Getting Users FixedGetting Users Fixed

Dark Reading’s editorial advisory board held a meeting at last week’s RSA Conference in San Francisco, bringing together security experts from several different walks of life. During the meeting, hackers, industry analysts, and enterprise security people discussed some of the chief problems facing security managers today, and their views on the industry’s greatest obstacles. The following are excerpts from that conversation.

Botnets are the chief exploit facing IT managers today, according to Ira Winkler, security expert and author of Spies Among Us. "Botnets are screwing everything up. They are the source of the attacks that crashed the DNS servers [last week], they are the source of spam, denial of service attacks, and every other malicious attack. They are a hell of a driver for the [security] industry, but they are the last thing we need. And nobody wants to take responsibility for them, from law enforcement down to the average user." Internet service providers should play a greater role in stopping botnets, Winkler suggests. "If they want to profit from the Internet, they should be responsible for at least noting that 70,000 ACK messages from grandma might not actually be her data. Some people say we should blame the user, but how can we do that? Others say we should blame the criminals, but we already have laws on the books for that, and it’s not doing any good." The industry should develop ways to make end users more responsible for the damage they cause, Winkler says. "After they’ve clicked on that phishing link for the fifteenth time, maybe we should blame them and take their computer away." Rob Enderle, principal analyst at the Enderle Group, agrees. "People like that are the big problem right now. They’re not part of the solution, so they’re a major part of the problem. Everything we’re doing right now as security people is trying to mitigate the fact that people are stupid. The only way to fix that is to make people not be stupid." Companies should make users accountable for their security knowledge, requiring them to get training and punishing them if they fail to meet that requirement, he suggests. RSnake, a security researcher who founded ha.ckers.org and sla.ckers.org, disagrees. "I used to work for eBay, and we spent millions and millions and millions on user training,” he recalls. “The end result was it didn’t do any good." The problem, notes Jordan Wiens, a security engineer at the University of Florida, is that the threat against users is always changing, which makes training difficult. "If it’s changing that fast, can you really train users in any meaningful way?" Winkler says there needs to be accountability across the board. "If a user doesn’t have the latest software updates and hasn’t done the patches, the ISP should knock them off," he suggests. "They’re creating a hazard to everybody else by having a wide-open system. End users don’t have a right to the Internet, especially if they are behaving in an unsafe manner. The ISPs should be responsible for monitoring their users. Vendors should be responsible for their products. Law enforcement should be responsible for having enough resources to go out and catch the criminals." It’s ironic that end users can be trained to drive a car -- which is significantly more complex and potentially dangerous than using a PC -- but they can’t learn how to recognize spam, Winkler observes. There should be greater training in schools, and perhaps users should actually have to be licensed to go on the Web, he adds. Enderle agrees that end users who act irresponsibly should face tough consequences. "If eBay users act in an insecure fashion, suspend their memberships," he says. "When I was at IBM, we had a series of security problems and we couldn’t get over them. Finally, we said, 'If you make this mistake, you’re fired on the spot,'" he recalls. "The problem cleared up almost overnight -- we had to fire about fifteen people, but after that was over, people were following the policy." RSnake pointed out that such an approach could be detrimental to business. "If you drop customers for being idiots, then you’re going to end up with a lot fewer customers." But Enderle notes that fewer high-risk customers could also result in fewer problems, which results in lower costs. The surest way to solve security problems is to take them out of the user’s hands, RSnake maintains. "SQL is a good example," he says. "We took that out of the developer’s hands, took it out of the user’s hands, and put it behind the firewall. Training, by itself, doesn’t work. In fact, phishers actually like training, because it makes users feel more confident that they know what they’re doing, when they really don’t." "You can’t expect the user to have any input into the security equation -- it just doesn’t work," RSnake says. "It has to be taken out of the user’s hands and built into the browsers, into the ISPs that route the traffic, into the operating system that has to render the pages. When you take it out of the user’s hands, it’s suddenly far more scalable, easier to update, and easier to adapt." But no single technology maker can solve the problem, either, RSnake says. "One person can’t flip the switch and make the Internet more secure," he observes. "It’s going to take a team effort of companies fixing browsers, fixing operating systems, fixing patch management issues. Firewalls need to be configured to prevent any-any [communication] on Port 80. There are all kinds of weird security measures that need to be taken to reduce the overall attack vector." Most companies have yet to deploy Web application firewalls, for example. "Not that I think they do much good, but it’s something," RSnake says. So what else can IT do to protect the company from the growing number of threats out there? "First, don’t let the local admin genie out of the bottle," says RSnake. Second, companies should try to separate internal Web sessions from public Internet sessions, either by forcing the browser to establish a new session or maybe even by forcing users to access the public Internet over a separate device, he advises. IT people can also use tools to recognize when changes have been made to systems internally, Winkler says. "A tool like Qualys works pretty well for that." Corporations should also be careful about allowing users to walk out of the building with laptops and USB drives, experts say. "I had one university client that experienced Slammer on a Friday, cleaned it up over a weekend, and on Monday it was all over the network again," Winkler recalls. "That’s because all the grad students brought it in on their laptops." IT people should also remember that good security can yield a good return on investment, Winkler observes. "You’re reducing risk (and cost) when you eliminate software on users’ machines that they don’t need, like SQL Server or IIS," he notes. "If you cut spam and spyware, you’re cutting bandwidth costs. You don’t have to see it as overhead. There can be a real cost savings here." — Tim Wilson, Site Editor, Dark Reading