Getting Users Fixed

Dark Reading roundtable addresses the value of end-user security training - or lack thereof

Dark Reading’s editorial advisory board held a meeting at last week’s RSA Conference in San Francisco, bringing together security experts from several different walks of life. During the meeting, hackers, industry analysts, and enterprise security people discussed some of the chief problems facing security managers today, and their views on the industry’s greatest obstacles. The following are excerpts from that conversation.

Botnets are the chief threat facing IT managers today, according to Ira Winkler, security expert and author of Spies Among Us.

"Botnets are screwing everything up. They are the source of the attacks that crashed the DNS servers [last week], they are the source of spam, denial of service attacks, and every other malicious attack. They are a hell of a driver for the [security] industry, but they are the last thing we need. And nobody wants to take responsibility for them, from law enforcement down to the average user."

Internet service providers should play a greater role in stopping botnets, Winkler suggests. "If they want to profit from the Internet, they should be responsible for at least noting that 70,000 ACK messages from grandma might not actually be her data. Some people say we should blame the user, but how can we do that? Others say we should blame the criminals, but we already have laws on the books for that, and it’s not doing any good."
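The kind of check Winkler is asking ISPs to run is a simple per-subscriber traffic heuristic. The following is an added example (not code from the roundtable or from any ISP) that rolls constructed flow records up per source address and time window and flags two bot signatures: an ACK flood toward one target and SMTP fan-out to many mail servers. The record layout, the addresses and the thresholds are all invented for the demo.

```python
"""Per-subscriber bot-traffic heuristics over constructed flow records.

Added example; the flow format (ts, src, dst, dst_port, tcp_flags, packets),
the sample addresses and the thresholds are assumptions for this demo.
"""
from collections import defaultdict

WINDOW_SECONDS = 60
ACK_FLOOD_THRESHOLD = 50_000   # ACK-only segments per window from one subscriber
SMTP_FANOUT_THRESHOLD = 20     # distinct port-25 destinations per window

# Constructed sample: one ordinary browsing host, one host ACK-flooding a
# single target, and one host opening SMTP sessions to 25 different servers.
SAMPLE_FLOWS = [
    (0,  "10.0.0.7",  "93.184.216.34", 443, "PA", 12),   # normal browsing
    (5,  "10.0.0.7",  "93.184.216.34", 443, "A",  9),
    (30, "10.0.0.7",  "198.51.100.9",  443, "PA", 4),
    (0,  "10.0.0.23", "203.0.113.5",   80,  "A",  40_000),  # ACK flood, part 1
    (20, "10.0.0.23", "203.0.113.5",   80,  "A",  30_000),  # ACK flood, part 2
] + [
    (3 + i, "10.0.0.42", f"198.51.100.{i}", 25, "S", 1)    # spam run: SYN to 25 MX hosts
    for i in range(1, 26)
]


def aggregate(flows, window=WINDOW_SECONDS):
    """Roll flow records up into per-(source, window) counters."""
    stats = defaultdict(lambda: {"packets": 0, "ack_only": 0,
                                 "dests": set(), "smtp_dests": set()})
    for ts, src, dst, dport, flags, pkts in flows:
        s = stats[(src, ts // window)]
        s["packets"] += pkts
        if flags == "A":               # ACK-only segments carry no data
            s["ack_only"] += pkts
        s["dests"].add(dst)
        if dport == 25:
            s["smtp_dests"].add(dst)
    return stats


def flag_sources(flows, ack_threshold=ACK_FLOOD_THRESHOLD,
                 smtp_fanout=SMTP_FANOUT_THRESHOLD):
    """Return {src: sorted reasons} for subscribers whose traffic looks bot-driven."""
    findings = defaultdict(set)
    for (src, _win), s in aggregate(flows).items():
        if s["ack_only"] > ack_threshold:
            findings[src].add(f"ack-flood:{s['ack_only']}")
        if len(s["smtp_dests"]) >= smtp_fanout:
            findings[src].add(f"smtp-fanout:{len(s['smtp_dests'])}")
    return {src: sorted(reasons) for src, reasons in findings.items()}


if __name__ == "__main__":
    for src, reasons in flag_sources(SAMPLE_FLOWS).items():
        print(src, ", ".join(reasons))
```

The browsing host never trips either rule, while the flooding host is reported with its 70,000 ACK-only segments in the first minute and the spam host with its 25 distinct SMTP destinations. In production the thresholds would be derived from each subscriber's own history rather than fixed constants, and a hit would trigger a notification or a walled-garden redirect rather than an immediate disconnect.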

The industry should develop ways to make end users more responsible for the damage they cause, Winkler says. "After they’ve clicked on that phishing link for the fifteenth time, maybe we should blame them and take their computer away."

Rob Enderle, principal analyst at the Enderle Group, agrees. "People like that are the big problem right now. They’re not part of the solution, so they’re a major part of the problem. Everything we’re doing right now as security people is trying to mitigate the fact that people are stupid. The only way to fix that is to make people not be stupid."

Companies should make users accountable for their security knowledge, requiring them to get training and punishing them if they fail to meet that requirement, he suggests.

RSnake, a security researcher who founded ha.ckers.org and sla.ckers.org, disagrees. "I used to work for eBay, and we spent millions and millions and millions on user training," he recalls. "The end result was it didn't do any good."

The problem, notes Jordan Wiens, a security engineer at the University of Florida, is that the threat against users is always changing, which makes training difficult. "If it’s changing that fast, can you really train users in any meaningful way?"

Winkler says there needs to be accountability across the board. "If a user doesn’t have the latest software updates and hasn’t done the patches, the ISP should knock them off," he suggests. "They’re creating a hazard to everybody else by having a wide-open system. End users don’t have a right to the Internet, especially if they are behaving in an unsafe manner. The ISPs should be responsible for monitoring their users. Vendors should be responsible for their products. Law enforcement should be responsible for having enough resources to go out and catch the criminals."

It’s ironic that end users can be trained to drive a car -- which is significantly more complex and potentially dangerous than using a PC -- but they can’t learn how to recognize spam, Winkler observes. There should be greater training in schools, and perhaps users should actually have to be licensed to go on the Web, he adds.

Enderle agrees that end users who act irresponsibly should face tough consequences. "If eBay users act in an insecure fashion, suspend their memberships," he says. "When I was at IBM, we had a series of security problems and we couldn’t get over them. Finally, we said, 'If you make this mistake, you’re fired on the spot,'" he recalls. "The problem cleared up almost overnight -- we had to fire about fifteen people, but after that was over, people were following the policy."

RSnake points out that such an approach could be detrimental to business. "If you drop customers for being idiots, then you're going to end up with a lot fewer customers."

But Enderle notes that fewer high-risk customers could also result in fewer problems, which results in lower costs.

The surest way to solve security problems is to take them out of the user’s hands, RSnake maintains. "SQL is a good example," he says. "We took that out of the developer’s hands, took it out of the user’s hands, and put it behind the firewall. Training, by itself, doesn’t work. In fact, phishers actually like training, because it makes users feel more confident that they know what they’re doing, when they really don’t."

"You can’t expect the user to have any input into the security equation -- it just doesn’t work," RSnake says. "It has to be taken out of the user’s hands and built into the browsers, into the ISPs that route the traffic, into the operating system that has to render the pages. When you take it out of the user’s hands, it’s suddenly far more scalable, easier to update, and easier to adapt."

But no single technology maker can solve the problem, either, RSnake says. "One person can’t flip the switch and make the Internet more secure," he observes. "It’s going to take a team effort of companies fixing browsers, fixing operating systems, fixing patch management issues. Firewalls need to be configured to prevent any-any [communication] on Port 80. There are all kinds of weird security measures that need to be taken to reduce the overall attack vector."

Most companies have yet to deploy Web application firewalls, for example. "Not that I think they do much good, but it’s something," RSnake says.

So what else can IT do to protect the company from the growing number of threats out there? "First, don’t let the local admin genie out of the bottle," says RSnake. Second, companies should try to separate internal Web sessions from public Internet sessions, either by forcing the browser to establish a new session or maybe even by forcing users to access the public Internet over a separate device, he advises.

IT people can also use tools to recognize when changes have been made to systems internally, Winkler says. "A tool like Qualys works pretty well for that."
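The core of recognizing internal changes is a baseline-and-compare loop: record a cryptographic digest and the permission bits of every file you care about, then diff a fresh snapshot against it. The following is an added example of that loop, not the logic of the Qualys product Winkler mentions or any code from the roundtable; the directory layout and the tampering it performs are constructed inside a temporary directory so it runs offline.

```python
"""Baseline-and-compare file change detection.

Added example; the files it creates and the tampering it applies are a
constructed scenario in a temporary directory, not real system paths.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (as a relative POSIX path) to its
    digest, size and permission bits. Mode bits are included so a setuid
    flip on an unchanged binary is still reported."""
    baseline = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        baseline[path.relative_to(root).as_posix()] = {
            "sha256": hash_file(path),
            "size": st.st_size,
            "mode": st.st_mode & 0o7777,
        }
    return baseline


def compare(old: dict, new: dict) -> dict:
    """Diff two baselines into added, removed and modified relative paths."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: snapshot a small tree, tamper with it, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "motd").write_text("authorized users only\n")
        (root / "bin" / "svc").write_bytes(b"\x7fELF-not-a-real-binary")
        (root / "bin" / "svc").chmod(0o755)
        before = build_baseline(root)

        # Tampering: redirect a vendor host, drop a new binary, set the
        # setuid bit on an otherwise unchanged file, delete the banner.
        (root / "etc" / "hosts").write_text(
            "127.0.0.1 localhost\n0.0.0.0 update.vendor.example\n")
        (root / "bin" / "dropper").write_bytes(b"MZ-not-a-real-binary")
        (root / "bin" / "svc").chmod(0o4755)
        (root / "etc" / "motd").unlink()
        after = build_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline has to be stored somewhere the monitored host cannot rewrite (a separate server or a signed file) or an intruder simply regenerates it after making changes; the diff is also only as good as the snapshot schedule, which is why Winkler's Slammer example later in the piece matters.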

Corporations should also be careful about allowing users to walk out of the building with laptops and USB drives, experts say. "I had one university client that experienced Slammer on a Friday, cleaned it up over a weekend, and on Monday it was all over the network again," Winkler recalls. "That’s because all the grad students brought it in on their laptops."

IT people should also remember that good security can yield a good return on investment, Winkler observes. "You’re reducing risk (and cost) when you eliminate software on users’ machines that they don’t need, like SQL Server or IIS," he notes. "If you cut spam and spyware, you’re cutting bandwidth costs. You don’t have to see it as overhead. There can be a real cost savings here."

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.
