We’ve Won the Battle — Users Make It Impossible to Win the War
As a security professional, you realize that security is a process, it’s a state of mind, and it’s a continuous technological game of cat and mouse against the bad guys. In many ways, the situation is no different than that we encounter in medicine. There is a constant race between pharmaceutical companies and bacteria and viruses. Each time a new antibiotic or antiviral agent is developed, the bacteria or virus is able to defeat it by mutating to a strain that is resistant to the antibiotic or antiviral agent. The pharmaceutical companies then need to come up with a new drug to combat the mutated strains. This has been going on since penicillin was discovered and will continue until the end of time.
However, we have reached at least a dynamic balance, and for the most part, the battle against infection has been won. Sure, you read about high-profile cases of methicillin-resistant Staphylococcus aureus (MRSA), but the actual number of cases is infinitesimal. HIV is a bigger problem, but I believe that we’ll win that battle too. However, we’ll likely never win the war.
I believe that we have the same situation in the computer security scene. We have a wide variety of technologies that can be deployed at every level to help us defeat the bad guys. When the bad guys come up with a new worm, virus or trojan, our technologies are updated to defeat it. We’re now in a state similar to that in medicine, where we have a dynamic balance indicating that we’ve won the battle against the bad guys. However, in the same way that we’ve won the battle against infection, we’ll likely never win the war.
Why? Users. Look at the HIV situation. It’s really easy to not get HIV if you adjust your behavior (let’s exclude the unusual cases, such as blood transfusion). It’s really easy not to get a virus, trojan, or bot, or not to lose information to a phishing or other social engineering scheme: just change the user’s behavior.
Users still click on links from untrusted individuals, they still go to Web sites that they should not go to, they still download programs and applications from untrusted sources, they still enter personally identifiable information on phishing sites, and they still open email attachments. They still do all the things they were doing ten years ago, and they’re even doing it in greater numbers and more often.
If you look at the major security incidents in the last three years, you’ll see something interesting. The incidents didn’t take place because there weren’t enough firewalls in place, they didn’t take place because there wasn’t enough AV or AM software installed, they didn’t take place because of lack of perimeterization, and they didn’t take place because of a lack of an SSL VPN.
They almost all took place because the user did something unwise from a security point of view.
We will never get close to winning the war if we don’t require that users meet minimum knowledge requirements for using a networked computer. In the past there were discussions of an “Internet Drivers License” and at the time I thought the idea was ridiculous. It just goes to show that I’m wrong more often than right, because the Internet Drivers License concept is probably the only thing that will get us close to winning the war against bad guys.
I therefore propose that no user should be allowed to work on a networked computer without passing a test and requalifying every year. The test would show that the user can tell the difference between a real email message and a scam message, that the user can tell a safe Web site from an unsafe one, that the user doesn’t open email attachments from untrusted users and can tell whether or not an attachment from a trusted user is safe, and that the user is able to recognize a number of social engineering exploits.
This solution won’t be a panacea, but it will be a major step in the right direction. Will it ever happen? I think so. Governments from all over the world are increasingly insinuating themselves in the personal lives of their citizens, and a national security argument can definitely be made for this type of requirement.
What do you think?
HTH,
Tom
Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://blogs.isaserver.org/shinder/
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

Martha Bagwell Says:
May 27th, 2008 at 1:14 pm
I am in absolute total agreement. It probably would stop the people from using bad behavior altogether, but I think it would certainly slow it down.
Chuck W. Says:
May 27th, 2008 at 1:54 pm
The problem is, “You can’t fix stupid.”
Buck Says:
May 27th, 2008 at 3:33 pm
So, are you trying to tell me that hackers won’t be able to pass the test for a license?
HaHaHa! “PLEASE”!
But, poor old grandpa won’t be able to, so no more pictures of the grandkids from his son 3000 miles away!
Oh, by the way, is this going to cost anything? And if it does, who collects the cash?
What are you going to do about the law breakers, who go online without a license?
Kick their doors in and take their computers.
Maybe if you write the law properly, the Homeland Security could enforce it!
Yeah, that’s it! These damn users are just screwing up the internet for the rest of us, who know how to use it properly!
You go, Dr. Tom!
Comrade Buck
bill Says:
May 27th, 2008 at 4:04 pm
Be careful of what you wish for. Without idiots, who would support all of the techno-spam churned out by those who make a good living writing these articles?
