Information Security News mailing list archives

Home isn't where security is


From: InfoSec News <isn () c4i org>
Date: Wed, 30 Oct 2002 00:56:49 -0600 (CST)

http://news.com.com/2010-1071-963614.html?tag=fd_nc_1

By Robert Lemos 
October 29, 2002, 4:00 AM PT

In 1944, the U.S. government kicked off the Smokey Bear campaign to
teach citizens how carelessness with smoldering matches could set off
raging forest fires.

Now the government is making another call to arms--this time to defend
cyberspace from intruders. The most recent draft of the Bush
administration's "National Strategy to Secure Cyberspace" plan calls
for users of the Internet to secure their own part of the worldwide
network.

Like the Smokey Bear campaign, this call to arms focuses on ordinary
people doing their part to put out the small fires before they can
turn into something big. It's an argument that resonates with computer
industry executives like Symantec CEO John Thompson, who argues that a
Smokey-like campaign could indeed help raise the awareness of citizens
and convince them to use firewalls and antivirus products to protect
their systems--product lines coincidentally supplied by Symantec.

But while such a campaign would obviously do wonders for Symantec's
quarterly profit statement, relying on home computer users for
national security just won't work. The simple reason is that home
users are (at best) unreliable.

Some still call tech support wondering why they can't connect to the
Internet because they didn't know to plug the computer into the wall.  
Others continue to blithely click on e-mail attachments, oblivious to
the torrents of media coverage about how this often leads to the
spread of computer viruses. One home user fell victim to an e-mail
scam, sending $2.1 million of her company's money to an account in the
Cayman Islands. (The FBI arrested her for embezzling funds.)

The experts are guilty of wrongheaded thinking in relying upon home
users to shore up the nation's security. Frankly, that's somebody
else's job. Home users are responsible for protecting their own
important data. But it's a dangerous illusion to believe they will
take better precautions after authorities ask them to upgrade their
cyberdefenses.

Two months ago, several security companies came under attack from
hackers armed with denial-of-service attack tools. Hundreds of
computers--most of them home PCs with broadband hookups--were ordered
to flood the companies' connections to the Internet with data. During
this kind of deluge, even professional security firms have trouble
keeping their connections unclogged.

"It is getting worse," said a consultant at one of the affected
companies who asked not to be identified. "It is absolutely getting
worse."

There's a lesson to be learned. The National Strategy plan makes no
bones about suggesting that each company secure its employees. It
should also require each Internet service provider to protect
cyberspace from home users.

There are simple technologies for doing this. Source egress
filtering--a technique that stops users from sending data with a
false source address, a trick used in denial-of-service
attacks--should be the norm. Companies filter e-mail messages for any
viruses and disallow several types of executable attachments; ISPs
(Internet service providers) should do the same.

Dorothy Denning, a computer science professor at Georgetown University
and security expert, says the most likely outcome will be for home
users to find themselves picking up the tab. "Once you start
formalizing where we are going to put liability, the questions start
coming up (about) who's going to pay for it," she says. "And, almost
anywhere you put it, the costs are going to end up coming back to the
users."

Another unfair tax arrangement? Maybe. But would you feel better
relying on folks who still think e-mails from deposed Nigerian princes
are the real deal? I wouldn't.



-
ISN is currently hosted by Attrition.org
