Firewall Wizards mailing list archives
Re: The home user problem returns
From: Mason Schmitt <mason () schmitt ca>
Date: Tue, 13 Sep 2005 18:58:27 -0700
> > I also don't think the user education problem is an epidemiological one either. To suggest that ignorance to a growing and changing computer security environment is somehow like a rapidly spreading pathogen is a little bit of a stretch.

> I'm sorry, I really screwed up my explanation. Can I have another throw?
You may :)
> Don't look at the problem from a "successfulness of prevention" standpoint, look at it from a "propagation of failure" standpoint. With something like AIDS, if you can make a significant percentage of the population aware of the problem, you've made it possible for the "aware people" to enclave, meet, and breed, and isolate the "unaware people" or those who have decided to argue in favor of natural selection by taking risks anyhow. So, in an area where you can educate 50% of the population about something like AIDS you've got a fair chance that the 50% you educated will survive. Now, look at Internet security. If I educate 50% of the population about the need to worry about security, I still lose - horribly - because the other 50% of my population fails and their machines are used to attack the educated 50%!!
Up to this point, I think that the basic education I'm suggesting works well in the home user's favour. If the newly educated home user is now chanting our mantra, they are going to have a reasonable level of protection from most of the automated attacks which is a big win.
> That wouldn't be a problem except for transitive trust(*)

I was only introduced to transitive trust when you started up a thread a while back concerning the CardSystems problem, so I'm obviously new to the details of the problem. So, a quick question if I may. Do spoofing attacks such as phishing fall under transitive trust? I'm fairly confident that pharming does.

> - a big chunk, I have no idea how big, of the educated 50% would find themselves vulnerable to attacks from trusted parties and would be vulnerable, and then you'd very quickly be left with the only survivors being those who didn't trust anyone.
If I'm reading this right (and I doubt I am, because I can't imagine you saying such a thing), you're suggesting that our newly minted residential security guru is going to have some sort of trust relationship with other home users on the net or even the same ISP? There is no trust relationship. The trusted parties that I can see actually being exploited themselves and thus being involved in attacking our home user (via the pre-existing trust relationship) are going to be the user's ISP's DNS servers and maybe mail servers, Windows Update site, anti-virus update site, maybe some others like that. Or if they are attached to work via a VPN - problems at work. Now, stepping outside of actual network attacks, you start to get into identity theft through the home user's interaction with e-commerce sites, their bank, their government... yada yada yada. Is this the scope of the transitive trust issue? If it is, then I'd say that we made some great headway by getting home users to do a modicum of host hardening on their home PC; this will deal reasonably well with automated attacks and even some social engineering ones such as Anna K. If I'm missing something please help educate me.
> Another factor is that the environment would become poisoned after a certain point. I am on a satellite internet hookup (pity me!) and when there's a new worm out there doing a lot of scanning I can pretty much rest assured that I will have no internet access for 2 or 3 days. I call this "adaptive packet clogging intrusion prevention" -- it's effective but annoying. Wait 'til Gartner hears about it.
ROFL!!
> So, that's a lot of why I am so hard on the topic of user education. Unlike other problem areas where education is effective, user education in computer security is of questionable value because the propagation effect of one user making a mistake can overwhelm the results of your educational programme instantly. We've ALL heard the stories of the dweeboid executive who brings his laptop into the corporate WAN and plugs it in and releases something awful behind the firewall, right? Well, in 1/4 second, the entire educational programme at that organization was utterly mooted. When you're fighting AIDS or illiteracy, local failures do not propagate into massive system-wide failures. Please - don't get me wrong: education is great. But if corporations want to improve their security, it's not a particularly effective investment.
Right, but the rogue laptop user connecting to the soft underbelly of a corporate network is very different from our single home user scenario. Very different. Perhaps you are correct that user education in corporations is a lost cause, but I still don't think I have sufficient reason to doubt that home users are a lost cause. They're the ones that we're so worried about, aren't they? Isn't that what we've been talking about, or have we moved on to user education in general rather than in a specific context?
> [Below I will use the term "Mechanism" here to abstractly mean "technological enforcement system" - firewalls, AV, attachment stripping, IPS, APCIP, whatever. Loosely, you can think of it as "something that protects the user whether they want it to or not"]
>
> I guess there's a matrix we'd want to explore:
>
> #1 - No Security Mechanism, No Security Education
> #2 - No Security Mechanism, Security Education for users
> #3 - Security Mechanisms in place, No Security Education
> #4 - Security Mechanisms in place, Security Education for users
>
> I predict that of those 4, the security differences between #3 and #4 would be minor. I further predict that the difference between #1 and #2 would be minor. I would also predict that the largest difference would be between #4 and #1. Put more simply: my guess is that the measurable impact of education versus mechanism is minor. Add some cost factors in and you could make a WAG at an ROI for security education. Then you'd take your education programme out and shoot it.
Very good argument. Again, in the context of an enterprise environment, I agree. Actually, I take that back. In the home user context I fully agree too. If a home user is completely clueless but has the basic protections in place, then they are effectively at #4 on your matrix. That's where most of the "Security Education" needs to be with home users. That's why I keep bringing up the "mantra". If we can just get that far, then we've made a huge win.

--
Mason

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards