Enabling Better Trust Decisions
- In the “Establishing End to End Trust” whitepaper Scott Charney discusses how a lack of accountability on the Internet ultimately makes it very difficult for users to make reasonable trust decisions (page 8, last paragraph).
Of course, there is plenty of data that supports the idea that sub-optimal trust decisions are being made all the time. For example, in the latest Microsoft Security Intelligence Report, one related data point that supports this is the explosive, persistent growth of the threat known as Zlob. Win32/Zlob spreads primarily through social engineering. It typically poses as a media codec a user must download to watch video content downloaded or streamed from the Internet. Once installed on the target computer, Zlob bombards the user with pop-up advertisements and fake “spyware warnings” that are actually advertisements for rogue security software. Since the first half of 2007, Win32/Zlob has been the malware family most detected by Microsoft products by a wide margin. In the first half of 2008, it was removed from more than twice as many computers worldwide as the second most prevalent family (8+ million compared to 3+ million).
There are many other examples of threats that are very successful at using social engineering tactics. Prior to having the trusted stack as Scott outlines in the paper, and in the case of Zlob, where the user chooses to download and install a media codec, which typically involves accepting several prompts/warnings, what other information/data/warnings, etc. do you think would be more effective in warning and protecting users from such threats? Are more visual clues really going to be successful, or is user education the essential ingredient that will ultimately work? I.e., what does the industry have to do to enable better trust decisions in the short term?
- Hi Tim - Below are some brief ideas:
>> what other information/data/warnings, etc do you think would be more effective in warning and protecting users from such threats?
Users need to be both taught and discouraged from falling into social engineering traps. While corporate users have that in their best interest, home users may not. Yet as an incentive, the home user should recognize they can spend hours trying to remove malware and to get back to where they were before they clicked on that dangerous web link or file.
Companies need good corporate policies and guidelines. For example, a strong business use policy will discourage folks from going to P2P or inappropriate sites. Users need to be encouraged in a positive way when it comes to security. A robust Intranet site containing all security policies, best practices, alerts, and other factors will help. If users learn to protect their home systems the same way as work, they may listen more as it personally benefits them.
>> Are more visual clues really going to be successful or is user education the essential ingredient that will ultimately work?
Companies need to actively invest more in the area of "security awareness". Security consists of two primary defenses:
1. Best Technical Safeguards
2. The Human Side - Best Practices and Security Awareness
Often, companies don't want to involve the users due to bad past experiences or they can't learn. While you can't reach everyone, MOST users can be taught the basics and it's even a good investment given the expense/liability of corporate data leaking out to unauthorized users.
As I learned in one of my formal security classes, SECURITY = SEC-U-R-IT-Y or "You are it". This means everyone from the janitor to the CEO plays a role in safeguarding the company's informational and intellectual property assets. Security education needs to be a continuous process.
>> what does the industry have to do to enable better trust decisions in the short term?
The industry needs to quickly promote the dangers and alert companies. For example, when a new threat like Conficker emerges, companies need to take the time to evaluate the nature of the risk and the best way of mitigating it. An ounce of prevention is worth a pound of cure. There are numerous blogs and resources that promote safety or the latest dangers.
Secondly, the industry needs to go after and stop the bad guys if they can. It's difficult in the context of international laws and the free nature of the Internet (which is not heavily policed). Still, when spammers or malware authors are caught it can discourage others from getting involved in launching these attacks.
Harry Waldron, Microsoft MVP - Enterprise Security
- Perhaps Microsoft could utilise the dual purpose of .NET code's ability to run as... let's say VB and as a binary. How long before that becomes a liability?
As Mr Waldron suggests, it wouldn't hurt to emphasize and reinforce security as a problem, but I recall setting up an educational institution on IPX/SPX, developing an MD5 checksum and virus scanner for students bringing files into the school's workstations, only to still have to do clean-ups for known malware and a few collected zero-days that are still zero-days today (Wolfgang variant). The only security that works is when it is socially reinforced or tagged for ownership and responsibility. With the economy, several cases have come to light where, for example, a sysadmin trained his H-1B only to be laid off once the fellow became proficient (to the analysis of the businesscrates). He parlayed his knowledge to whoever would listen. This is not a good business strategy and almost cries out for a lifeguard action.
Pappkartoosh
Just another speck in a Fibonacci sequence of stars about to be reordered by Andromeda