Security Awareness and Why Things Aren’t Improving

Earlier this week news broke of Google’s interruption of a large-scale phishing expedition, which alluded to some state involvement of China. This inspired a host of experts to write about it and J Oquendo’s article on InfoSecIsland inspired me to write mine. In his article mr. Oquendo asserts that its remarkable (read: stupid) that US officials still seem to be using commercial email services such as GMail for exchange of security sensitive and sometimes mission-critical information, instead of using the available high-security services offered by the US Government that they should be using. In this day and age, with a nearly constant barrage of security breaches in the news, people don’t seem to be getting any more aware of security issues.

In the area of User Security Awareness, things aren’t improving at the pace they should. The Internet (and related technology) is not New anymore. While the usage of internet technology has grown exponentially over the last decade, its users have not grown much wiser in terms of security. Largely this is because the common online populace simply does not see the danger in having their online identities compromised; its too abstract a notion for most people. Until the very real and practical downside of getting compromised hits them on the nose, they won’t care. There is a whole industry revolving around protecting you and recovering you from identity theft, and that is both a blessing and a warning. The many problems a person can experience from being a victim of Identity Fraud can take years to resolve. Years during which you are most likely to have bad credit (even when the bank knows you’ve been victimized!) or even be in debt for thousands of dollars for purchases you have never made. Living through such an experience is probably a real eye-opener, but we can hardly put everyone through such an ordeal just for security’s sake.

Provided all your friends would actually listen to sage advice, what would you even tell them? The answer to that question gets harder every year, because criminals get craftier all the time. A few years ago, you could tell your friends not to open attachments from people they don’t know and they’d be safe. These days you’ll receive your dose of malware from people you do know, packed in emails that look increasingly like something they could actually have sent you. Even in my native language (Dutch) every year more malicious email finds its way to my inbox. The first few were poorly written, the authors probably used basic online translation software, but this too is changing. Soon you won’t be able to distinguish malware based solely on poor grammar anymore. Regardless, delivery by email is hardly the biggest problem these days. What about drive-by-infections on the web? All you have to do is do a Google search on images and you can get infected just by looking at the results because the malware is embedded in the images you see. No longer can you stay safe by just staying away from ‘bad online neighbourhoods’ because online crime has long since made its way to cyber-suburbia.

The solution to our security problems will have to come from a variety of efforts. Firstly user education is obviously very important and should start at the earliest opportunity. Educating kids in school is probably a good idea, but we have to make sure that their learning material is updated constantly or the effect will be minimal. I see a strong role here for Governments, with help from the corporate world such as Microsoft, Cisco or McAfee to name but a few. A second angle is security enforcement in software products and online services. To use Google as an example once again: You can now choose to use two-factor logins rather than a simple password. This would seriously reduce the success of several angles of attack such as brute-forcing or phishing, but at the cost of being slightly more inconvenient to the users. It is my opinion that we should accept this inconvenience sooner rather than later, because the damage of not doing so is simply too great. Another good example is Microsoft Windows’ use of local Administrator rights; I believe that they should find ways to copy the Linux security model so as to lessen the attack surface for malware.

Thirdly, I believe that more efforts should be made to lessen the incentive to commit cybercrime. Currently this type of crime is far too lucrative and the risk of getting caught are absolutely minimal. And its easy to learn! An especially important effort here is for the banks that offer Credit Card services (Mastercard, Visa, American Express etc). The credit card system is insecure by design and this should be changed. What is most frustrating is that the credit card companies have long since assessed the situation and have found the answers. However, the cost of implementing the necessary changes is considerable and do not actually increase profit for the banks. This is why they do not get implemented. By making banks responsible for returning stolen money (think fraudulent credit card charges) to fraud victims, it was hoped that banks would be forced to make changes. What it actually did was move the damage from the consumer to the retailer because the banks would simply revoke payments to the retailers, in the end barely touching the bottom line of the banks. Status quo was returned and criminals are still getting their loot.

A fourth angle ties into lessening the incentive: increase the chance of getting caught when committing cybercrime. Several nations have stiffened sentences for cybercrime, but studies show that sentencing barely reduces crime rates. What does affect crime rates is the chance of being caught. This is especially true in such a cross-border legal nightmare as cybercrime, where international borders mean nothing and everything depends on nations working together to fight the crime syndicates. Luckily, more and more cooperation is seen on this front. Virtually every conference on cyber security will host speakers of law enforcement to regale you with their international successes, and this is a good thing! Give these people the limelight so that they have more incentive to continue. Kudos, after all, are often a currency on their own.

There are probably many more methods to increase cyber security. The trick is not only to find them, but to implement them. Our future online security will depend on bold men taking action – not on bending to inconvenience.