest a meth addict and throw him/her in jail, what have you accomplished? Virtually nothing. The addict will be in jail for a while, able to obtain meth in jail, and will emerge still addicted. Even if they can't obtain drugs while in jail, they will still emerge addicted or go back to the same group of friends and get back into it. With malware we see the same trend. If a computer user spends his time browsing a particular kind of site, he gets infected. Maybe he cleans his computer, but he continues to visit the same sites, and will continue to become infected. So by identifying malware on your computer and cleaning it, you've managed to arrest the meth addict, accomplishing very little.

Drug addicts have a better chance of going clean if they change their surroundings and who they talk with. If they stop hanging around the same friends that use, they aren't tempted to use again (as much, anyway). Also, if the drugs are harder to come by, that helps. That's why many attorneys general are focusing on finding the drug labs/sources. Finding the labs/sources of malware is significantly more difficult, but not impossible. Changing the environment is another story.

My point is, to boil things down, that we have malware detection (telltale signs of the meth addict), and we have people searching for the labs/authors (attorneys general's initiatives), but we have done almost nothing to change the environment that general users are operating in. Sure, we release security patches for software, and come out with new versions of operating systems, but how many actual users have patched systems, or have upgraded to the new operating systems? Pathetically few. That's because we haven't brought security to the masses. It's time to educate the users. Fewer vulnerable computers on the net mean fewer places for malware to spread to. This means smaller botnets, and fewer losses of personal info. Any AUP author can tell you the key to enforcing it is educating the users. Now we need a public AUP or, as I like to call it, SUP (Suggested Use Policy, or Smart User's Policy, Smart Use Policy, Stupid User's Policy, Safe Use Policy - it's that versatile of an acronym) :) I understand that we can't reach everyone, and that some people just won't listen, but if we can teach people to drive a car, we can teach them to drive a computer.

So how do we do it? Well, I call upon ISPs to start educating their users - less malware traffic on the ISP's network means less bandwidth wasted, so there is a monetary incentive for it. I also call upon security people with an affinity for words to write "For Dummies" books, or other info security books written in straight English/German/etc. (i.e. not in geek language). I also call upon security professionals to write blogs that educate general users. And lastly, if you advertise security, provide it! (Hint, hint: ScanAlert, Microsoft, Apple).
