AusCERT: Entrusting end-users an outdated idea
Ivan Krstic, co-author of the bestselling The Official Ubuntu Book, delivered a scathing keynote at AusCERT (Australia Computer Emergency Response Team) 2007 Monday claiming the tech industry has failed to address securing IT and that far too much still rests in the hands of uninformed end-users.
Delivering the opening address at Australia's premier IT security conference, Krstic said immediate action is required.
"We can fix it now or face another 10 years of empty vendor promises and lousy security products," he said. "We need to work less on sexy problems and focus on the hard ones that need to be solved."
Today's problems cannot be fixed, according to Krstic, with a 1970s security model.
"Everything you know about desktop security is wrong. Desktop security is about the user not protocols and algorithms," he said, adding that 75 percent of machines are infected with malware.
"Today, there are more than 100,000 known viruses, not to mention spam and phishing and that is because we rely on users to make choices about things they don't understand," he said.
To reinforce his point, Krstic showed how a user interprets a pop-up dialogue box that appears on their screen.
"To a user it simply says: 'Blah blah, technical terms, I don't understand, blah blah,'" he said.
"Then it will ask the user to press 'yes,' 'allow,' or 'permit.' Of course they will click on 'yes,' 'allow,' or 'permit' because it rewards them by letting them get back to work. We are training users to ignore security and rewarding them for it," Krstic explained.
"By leaving decisions to uninformed users it means IT security is an unbelievable mess and disaster. How did we get here?" he added.
Krstic said the assumption that every program runs with the permission of the user is a 35-year-old concept.
He said 35 years is equivalent to centuries in IT, adding that "we wouldn't go to war with sticks and stones."
"We run untrusted code every time we open a Web page. It is bizarre," he added.
Krstic went on to criticize the methods used to address these problems.
"Maintaining blacklists is one of the dumbest ideas in computer security; what's the point in keeping an up-to-date list of all the bad things, simply cataloging badness. That's a losing battle we cannot win," he said.
More than 1100 delegates are in attendance at AusCERT 2007 which is being held on the Gold Coast from May 21-25.
» posted by ITworld staff
Computerworld Australia
Symantec Backup Exec 12 and Backup Exec System Recovery 8 deliver industry leading Windows data protection and system recovery. Download this whitepaper to find out the top reasons to upgrade and how to get continuous data protection and complete system recovery.
Data and system loss — from a hard drive failure, malicious attack, natural disaster, or simple human error — can happen anytime. Don’t leave your business vulnerable. Make sure you have a secure recovery strategy in place. Symantec's latest backup and system recovery technology can efficiently restore critical applications, individual emails and documents and even restore your entire system in minutes in the event of a loss.
Businesses face a growing challenge to ensure that the IT environment is properly protected. Backup Exec 12 integrates with other applications in the Symantec family of products, to complement your current data protection strategy, keep your data securely backed up and make it recoverable when you need it most.
Crimeware: Understanding New Attacks and Defenses
By Markus Jakobsson, Zulfikar Ramzan
Published Apr 6, 2008 by Addison-Wesley Professional. Part of the Symantec Press series.
Enter now! | Official rules | Sample chapter
Securing VoIP Networks: Threats, Vulnerabilities, and Countermeasures
By Peter Thermos, Ari Takanen
Published Aug 1, 2007 by Addison-Wesley Professional.
Enter now! | Official rules | Sample chapter
