2/13/2007
04:55 AM

Licensed to Surf

Users who don't use the Web safely are a danger to others on the Internet. Is it time to force surfers to carry a license?

2:55 PM -- In the United States today, individuals are required to get a license to drive a car, run a business, or own a gun. They're also required to get a license for far less risky activities, including owning a dog, selling t-shirts in a public place, or going crabbing.

(Yes, I said crabbing. You tie a chicken neck to a string, throw it in the water, and wait for a crab. To me, it doesn't seem that dangerous. But then, I'm not a crab.)

Here in the world of IT security, we're all agreed that end users, God bless 'em, are the weakest link in any chain. It's end users who fall for phishing attacks and click on worm-infested spam. It's end users who leave their wireless connections open and lose laptops containing thousands of customer names. It's end users who forget to update their security software, becoming unwitting participants in botnets and other online scams.

These practices are unsafe, and they endanger the personal data and identities of other users on the Internet. The people who engage in such practices are at least as dangerous as an unlicensed t-shirt vendor. Shouldn't we require users to get a license before they can surf the Web?

A few of our experts at last week's Dark Reading roundtable raised this idea, and I think it bears some consideration. (See Getting Users Fixed.)

OK, it sounds a bit crazy, but when you think about it, it's not all that far-fetched. Most companies already require their employees to complete some sort of computer security training -- or at least sign a copy of the company security policy -- before they log on. What if ISPs had a similar requirement?

And with the concept of network access control becoming more popular, many companies are also saying they will not allow computers on their networks unless they have been safely configured. What if all computers, including consumer PCs and wireless devices, had to prove such safety before they could be issued an IP address?

Now, I'm not saying that the concept of licensing Internet users is workable, or even realistic. Clearly, the administration of such licensing would be a nightmare, and there would be many ways to circumvent it. And of course, anything done in the U.S. would be of very limited value unless other countries followed suit.

But the fact is, most Internet users aren't well trained in security. Even those who are security-savvy often don't practice safe surfing because they simply don't see any consequences to their behavior. You can't get kicked off the Internet, nor are there any penalties for promulgating spam or playing a part in a botnet. So most users don't take the time to learn how to avoid any of those things.

Until users become more accountable for their actions, they will continue to be the weakest link in the security chain. And, like unlicensed drivers -- or at least, crabbers -- they'll continue to be a threat to those around them.

— Tim Wilson, Site Editor, Dark Reading
