Computerworld - I can't stop thinking about my experience last month when I had to reload Windows XP for a friend. It makes me think we need to reconsider how we in the security world have failed the consumer. Should it really be necessary for a consumer to be a security expert to safely use a computer?
That seems to be our message. "You should have known not to click that link," we say. "Why would you trust that that e-mail actually came from your mother?" We get disgusted that users keep falling for old tricks. But what are we doing to actually help these people?
We should start by better understanding the misconceptions about e-mail and Web site safety that pervade the user base. For example:
If an e-mail looks authentic, it is safe. We seem to believe that every user should be as jaded as we are. After all, spam mail, phishing attacks and all the rest have been around for years, right? We techies aren't surprised when the attacks appear to be legitimate emails. Why do users not suspect everything the way we do? We expect deception in cyberspace to be as common as it is in nature. But we shouldn't forget that a suspicious nature, so beneficial in our profession, isn't necessarily helpful to the work our users do. Instead, we are surprised -- indeed, amused -- when our well-intended users respond to an attack. And yet, really, when one of my family members last week got caught up in the wave of fake Amazon cancellation notices, what did he do that was so wrong? He responded to a message that looked legit to him, especially since he had just placed an order with Amazon.
This e-mail came from someone I know, so I know it's safe. Again, as security pros, we are aghast that anyone could not be aware that spammers and other e-mail attackers have for years been sending out their attacks with forged "From:" addresses. We understand the mechanisms that allow the bad guys to pose as our friends. And even my friends and family members who are not very computer savvy realize that I would not contact them trying to sell black-market Viagra. But sometimes the sender and the message converge, as they did for the family member who had just placed an order on Amazon, and so they respond. "How could that e-mail not be from Aunt Lucy?" they want to know. I always tell them that e-mail messages, like postal envelopes, can be trivially made to contain any "From:" address the sender chooses to use.
If a friend on Facebook or Twitter posts a link, it's safe. As Facebook and Twitter have risen in popularity, a community of attackers has come along for the ride. These are the same people who have been sending spams and scams over the years, and they are now targeting our social networks. By using various Web application attacks like cross-site scripting (XSS), messages can be posted that look like they are from your friends. They are not legitimate, but they look like they are. (Are you seeing a trend here? Deception works
If I merely view a message, without clicking on any attachments or links, I'm safe. Sometimes even naïve users know that a message doesn't pass the "sniff" test, but they figure there's no harm in viewing it just to be sure. Well, there are several ways an attacker can send e-mail attacks without requiring the victim to click on a link (including HTML IMG or IFRAME tags, combined with a reflected XSS on a vulnerable site). Many of these techniques can be just as dangerous as clicking on an executable file attachment. Again I have to ask, Why do we expect users to know this?
If I go to the URL, but don't do anything while I'm there, I'm OK. Taken one step further, what's the danger in following a URL if you don't actually do anything on the offending site? The answer is plenty. But are users at fault for making the assumption?
If my browser displays the locked padlock, then the site is secure. We've been telling people to use SSL for years, right? Are we now saying that an SSL-encrypted site isn't necessarily safe or secure? Of course we are. Think about the message we send users when we tell them things like that.
None of these user actions is unreasonable, from their perspective. We techies need to recognize that even our most well-intended users will do these things from time to time without knowing any better. They'll do them not because they are stupid, but because they just don't share the security techie knowledge that we have. And they shouldn't need to!
Solving application issues over the WAN requires careful consideration. Based on their independent research, Forrester Consulting offers recommendations on how to tackle application performance issues, insufficient bandwidth and the inability to quickly restore users in a disaster.
Security is not an option. This KnowledgeVault Series offers professional advice how to be proactive in the fight against cybercrimes and multi-layered security threats; how to adopt a holistic approach to protecting and managing data; and how to hire a qualified security assessor. Make security your Number 1 priority.
New IP-based communications systems are being deployed by small and midsized businesses at a rapid rate. Learn how these organizations are enabling faster responsiveness, creating better customer experiences, speeding office or mobile interactions, and dramatically reducing existing communications costs.
Custom malware frequently goes undetected. According to Forrester Research, the best way to reduce risk of breach is to deploy file integrity monitoring...
Streamline, simplify, and automate compliance related activities; especially those that impact multiple business units. This white paper from NetIQ, outlines solutions that will...
Join guest speaker, Rohit Mehra, IDC Director of Enterprise Communications Infrastructure, to explore current trends, discuss best practices for optimizing Data Center and...
Download this webcast to learn about the design considerations for virtualizing SQL workloads, performance and scalability information and high-availability options, as well as...
Download this webcast to learn the virtual hardware design considerations for Exchange 2010, deployment using the building block approach, options for high-availability and...
Virtualizing business-critical applications has become a key focus for organizations as they move along their virtualization journey. With the launch of VMware vSphere®...
Free Insider Guide