Original URL: http://www.theregister.co.uk/2005/07/06/security_blame/
Security meltdown: who's to blame?
We all are, naturally
If there's one thing the security industry is really good at, it's pointing fingers. We all like to say that "security starts with you", so that everyone can share a piece of the mud pie. While we're pointing fingers, let's look at a few groups and individuals and see how they can share the blame for their own insecurity - and prevent the spread of viruses, Trojans and worms.
Individuals and small businesses share the blame
In this instant-on, instantly-available world, the best thing many people at home can do (besides ignoring the next virus received in their email) is to simply turn their computers off when not in use. It sounds oversimplified, but it works.
Years ago, about ten thousand people asked me if they should turn off their computers at night, or keep them running. I made the mistake of telling them that I never turn off my machines - but then, I run half a dozen Unix-like servers spread across several countries. After friends, family and one computer-touting unemployed man on the street have effectively been online 24/7 and infected with worms, I regret to admit that I was wrong. Power up your computer, check your email, surf those nefarious websites that you love, and then power down. Disconnect gently from the network.
Left to its own meanderings, your Windows computer is not to be trusted. Don't do any online banking unless you have a router, a firewall, the latest anti-virus, the latest Windows patches, the latest Windows OS, three anti-spyware applications, and you fully understand what "phishing" means. If you don't know what these are, what you're doing or how to properly configure, secure and operate your own server, turn your computer off. Or buy a Mac or Linux desktop and slip under the radar.
There are always people who should have their Ethernet cables cut with a pair of scissors when they purposely seek out spam, download accelerators, useless toolbars, porn, warez, serialz, make-money-fast schemes and such... they contribute greatly to the botnets and spamnets of the world, but that's another story for another day. Just because someone can afford a fast computer and a broadband connection, it doesn't mean he has any idea what he's doing - like the guy who can afford a Ferrari and then slams into the back of a bus.
Small businesses and non-profit organizations can do wonderful things to secure their networks from viruses and worms. I signed up at the YMCA gym the other day, and noticed that they store my credit card information in their computers. I glanced over and saw a DOS-like screen, and gave out a huge sigh of relief. The technology they use predates the web by about ten years, so the odds of them having Internet access at this gym are slim-to-none. Excellent. The only way into those computers, then, is to arm-wrestle my personal trainer during business hours and get physical access to the machine. For the sake of security, sometimes retro technology that's disconnected from the network is best. Of course they could be running Windows 3.11 and have TCP/IP, but it seems unlikely.
ISPs share the blame
It's not realistic to expect most people to disconnect from the internet - after all, what on earth were computers used for before the web? Many people are not sure. Business things. Spreadsheets and word processing, oh and games too. If the internet is now ubiquitous and owned by nobody, then it's the ISPs who should play a major role in securing their chunk of the network.
Many major ISPs have taken the first baby steps. They analyze their DNS logs and automatically cut off subscribers making too many bad requests. They use NetFlow to monitor traffic patterns at their routers, and cut off the worst offenders who are saturating bandwidth. They block incoming TCP ports 25 and 80, in a well-intentioned but fruitless effort to stop spam - without realizing that most Trojans open up their SMTP spam engines on entirely different ports. Some even do network scanning of their customers to cut off or warn those who are already compromised, owned up, or otherwise greatly at risk. But ISP security is spotty at best, it varies from provider-to-provider, and it's done purely in their own self-interest and not out of the interest for their customers. Worst of all, the likelihood of cutting off legitimate customers who know what they're doing seems just as high as catching Aunt Margaret's compromised spam gateway machine.
Major companies share the blame
Many large corporations and enterprises are only marginally more secure than the average home user, due largely to their insecure desktop machines. While it's difficult to fault the IT staff of an enterprise when Bob in Accounting clicks on a zip file, puts in the provided password, and unleashes the latest Trojan sent to him, there's enough blame to go around for everyone. Odds are pretty good that the corporation is still standardized on Windows 2000, which is almost at its end-of-life. There's also a good chance of finding many machines in the enterprise still running Windows 98 or 95. Trust me, they're everywhere. Having spent many years in software sales, I can say without a doubt that many organizations are far, far behind the desktop technology curve compared to most home users.
Does Bob in Accounting really need internet access? Does Jim in Finance really need to surf the web? The most secure computer is a disconnected one; in light of security, IT managers need to push back on departments and users and limit those business users to just those who really need access to the internet.
Criminal hackers are to blame
The criminals who create, modify and distribute viruses, Trojans and worms are the source of many of the security problems on the internet, and they know it. It may have started as a game, but now it's a business that is starting to bring in big profits through phishing, botnets, DDoS threats, extortion, and so on. The criminals would deserve all the blame if it weren't for human nature to want to destroy things that other people have built. They would deserve all the blame if they thought for a minute about the impact their creations might have on millions of people. They would deserve all the blame if it weren't so incredibly easy to just slightly modify a piece of publicly-available virus code and release it to the world, and then be guaranteed that a few hundred thousand people will click on it before the latest A/V signature is even available. They would deserve all the blame if it wasn't so darn easy to convince a user to click on the attached picture: "it's one of Angelina Jolie and she's nude," pretty much guarantees success.
Criminal hackers might deserve most of the blame, but they're also a check and balance to all those insecure systems out there. And they're not going away. The few who get caught may maintain that they're doing a good thing for society, much the way a terrorist or a religious fundamentalist believes he is following a righteous cause... but only a few of these criminals will ever get caught.
We share the blame
At SecurityFocus we provide Bugtraq and the vulnerability database, which is time-sensitive and useful information that is most often used to secure networks. When a reader discovers a newly vulnerable application or system, they must patch it, make it unavailable, or take it down. But any information can be used for nefarious purposes too, and exploit code or information on exploiting new vulnerabilities can be just one step away from a new virus. If we did not provide the forum for vulnerability discussion and management, it would continue to be provided somewhere else.
OS vendors and application providers, well...
The biggest groups who need to share the blame are the OS and application vendors, and you know who they are. They're selling you licenses and maintenance contracts so they always have your business and you always own the newest version of their software - but more often, your organization has a version installed that's two full releases old.
For vendors to share the blame for viruses and worms, there must be an admittance of guilt, an acknowledgement of bloatware, poor programming practices and a general lack of regard for all things secure - they must take ownership of the monsters that they have created, particularly on the desktop. But it will never happen, and they'll never share the blame. While the OpenBSD style of dumbed-down, simplified and secure systems (with a heavily audited code base) that just plain work might be one of the smartest approaches to security, almost every other vendor is progressing in the exact opposite direction. Bigger, better, slower and less secure. And for that, these vendors share the blame but with one important difference: they do so while wearing blindfolds, forced to provide more and better features in newer and more bloated versions, while stumbling forward into the realm of new product sales instead of security.
We all must share the blame for a lack of progress in the security industry. It's great fun to point fingers at each other while the criminals keep their heads down and continue to work. If we continue to point fingers at each other, rest assured we'll get nothing done.
Kelly Martin has been working with networks and security since 1986, and is currently the chief editor for Symantec's independent online magazine, SecurityFocus.