Evangelizing IT Security: Why is There a Need?
Last updated May 23, 2003.
Computer security remains a huge problem for the user community. Despite numerous warnings, massive virus outbreaks, and more, people are still finding themselves victimized by online attacks and scams. For years the security industry has been trying to solve this problem with products and solutions that just don’t seem to be working. The end result is that our users are just not getting the point — security should be part of the process, not an afterthought.
Given the security industry’s evident failure to change end users’ behavior, the question has to be asked: What are we doing wrong? Why aren’t we having a significant impact? What can we do to get the message across more effectively?
This section addresses these questions. First, we need to recognize that there is a problem. Once we do this, we can examine the reasons why the problem exists. Next, we can reexamine what our message to the end user should be, and finally try to determine the most effective method for delivering it.
Acknowledging the Problem
The security industry is having a tough time getting through to the typical user, who has no desire or need to pay attention to the many lists, forums, blogs, and security sites that exist to inform the world about the latest and greatest issues. This is evident in the number of infections and the growth of botnets over the last few years, and in the very casual way that users deal with their own security. All one has to do is look at how users assume a USB stick is safe, regardless of the fact that they found it lying in a café.
However, the problem extends well beyond the typical home user. It has also become a serious problem in many of the IT industry’s career fields. For example, last year an employer posted a job notice for a web developer, and the following were the interviewer’s comments:
“Last year, I was in a position where I needed to hire a handful of web developers and as part of my interview process, I asked each one to describe XSS, CSRF, and SQLi and the ways to mitigate them within a webapp. Out of the thirty or so interviewees, only one could describe SQLi, and no one could discuss XSS and CSRF. I got a lot of comments such as, "I've heard of that before, but I'm not sure exactly what it is." I had to shift my original hiring criteria (and expectations) and do training for all the new hires.”
The simple fact that web developers are not aware of the top three web application security threats they must deal with indicates that something is wrong — very wrong.
The Security Industry’s Problem
We can see that there is a disconnect between the user community and the security community. As much as "we" try to convince the world that security matters and that it needs to be taken seriously, the message is lost in translation. In this section we are going to examine some of the issues to get a better understanding of why our message isn’t being heard.
Security People Talk in Code
I recently read a story at a conference on communication:
- Once upon a time there was a Mook who lived in a Gak. Every day the Mook and his Gak got up, left the Gak and went to the Forg with his Ning. When the Mook and the Ning got to the Forg, they looked around. The Forg was big and white with blue Frails along the wall. The Mook and the Ning usually hung out with the Tig, but today the Tig had left early and the Mook and the Ning went back to the Mook’s Gak.
So, here are a few simple questions: Where does the Mook live? What did the Mook take to the Forg? What was missing from the Forg?
These questions can easily be answered from the previous paragraph. However, what if you were asked to describe a Mook or a Gak? Ironically, this is exactly what the security community does on a regular basis — myself included. The reality is that the typical user doesn’t know a firewall from a Mook, a VPN from a Gak, or spyware from a Tig. Yet we (the security community) continue along in our ways, oblivious to the confusion we leave behind.
For example, we recently assisted a homeowner with the setup of a secure wireless network. Not only did the user not understand what a wireless network was, but they didn’t understand that their desktop upstairs needed a wireless network card in order to connect to the wireless access point one floor below. With this in mind, how would anyone expect them to understand how to secure the same network — even if they are given a manual filled with terms like 802.11b/g, WEP and WPA?
Security Issues are Dynamic
It is no secret that many people in the security community have a touch of ADHD (attention-deficit hyperactivity disorder). While the condition might not be diagnosed in the majority, the ability to refocus quickly is among the skills and talents that make a good security professional.
Unfortunately, the same character traits of the individual have bled into the security community as a whole. For example, not two years ago wireless security was the major focus, and for many the only security issue that mattered. There was an explosion of books, articles, proof-of-concept programs, and more related to the subject of wireless technology. Yet within a one-year time frame, the primary security issue became web application security. Again, we have books, articles, newsgroups and entire companies being created because of this issue.
How can the typical user keep up? And with all the emphasis on web applications, who is promoting wireless security?
Second, security issues are constantly evolving and becoming more complex. Again, take a look at wireless security. At first, the main problem was that wireless networks were unencrypted, so WEP was encouraged (briefly) to help prevent sniffing attacks. Next, WEP was found to be broken, so WPA was created to fill the gap between it and 802.11i (WPA2). Now that we have video cards and FPGAs that can make short work of all but the strongest passwords, the security community is promoting VPNs. And if this isn’t enough, your wireless connection can be hijacked by someone with a big antenna and a copy of Karma. People in the security community can barely keep up. How can our users?
Next week we continue our look into the many ways that the security industry and community are failing in their efforts to promote security as a positive and valuable process. As we have already illustrated, we as a community assume a lot when interacting with the typical user. We would love your feedback on this series thus far, so feel free to send your emails to firstname.lastname@example.org or post a comment!
Books and eBooks
Absolute Beginners Guide to Security, Spam, Spyware & Viruses — This book does a good job of breaking down the definitions for the person who doesn’t know the terms or the problems they face as a computer user. It covers almost everything, from the basics of "What is a Computer Virus" to the more technical "How to Fix a Hacker Attack." (Read in Safari Books Online)
Know Your Enemy — The security community at times needs a small dose of its own reality, and this is what Know Your Enemy is all about. Specifically, it provides a hard look into the blackhat community, which is always redefining its own rules of engagement and attack strategies.
InformIT Articles and Sample Chapters
Hackers: There’s a Man in My Machine — This sample chapter from the aforementioned book (Absolute Beginners Guide to Security, Spam, Spyware & Viruses) starts by defining the term "hacker" in both its original sense and the media version. From there it builds a clear picture of what hackers do and why they do it, in terms that most people will understand. The reading is light and witty at times, but it does a fairly good job of describing who and what a "hacker" is.