Terry Zink's Cyber Security Blog

Discussing Internet security in (mostly) plain English
Translate This Page
Common Tasks
Search Form
  • Advanced search options...
Tag Cloud
Monthly Archives
Archives

Does the computer security industry give good or realistic advice?

MSDN Blogs > Terry Zink's Cyber Security Blog > Does the computer security industry give good or realistic advice?

Does the computer security industry give good or realistic advice?

10 Oct 2010 2:40 PM
  • Comments 9

As a guy who works in the computer security industry, I am well aware of all the advice that we give.  Use different passwords at multiple sites that you login to.  Always install the latest software updates.  Run antivirus programs.  And for heaven’s sake, don’t click on any links in spam!  We sometimes get frustrated at the inexperience level of our general user base.  I actually back off on this because to most people who aren’t geeks, a computer is just a tool you use to check email, browse the web and talk to friends.  You aren’t really using it to do a lot of in-depth stuff.  Most people have better things to do like watch football on TV, go out with friends take walks in the park.  It’s no surprise they don’t understand the finer points of security anymore than I personally understand the finer points of the medical profession, or health care industry, or chemicals industry.  When I go to the store and buy a cleaning product, I’m vaguely aware that it’s kind of dangerous and shouldn’t be inhaled.  I don’t read all of the labels to see the chemicals involved in the product and then do a synopsis of whether or not I am allergic to each one.  Similarly, I’m vaguely aware that in order to maintain my weight I need to consume only as many calories as I burn.  I don’t really know much about omega fats, unsaturated fats, good and bad cholesterol, what my iron levels are, what amount of sodium and potassium I need every day, and so forth.  I just know to not eat sugary foods, eat enough fruits and vegetables, and exercise.  In other words, my knowledge is very limited compared to what a nutritionist would know.

To that end, my girlfriend and I were out the other night and I decided to test out what she knows about computer security.  I figured I was going to use her as a bellwether for the advice and education that we as an industry give out.  My girlfriend is not particularly techie; she uses a web browser to check her email and regularly checks travel sites, searching for deals for her next trip out-of-town.  She also browses one or two discussion forums.  That’s mostly, though not completely, what she uses a computer for – keeping in touch with a small set of interests.  She is not the type of person that has embraced the digital lifestyle (something that the computer industry keeps telling us will happen but is always 5 years out).  In my view, my girlfriend is far more representative of the average computer user than I am.  Thus, anything that she did or didn’t know is likely to be more or less in sync with the rest of the Internet population.  This, of course, is not a completely representative test because I am sampling one person whereas a true test requires a random sampling of 500 to 1000 users.  Still, I figured this was a good way to see how good our advice is.

I asked her a few questions.:

  • Do you know what a ‘bot’ is?  She answered no. 

  • What about a 'botnet’?  Again, no. 

  • Do you know what a ‘virus’ is?  She answered yes.  What is it?  It’s a program that makes your computer do all sorts of weird things.

  • Do you know what the term ‘malware’ means?  She answered no.  I explained that malware was a term that combined two others – malicious software.  But note what is happening here and how user education is lagging industry reality.  My girlfriend understood what a virus was – it made your computer do weird things.  This means that to the average user, you can tell if your computer is infected with a virus because it starts acting abnormally; the signs are obvious.  This used to be true in the early days of computer viruses when people would write them and get your computer shut down with weird messages or do odd things like play a sound when you typed a keystroke.

    Today, “viruses” are designed to hide from the end user.  Everything should appear normal and operations are transparent to the user on the machine which is infected.  Is it possible that we as an industry are doing a bad job at communicating the message that viruses are no longer obvious, they are hidden?  15-20 years ago, most users probably wouldn’t even know what a virus was and now they do, so progress has definitely been made on that front.  However, over the past 5 years the problem has evolved and education is still lagging.  For sure, in conferences where I go to, and in interviews of professionals, they mention that today’s threats are subtle, not obvious.  So, we get it.  But the general population does not.  We are not doing a good job at updating the message that viruses is the term we used to use, and malware is the new term and the symptoms are less obvious to people.  People will eventually start to learn this information but the lag time is dangerously long.

    If the general population doesn’t understand the new threat landscape, whose fault is that?  If I don’t understand the finer peculiarities and nuances to my health, that’s because I have a lot of stuff to do on a daily basis and in order to catch my attention, you have to drill the message into me.  If people do not understand what malware today is and what it does, then we need to look at how we are packaging the message.

  • Do you regularly apply security updates?  She answered yes, when the notifications pop up in the corner.  She is referring to Windows/Microsoft Updates and the Adobe update pop ups.  In that regards, the industry has made great progress in simplifying or automating the update process.  Unfortunately, not every piece of software out there does this automatically.  I then asked her if she does it right away, or sometimes waits a while.  She replied that sometimes she waits a while.  I smirked.  She then explained that she is doing stuff on the computer and doesn’t want to be interrupted.  What she means is that updates can sometimes take up a lot of processing time, but they also force you to restart the computer many times.  And nobody wants to restart their computer and start all over what they were just doing.  Rebooting can take several minutes and upon booting up can take just as long, it’s a bit of a pain, really.  We, as a society, want things done quickly and we don’t want to be interrupted.  I’m not sure how to get around this obstacle.

  • Do you use different passwords at different sites?  She kind of thought things through, and then answered “kind of” (I am paraphrasing).  She says that she doesn’t want to write them down, so she needs something that is easy to remember.  Because of this, she pretty much defaults to using a couple of different passwords at multiple sites.  Luckily, she uses a different one for the financial websites she uses.  But, she also said that the sites she logs into irregularly are prone to her forgetting the password.  So, that’s why she reuses the passwords, because there are so many she could possibly use but would never remember them and forever be resetting them.

