Re: [fw-wiz] The home user problem returns

From: Mason Schmitt
Date: 09/14/05

  • Next message: R. DuFresne: "RE: [fw-wiz] The home user problem returns"
    To: "Marcus J. Ranum"
    Date: Tue, 13 Sep 2005 18:58:27 -0700

    >>I also don't think the user education problem is an epidemiological one
    >>either. To suggest that ignorance to a growing and changing computer
    >>security environment is somehow like a rapidly spreading pathogen is a
    >>little bit of a stretch.
    > I'm sorry, I really screwed up my explanation. Can I have another throw?

    You may :)

    > Don't look at the problem from a "successfulness of prevention" standpoint,
    > look at it from a "propagation of failure" standpoint. With something like AIDS,
    > if you can make a significant percentage of the population aware of the problem,
    > you've made it possible for the "aware people" to enclave, meet, and breed, and
    > isolate the "unaware people" or those who have decided to argue in favor of
    > natural selection by taking risks anyhow. So, in an area where you can educate
    > 50% of the population about something like AIDS you've got a fair chance that
    > the 50% you educated will survive.
    > Now, look at Internet security. If I educate 50% of the population about the
    > need to worry about security, I still lose - horribly - because the other 50% of
    > my population fails and their machines are used to attack the educated 50%!!

    Up to this point, I think that the basic education I'm suggesting works
    well in the home user's favour. If the newly educated home user is now
    chanting our mantra, they are going to have a reasonable level of
    protection from most of the automated attacks which is a big win.

    > That wouldn't be a problem except for transitive trust(*)

    I was only introduced to transitive trust when you started up a thread a
    while back concerning the CardSystems problem, so I'm obviously new to
    the details of the problem. So, a quick question if I may. Do spoofing
    attacks such as phishing fall under transitive trust? I'm fairly
    confident that pharming does.

    > - a big chunk, I have
    > no idea how big, of the educated 50% would find themselves vulnerable to
    > attacks from trusted parties and would be vulnerable, and then you'd very
    > quickly be left with the only survivors being those who didn't trust anyone.

    If I'm reading this right (and I doubt I am, because I can't imagine you
    saying such a thing), you're suggesting that our newly minted
    residential security guru is going to have some sort of trust
    relationship with other home users on the net or even the same ISP?
    There is no trust relationship.

    The trusted parties that I can see actually being exploited themselves
    and thus being involved in attacking our home user (via the pre-existing
    trust relationship) are going to be the user's ISP's DNS servers and
    maybe mail servers, Windows Update site, anti-virus update site, maybe
    some others like that. Or if they are attached to work via a VPN -
    problems at work.

    Now, stepping outside of actual network attacks, you start to get into
    identity theft through the home user's interaction with e-commerce
    sites, their bank, their government... yada yada yada.

    Is this the scope of the transitive trust issue? If it is, then I'd say
    that we made some great headway by getting home users to do a modicum of
    host hardening on their home PC; this will deal reasonably well with
    automated attacks and even some social engineering ones such as Anna K.

    If I'm missing something please help educate me.

    > Another factor is that the environment would become poisoned after a certain
    > point. I am on a satellite internet hookup (pity me!) and when there's a new
    > worm out there doing a lot of scanning I can pretty much rest assured that
    > I will have no internet access for 2 or 3 days.
    > I call this "adaptive packet
    > clogging intrusion prevention" -- it's effective but annoying. Wait 'till Gartner
    > hears about it.


    > So, that's a lot of why I am so hard on the topic of user education. Unlike
    > other problem areas where education is effective, user education in
    > computer security is of questionable value because the propagation
    > effect of one user making a mistake can overwhelm the results of your
    > educational programme instantly. We've ALL heard the stories of the
    > dweeboid executive who brings his laptop into the corporate WAN and
    > plugs it in and releases something awful behind the firewall, right? Well,
    > in 1/4 second, the entire educational programme at that organization
    > was utterly mooted. When you're fighting AIDS or illiteracy, local
    > failures do not propagate into massive system-wide failures.
    > Please - don't get me wrong: education is great. But if corporations want
    > to improve their security, it's not a particularly effective investment

    Right, but the rogue laptop user connecting to the soft underbelly of a
    corporate network is very different than our single home user scenario.
    Very different. Perhaps you are correct that user education in
    corporations is a lost cause, but I still don't think I have sufficient
    reason to doubt that home users are a lost cause. They're the ones that
    we're so worried about, aren't they? Isn't that what we've been talking
    about, or have we moved on to user education in general rather than in a
    specific context?

    > [Below I will use the term "Mechanism" here to abstractly mean
    > "technological enforcement system" - firewalls, AV, attachment stripping,
    > IPS, APCIP, whatever. Loosely, you can think of it as "something that protects
    > the user whether they want it to or not"]
    > I guess there's a matrix we'd want to explore:
    > #1 - No Security Mechanism, No Security Education
    > #2 - No Security Mechanism, Security Education for users
    > #3 - Security Mechanisms in place, No Security Education
    > #4 - Security Mechanisms in place, Security Education for users
    > I predict that of those 4, the security differences between #3 and #4 would be
    > minor.
    > I further predict that the difference between #1 and #2 would be minor.
    > I would also predict that the largest difference would be between #4 and #1.
    > Put more simply: my guess is that the measurable impact of education
    > versus mechanism is minor. Add some cost factors in and you could
    > make a WAG at an ROI for security education. Then you'd take your
    > education programme out and shoot it.

    Very good argument. Again, in the context of an enterprise environment,
    I agree. Actually, I take that back. In the home user context I fully
    agree too. If a home user is completely clueless but has the basic
    protections in place, then they are effectively at #4 on your matrix.
    That's where most of the "Security Education" needs to be with home
    users. That's why I keep bringing up the "mantra". If we can just get
    that far, then we've made a huge win.

    firewall-wizards mailing list
