We've Won the Battle -- Users Make It Impossible to Win the War
As a security professional, you realize that security is a process, it's a state of mind, and it's a continuous technological game of cat and mouse against the bad guys. In many ways, the situation is no different than that we encounter in medicine. There is a constant race between pharmaceutical companies and bacteria and viruses. Each time a new antibiotic or antiviral agent is developed, the bacteria or virus is able to defeat it by mutating to a strain that is resistant to the antibiotic or antiviral agent. The pharmaceutical companies then need to come up with a new drug to combat the mutated strains. This has been going on since penicillin was discovered and will continue until the end of time.
However, we have reached at least a dynamic balance, and for the most part, the battle against infection has been won. Sure, you read about high profile cases of Methicillin resistant Staph Aureus (MRSA), but the actual number of cases are infinitesimal. HIV is a bigger problem, but I believe that we'll win that battle too. However, we'll likely never win the war.
I believe that we have the same situation in the computer security scene. We have a wide variety of technologies that can be deployed at every level that can help us defeat the bad guys. The bad guys come up with a new worm or virus or trojan, our technologies are updated to defeat it. We're in a state similar to that in medicine now, where we have a dynamic balance indicating that we've won the battle against the bad guys. However, in the same way that we've won the battle against infection, we'll likely never win the war.
Why? Users. Look at the HIV situation. It's really easy to not get HIV if you adjust your behavior (let's exclude the unusual cases, such as blood transfusion). It's really not to get a virus, trojan, bot, or not to lose information due to a phishing or other social engineer scheme -- just change the user's behavior.
Users still click on links from untrusted individuals, they still go to Web sites that they should not go to, they still download programs and applications from untrusted sources, they still enter personally identifiable information on phishing sites, and they still open email attachments. They still do all the things they were doing ten years ago, and they're even doing it in greater numbers and more often.
If you look at the major security incidents in the last three years, you'll see something interesting. The incidents didn't take place because there weren't enough firewalls in place, they didn't take place because there wasn't enough AV or AM software installed, they didn't take place because of lack of perimeterization, and they didn't take place because of a lack of an SSL VPN.
They almost all took place because the user did something unwise from a security point of view.
We will never get close to winning the war if we don't require that users meet minimum knowledge requirements for using a networked computer. In the past there were discussions of an "Internet Drivers License" and at the time I thought the idea was ridiculous. It just goes to show that I'm wrong more often than right, because the Internet Drivers License concept is probably the only thing that will get us close to winning the war against bad guys.
I therefore propose that no user should be allowed to work on a networked computer without passing a test and requalifying ever year. The test would show that the user can tell the difference between a real email message and a scam message, that the user can tell what a safe Web site is from an unsafe site, that the user doesn't open email attachments from untrusted users, and can tell whether or not an attachment from trusted users is safe, and that the user is able to recognize a number of social engineering exploits.
This solution won't be a panacea, but it will be a major step in the right direction. Will it ever happen? I think so. Governments from all over the world are increasingly insinuating themselves in the personal lives of their citizens, and a national security argument can definitely be made for this type of requirement.
What do you think?
Thomas W Shinder, M.D.
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: [email protected]
MVP - Microsoft Firewalls (ISA)