I once believed as you do, give them a literacy test before opening the door. However, I realized the internet would be a boring place indeed, without the silly, the crazy, the foolish and all the problems they bring to bear.
After all, the internet is the only place where you can witness evolution at electronic speed. Wade in and enjoy it.
Dee Jsaan Says:
May 27th, 2008 at 8:14 pm
I first proposed the idea of an “information super highway drivers license” in 1998. I lurked with many other webmasters from around the world in a Yahoo Club called “The Webmasters Cafe” in those golden times. That idea along with a “juveniles only” internet were rather earth shaking to many of my colleagues then. I defended my ideas by suggesting that if you build a colossal forum and allow anyone and everyone on it that you’re cruising for a disaster. Most agreed then that they wouldn’t do the same in the “bricks and mortar” world on a dare.
What I was seeing then was a place most adults had no clue about and the kids had learned about in school. Kids realized the advantage they had and any 8 or 9 year old could surf the net with the same impunity as a legal adult. They could spoof their age to view porn or gain access to chatrooms to hook up for phone sex with others presumably their age.
To me it was clear that the momentum of the seventies CB Radio phenomenon was alive with the new internet “voice chat”. Web Cams were beginning to arrive and a cottage industry of underage “web cam girls” who would “model” for contributions to their “wish list” on the early emerging eCommerce sites which offered blind shipping service. So bigger better web cams, digital cameras, and color ink printers put a lot of girls and their circle of friends in business with the “net-Pervs” who would purchase their photos.
Message boards with primarily sexually oriented topics became popular in this time and any 13 year old kid could join a forum which should have been for 18+. It was like all the laws had been thrown to the wind in a way sixties hippies could have only dreamed of. Drugs, who needed them. Everyone was willing to participate in this sober. For females it was a shot at a world full of men, and for the males it could be a mix of girls and technology. Specifically hacker technology. Many more seasoned code writers could write viruses and post them for “script kiddies” to copy paste all over the net. And this was at the zenith of the DotCom bubble.
Today much of the hope and promise of the Windows 98se and the DotCom times is resurfacing in the Web 2.0 movement. It would be a good time to make sure we don’t have the people on board who made a train wreck of the DotCom days. Had there been a Net Drivers License in those times it may have stopped the “social engineering” that those like Kevin Mitnick blazed the trail for in our net history. Such a drivers license may also facilitate the collection of taxes by the states who are presently trying to collect them from net sales.
Then again, in the old days drivers of T models on dirt roads didn’t have to have a drivers license. But that was then and this is now. I agree with Dr Shinder, the “wild wild west days” of the internet are drawing to a close. In time only the qualified and accountable will get to operate from network computers from work. I would imagine the license rather like the 5 CDL ratings the drivers of big rigs use. From the simplest entertainment/surfer to the ablest Power Users who hold certification in their OS, apps, and may be A+ and network certified.
Just my thoughts.
howiem Says:
May 27th, 2008 at 10:24 pm
Licenses will not stop people from getting tricked, being careless, gullible or greedy. And what happens when someone with a license fouls up? Hard time? or will they have to wear a helmet with “I’m a BSOD” on it? Please…no more government bureaucracies. I thought the only people who advocate more government were those who love to scream about big brother or the socialists who think they know how to run the world. On the other hand this could be a great opportunity for the private sector to set up certification schools, but who will oversee the overseers? Who will be considered qualified to teach…whoops…back to government bureaucracy. And as soon as you implement legal requirements, here come the lawyers to drive up the costs. And of course, we will have to have enforcers, and when you enforce the law, guess who gets to do it….NOT the private sector. Between informal education, trial and error, and better security through technology improvements, people will be better protected. Rushing things by statute is not the way to go, unless you can positively say what the results will eventually be, and no one can say that for certain. The problems will never go away, but they will be reduced, something a piece of digital paper saying “certified” will never accomplish.
Jim Staudt Says:
May 28th, 2008 at 7:34 am
This is the most ridiculous thing I’ve ever heard in my life, and at age 66 I’ve been around longer than dirt. Just another example of power-mad liberals trying to control every aspect of people’s lives. They say life imitates art, and this is evidence of that… Orwell must be spinning in his grave these days.
As for a “license” to drive the internet, it’s similar to requiring citizens to register guns — only people who abide by the law do so. As long as there is an internet, there will be people who abuse it — and they’re smarter than you are, Shinder… get over it.
It’s just sad that there are so many people who think there is a “nanny solution” to every problem.
