We are spending billions on protecting the enterprise from hackers and malware, but we’re letting the rest of the world burn around us. Most of what matters on the Internet isn’t giant corporations or social networks, it’s the average user, the person that doesn’t know between a trojan and a sniffer. Whether you call them average joes, consumers, citizens or the unwashed masses, these are people that cannot defend themselves. They are less capable than the corporations that struggle to defend themselves. This is not to say they are stupid or foolish, but they are sometimes ignorant and certainly the least trained to do so. The easy target that the average user represents is not lost on the criminal world who have repeatedly demonstrated an ability to compromise the security of millions of users for the purposes of generating tens of millions through fraudulent schemes.
The majority of the infosec community focuses on business and government, building the infosec equivalents of castles, not suprising given this is where the money and the jobs are. The only part of the infosec community that regularily focuses on the users are the anti-virus companies (and the occasional journalist). There’s an interesting dynamic in that the marketing campaign for anti-virus software has been sufficiently successful so that users believe this is all they need to be secure resulting in little willingness to consider there is more they could or should be doing. Then there’s the whole password problem where short dictionary words reign supreme but let’s not digress.
There are many tools, be they process or technology, to help defend against hackers and other threats but most of them will never make it into the hands of the common user. There are exciting technology companies out there that provide powerful security solutions to the enterprise but it will be a long time, if ever, before their technology is made available for defending the users of the world. Unfortunately, the average user needs that technology now but it will come too late for them in the never ending arms race that is security. User awareness isn’t the answer, not because users can’t be taught but rather you can’t teach a user to differentiate between a safe file and a dangerous file without turning them into a security professional and they’ve already got day jobs. More importantly, security aware users can only operate at the user interface level, any security events that happen at the network level or deep inside the system won’t be prevented by even the best user education.
Fortunately, there is an existing application of technology that is addressing the problem or more precisely demonstrating a technological method for handling the problem. The best technology demonstrator of this method is probably the one a third of you are holding in your hand right now, an iOS device. The technological methods that the iOS devices demonstrate are a fully sandboxed applications, signed code and a closed ecosystem. Chief among these are application sand boxing and the closed ecosystem radically reducing the chances that something bad can get loaded onto the platform and if something should get on, it’s contained. To the seasoned professional this looks a lot like defence in depth and that’s because it is. Say what you will about Apple controlling the user experience, there’s definitely a good outcome from a security perspective even if it represents a monoculture.
This is not to suggest that we all switch over to the white earbuds and artful commercials of the Apple devout, but rather use these methods to find a way to protect users that cannot defend themselves. We know that application whitelisting, system hardening and non-permissive firewalls (that is, not the one’s from Best Buy) are great tools in securing the enterprise so why not apply this concept of restriction to every user on the planet? Yes, we’ll need to take away access and we’ll certainly have to educate users on why these restrictions are good. Some of the same restrictions we place on users in the corporate environment to protect company data would help protect home users. I’m not proposing that we block access of some thinly veiled censorship scheme. This isn’t a restriction of free speech any more than making a condom the default for sex until you know your partner is safe. The introduction of condoms as part of sex education programs had a major impact on both AIDS and unplanned pregnancies. Nobody said having sex is a bad idea, just do it safely. Likewise, having unprotected access to the Internet is something you should avoid until you know the Internet is safe (so functionally never). Mandatory security patching is not too dissimilar from the notion of vacination programs; making users safe whether they want it or not is way easier and less painful that immunizing school kids by class load.
What we, as an industry, need is user centric security solutions that go beyond the anti-x bundles, VPNs for hiding copyright infringement and desktop firewalls. A solution for protecting users would have the following attributes:
- Centralized operating system management – Integrating user computers into a centralized management platform would allow for mandatory patching and application whitelisting;
- Mediated Internet access – whether it’s a centrally managed desktop firewall solution or VPN like implementation providing security filtering and other content inspection services;
- Centralised automated monitoring – collecting file hashes and other system data would allow for establishing a herd immunity by detecting unusual behaviours across the entire user population;
- A safe application store – a place to download (and automatically update) applications that are free of malware and known security defects.
All of these capabilities exist already but in different and disparate deployments. These combined capabilities would need to be wrapped in a simple user interface and a price point low enough to make it a simple buy. Of course, there’s still the problem of convincing users as to why exactly they should want to buy something like this which means first unwrapping the anti-x industries death grip from around the throat of the Internet, the New York Times certainly helped a little bit on that front.
We need user focused solutions like this to help protect users on the internet. Even if we can perfectly secure the enterprise environment, all the e-commerce sites and all the social networks, does it matter if all our customers and all our users face the unmitigated risk of being compromised? The fact that criminals can’t break into your servers becomes irrelevant because they already have the accounts for thousands of your users. Online crime has already shown it is moving downmarket to small businesses; consumers are increasingly viable targets thanks to automated crimeware that allows for low cost scaling. Winning the enterprise battle while ignoring the world is seeding the ground for more problems.
There’s certainly an epidemic of “blame the customer” thinking amongst security folks when it comes to tools that are supposed to be used by actual human beings, i.e. non-geeks (discussed here: http://z.wrinko.net/10kRvlW). Which is basically pathetic, because it means we’re just not providing tools that actually do the job of keeping people secure. Instead, we’re blaming everything other than the piss-poor tools we (as a security industry) create and market.
Creating and marketing real security tools for non-geeks is non-trivially challenging. Such tools need to both deliver real security improvements, and not be such a pain in the ass that “users” (such a derogatory term) deinstall or otherwise route around them. And unlike in corporate sales environments, there’s no purchasing manager or CIO to butter up and convince to force a clunky tool down the throats of his or her minions. In “consumerland,” bad security tools are tossed aside at once. There’s no room for crap.
The thing is, all the underlying technologies to deliver these non-geek security tools are already there and well-developed. This isn’t a question of reinventing the proverbial wheel. Rather, it’s mounting pre-existing wheels on a new chassis. But even with that being the case, there are so desperately few folks doing a good job of it, eh? One need only look at the utter meltdown of the anvirirus sector – where the tool has become nearly as bad as the threat it was designed to fight – to see how bad things are. Personally, I approach Norton as malware and remove it from local machines accordingly: it certainly qualifies as a form of ransomware.
No wonder “users” are skeptical of security tools – the ones that have been crammed down their throats are awful. Or worse.
On the flipside, there’s enormous – almost unlimited – market upside for security companies that make security tools for non-geeks that work, and aren’t a pain in the ass to use. Anyone who does that basically need not market at all: customers will flock to the doorstep. Actually implementing such solutions isn’t easy, but the payoff is enormous – and that’s not even counting the societal benefits of keeping folks secure online so they can go about their lives more fully.
Lest we forget, the biggest security threats online when it comes to normal folks isn’t “hackers” or “criminals” or “identity thieves.” It’s mass surveillance by governmental agencies run amok. Until we, as a security industry, deliver tools that protect people from that massive, world-impacting threat we won’t have the credibility to call ourselves anything but petty window dressing.
Imho.