Why Internet security for average users?
Hello, my name is Kip and I’m a computer security junkie. My addiction started in 1992 and I’m still at it with no signs of stopping.
One day, while working really hard as the chief information security officer at an insurance company, I realized that so much of our organization’s network security was in the hands of ordinary users of our computers. That no matter how much my team did to safeguard our customers’ confidential data, no matter how much money we spent on our mission, all it would take was one average Internet-using employee to cause major damage, either deliberately or accidentally.
That got me thinking about all my friends and family who have asked me to figure out why their computers were so slow or just misbehaving. And I thought about all the crud I would find when I finally got my hands on their machines. And how it was often impossible to undo the damage, so I erased their hard disks and had them start again from scratch. I heard the same questions: How did this happen? Where did I go wrong? How can I keep this from happening again? They were both mystified and embarrassed.
One of my friends had even spent $40 trying to buy anti-virus software from a browser pop-up window in the midst of his struggles with his computer. All he had to show for his effort was a compromised credit card. More embarrassment and frustration.
The point of this blog is to connect with you so we can figure out how average Internet users can be safe and secure online. My hope is we’ll discover some practical things that anyone can do. And, we’ll talk about why the Internet can be so dangerous. I have my own opinions on the topic and I intend to share them. And, no, I don’t think the situation is hopeless, nor are the people involved. But, there are major challenges. What do you think is the greatest challenge?
April 17th, 2009 at 2:01 am
I think “The Problem” may be broken down into a technical and a social part.
The technical part consists of issues that average users may not be able to easily resolve. For example:
*) OS vendors and/or system integrators that ship products without enabling “high” levels of security by default. In the worst cases, security features required to protect the system may not even be included.
*) Application providers that do not preconfigure their default settings to the most secure values. In some cases, the product is configured to make the initial setup as fast as possible – to get things running – and the assumption is that “savvy” users will establish their own security settings. In a well-known case, Microsoft didn’t even enable by default its own (rather limited) firewall until a few years beyond the initial XP release.
*) Tech support staff are interested in getting customers’ problems solved, and often that involves taking security shortcuts that introduce dangers unknown to the non-specialist.
The “bigger” problem is more social and historical in nature: Some people are always trying to exploit more trusting, sometimes naive, people, and the Internet provides a near perfect medium for that. The “exploiter” can potentially be anywhere on earth. And there are hundreds of millions, perhaps even billions, of people who are online. In other words, the Internet is an ideal environment for fraud, and fraud and deceit are as old as civilization.
April 17th, 2009 at 3:49 am
Nice! Looking forward to hearing what you have to say.
Mark
April 17th, 2009 at 4:01 am
Thanks, Mark! Don’t be shy about sharing your thoughts with us…
April 17th, 2009 at 4:10 am
Hey, Ric! Thanks for dropping by. Your comment embodies so many things we need to discuss and deal with: Lack of incentives for software publishers; low levels of computer literacy among users; and plain old crime over a relatively new channel.
April 17th, 2009 at 6:51 am
Kip,
I think this is a great idea, can I share with some of the guys here at work (if they’re interested)? My most immediate question right now would be: I’ve been using AVG free anti-virus for years, and they’ve canceled their service. Who would you recommend for internet and e-mail security? We use McAfee here at work, but it seems to slow everything down.
Have a great day.
Mark
April 17th, 2009 at 11:27 am
I think it is overwhelming for anyone who doesn’t at least “dabble” in IT to try to keep up with the security of technology. One thing I worry about is how easy it is for people to get info out of your cell phones.
A friend of mine had her CC and banking info stolen at an Internet cafe in South Africa last year. She thought something about the guy across from her seemed funny, but by the time she thought to check her accounts her checking account had been cleaned out completely. She never recovered the $7000.
April 17th, 2009 at 2:53 pm
Hello, Mark! Please share my blog with anyone who you think would read it. As for AVG, my sources say it’s still available free for personal use. Why do you believe it’s not anymore?
April 17th, 2009 at 2:59 pm
Carey, I wonder how much “dabbling” does someone have to do to keep up with Internet security? It would be great to be able to answer that question. As for cell phones, they are the new “on ramp” to the Internet; that trend is especially strong in the third-world nations where the cost of a PC is too high, but a phone isn’t. As for Internet cafes and online banking, they just don’t go together, EVER!
April 17th, 2009 at 3:56 pm
In theory (i.e., in my ideal world), securing a home computer should be no harder or more complex than protecting one’s home: Lock the doors and windows when you go out, don’t let in strangers. Maybe get an alarm system.