SMD Says:
May 28th, 2008 at 7:32 pm
I teach computerese - let me tell you, an internet driver’s license requirement would negate use of such by over 50%! Even ‘sales’ people talk in terms of ‘250 gig of memory for storage’. When I overhear such I have to walk away to laugh. I agree with Chuck W. - you can’t fix stupid.
CompTech Says:
May 29th, 2008 at 8:07 am
Oh, farglesnot. Are you REALLY suggesting that we need MORE government and MORE rules in order to protect us from ourselves? The simple truth is, most every one of us learned to ride a tricycle before graduating to a bicycle — and no license or test was required to do either. Nobody is required to take a test before purchasing a product advertised via second class snail mail. Perhaps we should insist on this new government program, too?
Barc Says:
May 29th, 2008 at 1:18 pm
Although Dr. Shinder *mentions* government at the end of the article, his actual proposal is for *networked* computers; i.e., those at a place of employment, by and large.
Smiling Carcass Says:
May 29th, 2008 at 5:00 pm
I’m not sure what the solution is. Whatever happens, inertia and no action, passing of laws to force a competence test there will be those applauding and those booing- and probably some thinking ‘Why all the hoo-ha?’
There is no doubt that incompetent net users put us all at risk because they propagate the trojans and viruses etc. They make it worthwhile for the hackers to write them. These ‘incompetents’ could, in fact might want to benefit from education that must surely come before the proposed test. It could be incumbent on ISPs to check prospective customers for competence or evidence of competence before signing them up. But, probably the ISPs would be against this. And who pays?
Of course, this could be a solution for the unknowledgeable, but what about the reckless who can easily pass the tests, but just don’t care?
I think the idea of internet proficiency tests as a requirement is really a bit of a non-starter. It would bring a regulation to internet use that has been fought against for many years. It would almost certainly change the face of the web. And once we accept the principle of regulation, governments and other institutions would build on it to regulate further.
It makes me think of the motor industry. The safer we make cars, the more reckless drivers become. I am sure there is an element of this. The average user thinks that a firewall and anti-virus protects them completely and they are fully immune to viruses etc. I know people who still say ‘why do I need anti-virus? I’ve got a firewall.’ I know people who do not update definitions - ever! And people for whom I have installed anti-malware applications, set them to automatically run, update and clean, shown them how to use them effectively, then a month later need my help again because they turned them off. ‘It wouldn’t let me go to lesbianlove.com’ or ‘I was fed up of the little pop-ups asking me what to do’.
There are those that can and will, and for those that can’t or won’t, there’s us.
Suncoastman Says:
June 1st, 2008 at 4:15 pm
I have a better idea. Why not have tests for stupid ISP’s that feel it is THEIR right to delete some incoming messages to my O.E. account that are NOT sp@m… these are MY messages, & it is I who should determine what I can & cannot receive….especially PAID newsletters.
Ah, but I can dream, can’t I ?
PDog134 Says:
June 5th, 2008 at 9:33 am
The two most appropriate comments: from Barc, who pointed out that Dr. Shinder was *not* talking about government regulation or licensing - pay attention guys! - and Chuck W., who made the obvious, but usually ignored, point that “you can’t fix stupid.”
That said, you can often minimize the effects of stupid, and you can certainly fix merely uninformed.
I work for the military. It has a policy forbidding many computer practices and visiting non-work-related web sites, from the obvious to some a little obscure. We sign a form saying we understand the policy and will abide by it, and understand the penalties for violating it. We occasionally have to take on-line training in many aspects of computer and web security.
The military does its part as well. As its own ISP, it blocks a lot of non-work-related sites at the router or server level, and on rare occasions some it shouldn’t, like Intel. But there’s a mechanism for correcting the mistakes, and it works well most of the time. (Intel was unblocked in less than two days.)
On the whole the system works. We’re not terribly hindered by the blocking of inappropriate web sites, and with all the email I receive I get almost nothing hazardous. What I do get I either immediately discard or, if it seems serious enough, report. Before opening it.
Are users better prepared to spot phishing, for example, or a possibly compromised web site because of the training? Some say they are, some are already way ahead of the training, and some will never learn. Experience bears this out. Just like in the world at large.
The lesson here is that Doc S. is right. Licensed to “drive” on a (corporate or private, folks!) network? Maybe not. Trained and updated? You bet. And if the employer does its part, the system can work.