Herley argues that most security advice offers users a poor cost-benefit tradeoff, which is why they reject it. He gives an economic analysis of three well-known pieces of advice: password rules, spotting phishing sites by reading URLs, and heeding certificate errors. In each case, he argues, users judge the effort of complying with the best practice to be more onerous than the actual risk of being compromised.
In his conclusion, Herley says that "users are never offered security, either on its own or as an alternative to anything else. They are offered long, complex and growing sets of advice, mandates, policy updates and tips. These sometimes carry vague and tentative suggestions of reduced risk, never security."
This made me think about the practice of cyber security today. I can open any book in my library on information security and find the same recommendations that appear in any company's security policies. Yet we still have problems with rootkits and phishing. We push our developers and vendors to deliver solutions with sound security built in, but what we get is still less than optimal from a security standpoint.
There are the OWASP Top 10 lists for 2004 and 2007 and the 2010 release candidate, and cross-site scripting, injection, and broken authentication appear on every one of them. The PCI Security Standards Council publishes plenty of best-practice advice, yet we still see spectacular failures such as the Heartland Payment Systems breach. Is it that no one cares? Or is the effort of complying greater than the cost of the incident?
I agree with Herley's assessment. Take password complexity. If the number of passwords we need is small (one to three), it may not be a burden. But we access many websites that require credentials, and as the number grows, the effort (cost) of remembering multiple hard passwords becomes far greater than the risk of compromise as the user perceives it. And if a keylogger is involved, all the effort spent on complexity is wasted: the password is captured as it is typed, however strong it is.
What, exactly, is the risk? Are we talking about a corporate financial system, or a website for photos from the family reunion? The difference is compromised photos of Uncle Joe versus a compromised strategic enterprise system, with the latter possibly leading to termination of employment.
And what is the impact? Look at the number of botted machines on the 'Net. Their owners generally don't know they are botted, and they experience no loss beyond a poorly performing PC. According to a report in the Boston Globe, a review of TJX's compliance with the PCI Security Standards found that the company met only three of the 12 requirements. The Electronic Transactions Association noted that TJX was aware of these deficiencies in 2004 and took no action to correct them. My guess is that the cost-benefit tradeoff was acceptable to TJX at the time. They probably have a different opinion today.
We as cyber-security professionals must be cognizant of real risks when we give advice or make policy, and we must communicate the real risk clearly, by some means other than FUD. Users have an idea of what level of risk they are willing to assume. If the risk is too much for them, they will comply.
— Bruce Kaalund is the cyber security group leader for a large telecommunications company.
I agree with your view, Mike, that it is an OS problem. I like your clear outline of the different elements and their associated impact!
I think the major OSes should post a security level built into their system so that consumers and corporate purchasers can assess the tools, filters, and security shields that are part of the OS. I think the end user will then be better able to assess and manage their risk.
Ira, I want to live in this perfect world of yours... really. There was just a local escalation vulnerability disclosed that affects EVERY MS operating system since NT 3.1. How are ANY of those 8,000,000 users supposed to do anything about that?
The VENDORS have to react and post patches (I can count the out-of-band patches on one hand). Timely is not in their vocabulary.
What does everyone in your perfect world do while they wait for the problem(s) to be fixed?
Security IS an OS issue, and the prevalent OS of the day is some flavor of MS.
Before everyone starts FLAMING, just realize that there is a 17-year-old zero-day announced today that affects every OS from NT 3.1 on that will allow access to the coveted ring 0.
As long as the industry continues to try to patch things in the application boxes, the security problem will continue..... do { hack hack fix fix hack hack fix fix } while(1);
Why? Because there is no limit to the amount of application code out there. You execute tons of it every time you use your web browser: each web page IS an application program; your browser runs them for you... Excel documents may contain executable macros, and nobody knows what e-mail contains...
The O/S, on the other hand, is finite.
Consider the following illustration.
You have two types of software running in your computer:
O/S
Application
Your O/S runs in RING0 and has control of your machine.
Your application software runs in RING3 and is not allowed to:
initiate I/O
allocate memory
access memory of the wrong color, i.e. memory that has not been allocated to it by the o/s
I remember like yesterday when we transitioned from the 1401 to System/360.
The Autocoder programmers were hunting through the assembler manual looking for the instruction to read a card.
It wasn't there, because we all had to ask the operating system to read that card for us.
This was culture shock.
Folks that grew up on PCs still don't "get it"; they view the machine as monolithic -- like the 1401 Autocoder programmer.
It ain't; it's like the System/360 and has been since Intel put security into the 80386 -- although MSFT didn't take any action on this until XP SP2, Aug. 2004 (yuk).
What does all this mean?
A secure operating system does not allow an application program to run; it only simulates what would happen if that program were allowed to run. The application must make all requests for I/O and memory access via the O/S. Each request is checked to make sure the requestor has the proper permissions. If an application program tries an actual I/O command on its own instead of making a system call*1 -- or attempts to access memory that has not been allocated to it (wrong storage protect key, "color")*1 -- or asks for a read or write of an area it does not have permission for*2 -- it will be ABENDed and DUMPED.
What this means: it absolutely does not matter what is in that attack program in the above illustration; it isn't going to be allowed to do anything anyway.
The O/S monitors application program behavior -- not its programming.
The implications are enormous: only the O/S code needs to be of TRUSTED quality; it doesn't matter what is in the application code.
And if you are going to read web pages you have to have this kind of system; nothing less will do: you will get infected.
Privilege Escalation
Here is where UAC still gets into trouble.
IF the attack program is permitted privilege escalation, then it can use ordinary system calls to update the victim O/S.
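As an added illustration (written for this edit, not part of the commenter's post or any vendor's code), the C program below shows what "the O/S monitors application program behavior" looks like on a modern Unix-like host. The process maps a page it has no permission to use and tries to read it, and on x86 it tries a port I/O instruction directly instead of asking the kernel. In both cases the CPU traps to ring 0 and the kernel, not the program, decides the outcome: it delivers a fault signal whose default action is to abort the process and dump core, the modern ABEND and DUMP. The program only installs handlers so it can report the refusal instead of dying. Assumptions: a Linux or macOS host (the fault arrives as SIGSEGV on Linux, SIGBUS on macOS for the memory case), no I/O privilege granted to the process, and port 0x80 (the POST diagnostic port) as a harmless target; the function names are the author's own.

```c
/* Added example: ring-3 code cannot do I/O or touch memory it was not given.
 * Assumes a Unix-like host (Linux/macOS). Build: cc -O2 -o ring3 ring3.c */
#define _DEFAULT_SOURCE
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf trap_env;               /* where to resume after a fault */
static volatile sig_atomic_t trap_signo;  /* which signal the kernel sent */

static void on_trap(int signo) {
    trap_signo = signo;
    siglongjmp(trap_env, 1);              /* back out of the faulting instruction */
}

/* Catch the faults a ring-3 transgression produces: SIGSEGV for a protection
 * fault on Linux, SIGBUS for the same on macOS, SIGILL if the CPU rejects the
 * instruction outright. The default action for all three is abort + core dump. */
static void install_handlers(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_trap;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, NULL);
    sigaction(SIGBUS, &sa, NULL);
    sigaction(SIGILL, &sa, NULL);
}

/* Touch a page the process has not been granted (mapped PROT_NONE, i.e. the
 * "wrong colour"). Returns the signal the OS delivered, 0 if the read went
 * through, -1 if the page could not be set up. */
int touch_unowned_page(void) {
    long pagesz = sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, (size_t)pagesz, PROT_NONE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    install_handlers();
    trap_signo = 0;
    if (sigsetjmp(trap_env, 1) == 0) {
        volatile unsigned char v = page[0];  /* faults here: not ours to read */
        (void)v;
    }
    munmap(page, (size_t)pagesz);
    return (int)trap_signo;
}

/* Try a port I/O instruction directly instead of making a system call. On x86
 * OUT is privileged in ring 3 unless the kernel granted I/O privilege, so the
 * CPU raises #GP and the kernel delivers SIGSEGV. Returns the signal, 0 if the
 * instruction was allowed, -2 on architectures without port I/O. */
int attempt_port_io(void) {
#if defined(__x86_64__) || defined(__i386__)
    install_handlers();
    trap_signo = 0;
    if (sigsetjmp(trap_env, 1) == 0) {
        /* outb %al, $0x80: POST diagnostic port, harmless even if it went through */
        __asm__ volatile ("outb %0, %1"
                          : : "a"((unsigned char)0), "Nd"((unsigned short)0x80));
    }
    return (int)trap_signo;
#else
    return -2;
#endif
}

/* 1 if the kernel refused the access, 0 if it was allowed. */
int access_was_refused(int result) {
    return result == SIGSEGV || result == SIGBUS || result == SIGILL;
}

int main(void) {
    int r = touch_unowned_page();
    printf("unowned page read: %s (signal %d)\n",
           access_was_refused(r) ? "refused by kernel" : "allowed", r);
    r = attempt_port_io();
    if (r == -2)
        printf("port I/O: not applicable on this architecture\n");
    else
        printf("port I/O: %s (signal %d)\n",
               access_was_refused(r) ? "refused by kernel" : "allowed", r);
    return 0;
}
```

The point the program makes is the commenter's: nothing in it inspects what the "attack" code contains. The hardware raises the trap on the first disallowed action, and the kernel's policy (here, a fatal signal) is applied regardless of the program's intent. Remove the signal handlers and the process simply dies with a core file, which is also why the privilege-escalation caveat above matters: a process that has been granted ring-0 access, or I/O privilege, no longer hits these traps at all.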
All of your malware defenses are reactive; people have to get hit....
Once malware is exposed, the industry fixes the holes and makes the patches. If you are in the unlucky 1 or 2 percent that gets hit before the patch or update is distro'd, then you're hit.
Going back to the automobile analogies, how many people get killed before the NHTSA forces a recall? Comforting if you're one of the ones killed.
Studies by both CERT and DISA have shown that just about all successful attacks could have been prevented by the timely application of vendor patches and proper configuration of computer systems. Information on both is widely available. With the extremely rare exception of zero-day attacks, which get more press than their actual incidence warrants, all attacks are preventable.
Look at some of the most prolific attacks we have experienced, and they all should have been non-events. Blaster, Slammer, Sasser, Conficker, Code Red, Nimda, etc. were all completely preventable with months-old updates, and yet they caused billions of dollars of damage. We are still seeing Conficker spread. This should be unacceptable, and this whole "poor user" attitude does nothing but encourage continued negligence.
smk: "{snip}... On the positive, it prevents malicious code."
Nothing of the sort is intended: such is unattainable.
What is attainable is making the O/S control the behavior of application code, and that is how you get security.
In a properly secured computer no effort is made to control the content of an application program: it isn't necessary. Instead we control the activity of the application program.
A web page is an application program.
I absolutely do not care what you put in your web page.
What I am concerned with is what your web page tries to do.
I cannot imagine any attempt at controlling web page or application program content.
But the method of controlling what a web page or application program is allowed to do is known.
Now, if this is a human-interaction discussion, this is very important, because what humans can or cannot do -- or what they do and don't do -- directs what is required with respect to security in an O/S.
That is the most inane, unsubstantiated, and unsubstantiatable claim I have EVER heard. 99% might be preventable by an EXTREMELY cautious and paranoid security professional, but NOT by any normal business or home user.
I'm not quite sure I follow where you're going with this. I thought this was a more high level discussion of human behaviour in regards to security, computers and the Internet.
If you're talking about business being forced to adopt greater security, I can certainly see that happening.
If you're talking about changing the way consumer products work... that'd be an interesting proposed solution. If all consumer machines are required to work with specific networks which have built-in security compromise checks, I can see a gradual model shift.
This security model would naturally restrict many of the freedoms that made the 'Net so attractive in the first place. You would be restricted to a network of pages which are either directly approved by your government, or are administrated by companies who operate according to regulation.
This would mean that if I wanted to create a web page, my hosting provider would actually restrict what kind of code I could use, either through approval, pre-generated blocks (like Squidoo), or by my paying to have them do it for me.
On the positive, it prevents malicious code. Prevention is placed on market providers who are to make sure that they are impervious to hacks and not allowing anyone to use malicious code.
On the negative, it subjects all content generated by a company to monitoring and censorship by its government. Not all governments are created equal, and all governments tend to do something really stupid at some point when it comes to technology. That is the price of security.
And naturally, for those wishing total freedom (and also putting themselves at risk), there will be pirate or private networks which will operate like the current 'Net. Even if outlawed, they will be impossible to eliminate and likely easy to tap into, as the demand will be there for total freedom at the price of security.
The ThinkerNet does not reflect the views of TechWeb. The ThinkerNet is an informal means of communication to members and visitors of the Internet Evolution site. Individual authors are chosen by Internet Evolution to blog. Neither Internet Evolution nor TechWeb assume responsibility for comments, claims, or opinions made by authors and ThinkerNet bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.