BETTER EDUCATION? OR BETTER DESIGN?
Perhaps surprisingly, the panelists generally foresaw few lasting improvements in data security from better educating end users: the nature of the threats changed too fast.
LIPNER: We need to take the burden of sophisticated security education off the end user and get to the point where the technology is just helping the user be secure and you’re not imposing pop-up fatigue on users. Because it’s counterproductive. A lot of building secure systems is about the user experience. And I think that’s gotten short shrift across the industry.
SADLER: I don’t think we should be putting emphasis on education at all. I think it’s only education in extremely general terms that will last more than six months. You look at a lot of the education programs around the globe, and they’re very, very short term in what they’re telling people to do. Put in place the latest antivirus, that sort of thing. Who knows whether we’ll even be running antivirus programs in two years’ time or five years’ time or…
HEIM: I think there are some basic understandings that people still don’t have. Now if people really knew the consequences that if they install that free animated screensaver widget--that in essence they are saying, “I trust the developer of this little widget with complete access to my system and all my data.”--it might change the way people think. It might change the way people behave online. Nothing is really free, you know. I’ve asked folks to think about the economic models. You download something for free, why would that developer be sitting down and developing it? Yes, there are some open source models but there are also many cases of hidden business models that violate privacy and security of individuals.
DIFFIE: In discussions of the different meanings of the word “free,” you have the examples of “Free Beer!” and “Free Speech!,” to which somebody recently added—this is a wonderful one—“Free Puppy!” [LAUGHTER.] Some years ago my wife and I bought a dog. Probably a thousand dollars up front. But it was a big dog. It didn’t fit in our car. So it’s another $30,000 for a van, and ultimately a million dollars for a house in Woodside, enough room for this dog to run, right? “Free Puppy!” is a very important principle when you’re getting free things. [LAUGHTER.]
SADLER: I think there is an answer, though. The answer is that you train young children, when they go out, to pay attention to the neighborhoods. “These neighborhoods are kind of safe; these are not safe.” The equivalent on the Internet now is, we walk out with our entire bank account into the most unsafe neighborhoods that we’re aware of. And then we’re surprised when we’re mugged. I think there has to be separation of concerns. You want people to be able to download the latest screensavers, but in a part of their environment where it doesn’t affect their bank account or it doesn’t affect the things that they care about.
ABHYANKAR: There has to be a means of communicating danger to the user in a way that does not require too much education. There needs to be a concept like, you know, you walk into a neighborhood and see a telltale sign that maybe something is not right. And so if you have that equivalent representation of safety and danger on the Internet, the end user is that much more aware of where the risks are or not.
DIFFIE: Yeah, but there’s an intrinsic loss of locality in the internet, right? Five-year-olds playing in a schoolyard in a certain sense have complete security. Basically, no adult can impersonate a five-year-old in a schoolyard. Whereas, in an online environment, lots of people can do impersonations. And that’s just the most extreme example of the fact that in the physical world, it’s not as easy to accidentally stray into unfamiliar, uncomfortable neighborhoods. Whereas, the virtue of the internet is that you’re a single click away from anything. Ninety percent of the time you’re profiting from that, and 10 percent of the time you’re complaining about it.
SHERSTOBITOFF: Attackers are starting to spoof that vector, too. They’re starting to attack legitimate sites that someone would trust. A couple of weeks ago hackers were able to put trojans on the Department of Homeland Security web site. So the principle that “if I stay away from the dark sides of the Internet, I’ll be safe” no longer works. Now it’s like, “you’d better watch out and have the necessary technology,” like patching.
HEIM: But when we’re dealing with large-scale infrastructures, you have to maintain principles of production-control discipline. You need to have the capability to be very reactive in terms of being able to rapidly apply new patches and to maintain the stability of your environment. And it’s not always clear-cut that if you apply a security patch, that you aren’t going to come crashing down. Sometimes very minor changes can have very significant impacts.
SHERSTOBITOFF: Yes, in most cases these attacks are exploiting already patched vulnerabilities. The hackers expect that a user wouldn’t have done due diligence; the average 80-year-old may not know that they need to do Windows Updates. We’re finding that these attacks have a higher success rate because there’s a good-size population of users who have had no antivirus for a long time. We’re talking about months and months and months. And they don’t realize the ramifications, that if they don’t do these basic housekeeping tasks, then they are at risk.
It’s a lot different from the corporate side, because the corporate side, as you said, has change control. And we don’t know for sure what a patch will do. But when we’re talking about the consumer side, the average exploit we’re seeing is something that we’ve already taken care of. That’s a trend, from internal stats that we’ve collected: they’re not always keeping their systems up to date or even taking the fundamental, necessary actions.
GILLILAND: And that gets us back to the conversation about training versus technology, right? There’s a lot of really cool new technology that does heuristic blocking and a bunch of other sophisticated stuff. But it’s not deployed widely enough, and not being used. I mean, there’s some space-age stuff that I’m sure Sun has and Microsoft has, that we have and you guys have, to be able to fight some of these battles.
But you need this stuff to be deployed fast enough, with scale, to be able to start to block attacks. And so there just has to be some balance between user education and innovation on our side to try to make as little education necessary as possible. I think that’s the beginning of what you said, Patrick, back when you were talking about how we need some sort of license for access or some sort of training.
I agree with Whit: there shouldn’t be some driver-licenselike government certificate for using the Internet. But why wouldn’t we have basic end-user education when you walk into a company? “Here’s your laptop, here’s your PDA, here’s your whatever. I’m going to teach you the security principles for Symantec.”
SADLER: And how long do you think those principles would last?
GILLILAND: Principles can last for a long time.
DIFFIE: It depends on what they are.
GILLILAND: “Don’t open email or don’t open attachments from people that you don’t know.”
DIFFIE: That’s a hopeless rule.
LIPNER: I think that’s absolutely correct. The only way you can address that is with underlying security and authentication. You give users a choice but they have to know there are classes of things that are safe, whether it’s web sites or attachments or executables. There are reputation services that allow people to decide whom to trust, and then the systems enforce the safety for them. If you tell a user, “You have to read the code, you have to interpret the SSL dialogue boxes,” that’s too hard. For Kaiser Permanente it’s fine. Patrick can build all that policy. But for end users, you have to provide an authenticated infrastructure that allows them to know whom they’re dealing with and whom they trust.
GILLILAND: End users will violate the trust, given the opportunity, without a certain amount of education. Even if a warning pops up and says, “Warning: this site appears to be dangerous,” but the site says, “Click here to see Britney Spears naked,” they will still do it. The most effective sort of virus dissemination is always social engineering. Always. You look at it over instant messaging; you look at it over email; it’s always social engineering.