Today, I returned to work after some time off (trip to New Zealand, plus some medical recovery time). It’s good to be back sometimes, other than the place being nearly like a tomb, what with this being the interim period between Christmas and New Year’s and 50% of the people taking holidays.
Anyhow, I walked into the kitchen around noon and a couple of people greeted me, asking how I was doing. “Why, fine, thank-you,” I replied. Within the next couple of minutes, we were discussing some real life security stories.
When people find out what I do for a living – fight spam – I get two common reactions:
Today, one of my co-workers told me about (2) and how her mother was getting complaints from people in her address book that she was sending them spam. I can sympathize with that; I have had my Hotmail account hacked twice and my wife’s Gmail account has been hacked once. It took about ten seconds of hearing the problem from my co-worker to diagnose that her mother’s account had been hacked.
Here’s the problem: what are we supposed to tell my co-worker’s mother?
Another co-worker floated the idea that what he and his wife do is have two accounts – one that runs as an Administrator (on a Windows machine), and another that runs as User. The Admin has privileges to install software and is maintained by my more security minded co-worker, while the User account is for family. Whenever anyone needs to install a piece of software, the Admin user runs it. Otherwise, default action is to run as User.
That’s the model we use at work in order to maintain least privileged access to all the machines we have in production. It works because we know what we’re talking about. But if I were just a regular ham-and-egger, I wouldn’t be able to tell the difference between User and Administrator accounts. If I mentally run through the list of all of my less technically minded friends and family, not a single one of them would understand what I wrote in that paragraph above.
So what do we tell users?
My co-worker’s mother doesn’t have the technical skills to differentiate between elevated privileges, etc, and I am betting that 97% of the Internet population doesn’t, either. We talked about the need for strong passwords, but the futility of the random ones because nobody can remember 20-30 different passwords (I did bring up the point about using fast-words, that is, passwords that are phrases like thisismypassword). We talked about keeping software up-to-date, but I have seen a lot of people who are still on Firefox 3.6 and Internet Explorer 7.
Better security awareness is important, but how much should we, as security professionals, expect people to know? I couldn’t even tell someone how their account gets compromised. How did a hacker get their password? Did they click on a link in their spam? Do they have password reuse and a weaker site got compromised? And so forth.
When it comes right down to it, we have to make sure that security advice is simple and easy-to-follow. Here’s what I recommend at a minimum:
This was the basis of my presentation at this year’s Virus Bulletin conference, and I’ll get into a bit more detail in some future posts.