    In my view, the advice “Use different passwords with upper and lower case letters, non-numerics… and different ones for each site” is some of the worst advice that the security industry gives precisely for this reason that my girlfriend gave.  I have the same problem.  There’s no way we can possibly remember so many different passwords with random characters (in order to increase their strength).  People forget them and so we use heuristics – mental shortcuts – to better facilitate cognitive processing.  One of those heuristics is password reuse.  Since we are insulated from attack most of the time, to most people the threat seems mostly benign.

    The trick that some people use is to have a standard password and then some sort of identifier with the web site you are logging into.  Perhaps you use a phone number, a dash and then the name of the site as the password you use.  This guarantees uniqueness of password.  Unfortunately, one of the problems I have encountered is that different sites enforce different password policies.  I have done this trick, but some web sites force me to not use my special character (in this case, a dash [which is not something I actually use]).  I can only use upper and lower case letters and numbers.  Some force me to use at least one capital letter.  Some have restrictions on the length of the password, meaning that my algorithm for figuring out the password has been broken.  The net result is that some web sites have idiosyncrasies that I can never remember… and forces me to end up resetting the password every time.  I find this particularly frustrating.  Why can’t there be a general set of password guidelines that web sites can follow such that they allow users to be consistent among them?  Without it, users revert back to insecure things like using the same username and password combination at every site.  We then complain that they shouldn’t do this… but then again, we forced them into it.

I think I asked a couple of more questions but that’s all I can remember.  As an industry, we are okay at getting our message out, but I think we also trip over a few things that need improvement.

Leave a Comment
  • Please add 4 and 8 and type the answer here:
  • Post
Comments
  • sherlock
    11 Oct 2010 12:00 AM

    nice one tzink

  • VM
    11 Oct 2010 12:24 AM

    Ever heard of password managers ?

  • dp
    11 Oct 2010 6:22 AM

    I started using the fingerprint reader on my laptop to track my passwords - i could create whatever was required for each site, different passwords, usernames, etc.  However, the first time i tried to log into even some of these sites on a different computer - well, you can guess the result.  People will resort to that which is easiest to remember and perform, even if it is not always in their best interest.  

  • David
    11 Oct 2010 6:33 AM

    I'm starting to wonder if strong passwords are important at all.  Given unlimited tries, cracking programs can break the strongest passwords I can actually remember or type reliably.  Given limited tries, even a moderately weak password is plenty of security.

  • mf55
    11 Oct 2010 7:40 AM

    Popularizing the term "malware" is better than trying to differential between viruses, worms, spyware, etc., for the end user. Unfortunately, there is not one software package that is a solution to everything.

    I share your frustration with password rules differing between sites. So I use tools like password safes or browser password storage. Yet I see little about the pros and cons of these tools written about in the industry.

    Ease of use is big for getting users to comply. Yet this is where weaknesses lie that malware will use.

  • Joe
    11 Oct 2010 12:16 PM

    I agree that the computer security industry has not done enough to move forward the average user in thier abilitites to identify security threats.  Education is the only way to do this, however the trick lies in the who, what, how, when, where, and why of things.

    Who do we train?  Is it our co-workers, our family, friends or only those who could be at the highest risk levels?

    What do we train them in?  Should it be when to update, how to maintain safe passwords (mf55 by the way I can get all of your passwords out of the browser storage without any trouble.. stick to the password storage tooos such as keysafe).

    How do we train?  Should there be public service announcements, special classes during the workday, an afternoon of training at home.

    When do we train?  Is highschool too late or should it start in middle or grade school?  Do we offer training during the day at work or special classes after hours?

    Where do we train?  Goes hand in hand with how and when.

    Why do we train?  Well this is answered by the author of the article to some degree.  SImply because our average users are not well trained enough.

  • Baffled
    11 Oct 2010 1:51 PM

    Can't agree more about the passwords issue. Particularly frustrating are companies whose policy makes you change your password every 30 days - that means every user has to now remember 11 more passwords each year than necessary, thereby hugely increasing the likelihood that they will get written down - especially for casual users - or somehow turned into a guessable sequence.

  • 11 Oct 2010 8:27 PM

    You should probably clarify on your algorithm example.  You're making it sound like it's a good idea to build a password out of something like a phone number plus the website's name.  While this guarantees uniqueness, it does nothing to protect you if even one of your passwords is compromised.  If your Facebook password is "5551212-Facebook" and is compromised, then you can bet that the attacker will be trying "5551212-PayPal", "5551212-Google", "5551212-BankOfAmerica", etc.  At that point, it's even worse than using the same password everywhere, because you're literally telling people that you have a system that you use multiple places, and giving them the password to all of your accounts.

    KeePass or similar password managers are really the way to go.

  • Me, mysel f and I
    11 Oct 2010 8:55 PM

    Your girlfriend doesn't play games     on her computer,    you say. Why don't you try to get her to use Linux? IMO, this would address two of the  security issues described above: updates being sometimes delayed    in order to delay rebooting, and regular updates to the antivirus program. Only kernel updates  get  you to reboot Linux, and anyway, the boot time for the latest Ubuntu/Kubuntu is below  30 seconds from power on until after login. Besides, a properly configured Kubuntu looks even  better than W7,   which is something     your girlfriend    would probably like. As for malware, I don't know of any botnet infecting Linux, or any Linux virus  in the wild.

Page 1 of 1 (9 items)