But for most PC-based home computers, users need to enable or adjust the firewall, install/update anti-virus software, do something about spyware, adware and Spam, plus manually or automatically back up all their critical files. No wonder cloud computing and web-based OSes are starting to catch on: Keep the home system dirt simple, and outsource everything else, including security.
I’m not saying that this is the direction home computing will go, at least not in any hurry. But until/unless it does, I don’t see any way for Joe Average to handle all the security details on his own. Perhaps the best we can hope for is that he gets more cautious about social engineering, and learns not to trust every popup that appears.
One of the bottom lines is this: Any system that allows end users to install and/or reconfigure software using system/administrative privilege(s) can be turned against that user. And should that happen, it may well take some technical expertise to repair it.
April 18th, 2009 at 6:35 am
Kip,
You’re right, AVG just upgraded. I’ve been getting a notification for the last month that the service was being disabled. I guess it was a sales pitch.
Thanks and have a great day,
April 21st, 2009 at 10:43 pm
Ric, I’ve thought about your comment over the past few days. I like the simplicity of your vision and would like it to match our reality some day. What I’d like us to focus on right now, though, is today’s landscape. Considering both technical and non-technical possibilities, what is the minimum security baseline for average Internet users right now?
April 22nd, 2009 at 5:30 pm
While MSB is an important question (and many people reading this could come up with reasonable recommendations), the bigger questions are: 1) Whose responsibility is it to initially install/configure the various MSB components, 2) Whose responsibility is it to monitor the state of the MSB (to ensure it stays compliant), 3) Whose responsibility is it to detect and respond to attacks and compromises? 4) Whose responsibility is it to make sure that the entities of questions 1 – 3 are actually doing their jobs? [The "who will watch the watchers" issue.]
The answers to such questions would almost certainly include OS vendors, application vendors, system configurators (e.g., HP, Dell), and end-users (naive and misguided as they sometimes may be). One possibility would be to simply outsource this mess, down at the individual level. Many large organizations already outsource their IT and/or security operations to companies like CSC, Perot Systems, HP, BT (Counterpane), etc. In theory, a company (like Symantec) could offer such a service to end users. The problem is that it would almost certainly be uneconomic (i.e., too expensive for most users). What user, having spent $750 – $1000 for a PC system would want to spend a hundred dollars or more (per year, my estimate) to some third-party to have it monitored? And what’s the liability model? If a system is damaged, how much risk is the outsource company exposed to? $500? $5000? It’s a complex problem.
I wish I had a better answer, because ultimately, users have the most skin in the game. They are using complex, *configurable* systems that can, under some circumstances, be turned against them and others, perhaps through no fault of their own.
Eventually more robust systems will be developed, just like safer cars and airplanes were. It’s just going to take time, and in the meantime, users are at risk.
May 7th, 2009 at 8:00 pm
Kip,
Your last paragraph sums up my similar thoughts and feeling about the state of personal use of computers and the Internet. I agree that the situation is not hopeless. It is a matter of changing thoughts and habits. Although not easy, it can be done and with more people like you out there, slowly we all become better at recognizing the threats out there.
I am looking forward to more of your posts!
May 7th, 2009 at 11:03 pm
IDBlackBox, what experiences have you had changing people’s computing habits so they can better protect themselves?
May 8th, 2009 at 11:17 am
3 quick stories for you, although not all my success is 100% computer related, but 100% information security related.
Story 1 – after the TJ Maxx data breach, I have told everyone I know not to use a credit card in their store – pay cash. Last week, my wife was out with her parents at one of their stores. Right as they got into line, my mom-in-law proclaimed, “Oh, we can’t use CC here. Only cash!” So they tallied the cost of everything and made sure they had enough cash to pay for everything.
Story 2 – my next door neighbors put a computer out next to the side of the house. We know each other and say Hi, but we didn’t really hang out at the time. I secretly took the computer knowing the hard drive was probably in it. Took all the data off it and put it onto a DVD (LOTS of stuff on the drive). I then put the computer back, knocked on the door and handed them the hard drive and the DVD. They were shocked! The daughter was REALLY happy to get her stuff back as she thought she lost it all with the computer crashing. A couple of months later she brought over her laptop and had me fix everything. They now know never to leave a computer out like that.
Story 3 – actually, this one is on my blog – “Not All AntiVirus Programs Are Created Equal” so I won’t type it all here.
Overall, anyone that has me fix their computer, in the past I would give them a list of general guidelines of what to do and what not to do. My blog kind of derived from this as well. A reference point these kinds of people can go to after having their computer problems fixed by me.
Again, all I want them to realize is – be aware of what they are doing. If they don’t know, ask me and I will help to change their habits and way of thinking about computers and information security.
May 8th, 2009 at 12:42 pm
Thanks for sharing your experiences, IDBlackBox!