Monday, October 29, 2007

About Computer Security & the Average Computer User

The fact of the matter is, "the average computer user could care less about computer security if everything seems to be working fine". Largely attributed to ignorance and their naive reliance on security software, a typical user would choose ease of usability over security. Adding to their ignorance are the people who market security products as "perfect solutions" or as the "silver bullet". Some of these so called "marketing geniuses" tend to claim unrealistic and ridiculous statements of how their product can protect users from every piece of malware out there, thus giving them a false sense of security.

Who is the average computer user?

Recently I had the chance to visit an older couple who complained of having trouble using their computer. Their computer was previously infected with malware, but has since been cleaned up by another so called "computer expert", essentially reinstalling the OS and wiping out their data. The couple mentioned that the person who cleaned up their computer did not give them an option of backing up personal information or data. It could be possible that the malware on their system had encrypted their data (ransom-ware). Because everything was installed from scratch and things changed around (probably a newer OS version, newer software updates, etc.) they could not find their way around since things did not "look", "feel", and were not "located in the same place" as before! They had a hard time comprehending the change, which is no surprise since they did not seem very computer literate. They simply could not figure out how to browse the internet now, or open, receive and send e-mail, which is what they mostly used their computer for. A quick look at their computer revealed that it was clean of any malware (as of now!) and they simply needed help with using it. So I had to go over with them a basic computer-101 course demonstrating how to open, read, send e-mail and how to browse the internet. During the course of this session I tried my best to explain to them some of the security implications of being logged on as a admin-user. I also explained the dangers of browsing the internet, opening spam messages, clicking on links and clicking the "yes" pop-up-box, etc., (obviously due to my inclination towards computer security). No wonder, they had a hard time comprehending or following the things I was telling them.

Security vs. Usability

The whole experience made me realize - the average computer user simply wants usability. Most people simply want to use the computer for their purpose, get the job done, and move on... Security? - they are either ignorant about it or just do not get it or just do not care as long as their computer seems to work fine...

Where does this place the average user? - An easy target for identity and personal information theft.

Where does this place the malware author? - Easy money-making off of the average user especially due to todays' shift in intent to develop and deploy malware for monitory gain.

Where does this place the anti-malware community? - Fighting a loosing battle...

In my case of visiting the couple, they obviously did not know much about computer security and unfortunately these are the vast majority of computer users, who are un-wittingly contributing to the rise of a plethora of malware on the internet today. Such users are potential zombies or waiting to become part of a huge botnet spewing spam or unknowingly partaking in a DDoS (Distributed Denial of Service) attack. Sadly, it is only a matter of time when their computer will be compromised again and this time they may never ever know, even with the best of the breed of security solutions installed. This is because, by nature, security solutions are defensive, and all it takes is for that one "undetected" malware to get past through due to that "one click". It is just like a typical real world virus that attacks the human body. The doctors cannot come up with a vaccination for it until first a few people get sick due to the virus. This leads to the awareness of the existence of the virus in the first place and then the doctors are able to analyze it and come up with a vaccination for it. This vaccination will then protect all other human beings from that particular strain of virus if taken before hand. Same is the case with anti-malware software.

Given the well know fact about the trade-off between "ease of use" verses "depth of security", the average user is most inclined to choose "ease of use". Deeper security comes with a price - loss of the ease of use. A typical example of this is the innovativeness of growing Internet today. The growing technologies in the Web2.0 world that are banking on Java-Script, AJAX, IFrames, etc. in order to make life easier, render richer user experience, and to bring usability and abstraction. These technologies have been exploited since their inception by malware authors in order to deliver malware to benign users. One way of overcoming this is by giving up the usability features effectively cutting off malware delivery paths. For example: Using NoScript plugin extension with Firefox browser will not allow Java-Script or ActiveX content to run on a user machine, effectively blocking a wide range of malware exploits such as drive-by-downloads. But then, it comes with a price - loss of ease of usability. Some web-pages (even legitimate ones) will not function properly or up to their full potential, without Java-Script or ActiveX support in the web-browser. An analogy to this is the use of "condoms". With modern day education and marketing, more people use condoms today than years ago in order to protect themselves from Sexually Transmitted Diseases (STD). But still some people do not use condoms and are willing to take the risk for the sake of convenience, comfort and ease of usability. Similarly, in the case of computer security, most people would rather have all the good stuff and ease of usability while willing to take the risk by not having all security solutions "turned on". Having to maintain the newer and richer features of the Internet that are still susceptible to malware, pushes the limit of security software to come up with complex but efficient solutions that are good at providing complete protection while not hogging up the machines processing power and memory.

The crutch to computer security

The biggest hole, glitch or crutch to the world of computer security (anti-malware) is the average computer user.

There are three facets to an average computer user that I would like to mention here:

1. The user who knows or has vaguely heard about computer viruses and threats but just doesn't care. They are either not very interested in educating themselves about existing computer threats or are not too worried about it. They are the people who just do not want to be bothered with such things.

2. The user who just doesn't get it. Such a user usually does not know any better and lives in a world of "ignorance is bliss", thinking somehow they would never get infected with malware and there is no need to practice safe computer-usage habits or pay and maintain an updated security solution. An analogy to this is the typical human mind-set to think they can go and have all the sex they want and whomever they want and nothing will happen to them. These people are knowingly choosing to take the risk reasoning somehow in the possibility of all things they will not get a STD, which is obviously an unintelligent assumption.

3. The user who cares but naively relies on promised security solutions (usually a victim to hyped marketing) living under the assumption of complete protection.

A typical user perspective is - "if I have a security solution installed (such as an anti-virus software, a firewall, etc.), then I should be protected, right?" They tend to treat security software as perfect defenses. But what they fail to understand is that security software are not any better than other computer software and are far from being perfect. They are what they are - "software" - buggy, vulnerable and exploitable. There is no "silver bullet" and there are no "perfect solutions". But again, the average user is not entirely to blame for such a mind set. The so called "marketing geniuses" of security products have not done a good job either in educating the average user or providing them with facts. An analogy to this is "birth control pills". They help prevent a woman form getting pregnant but does not protect her from various STDs. While it is the doctor's responsibility in letting know the limitations of the pill to a patient, it is also the patients responsibility to ask and know about it themselves. It is sad to notice that in order to survive and stay in business, companies that sell/market security products as an add-on to their own products, aid the average computer user to remain ignorant by giving them a false sense of security. The average user believes and assumes that they have the best security product installed, and since they pay good money to keep it updated, they should be safe and protected at all times from all threats out there. This unfortunately is a naive assumption. I personally think that if people who market security products were to be more honest about their strengths and weaknesses it will actually get them a long ways and do greater good to users and the community as a whole, making the Internet a safer place to enjoy.

What needs to be done

The only way to overcome malware is by overcoming ignorance. Needless to say, the average computer user stands as the weakest link in maintaining computer security. Empowering the user with knowledge and education about computer security, instead of making them (totally) rely on security software to protect themselves, is the only way to gain an upper hand in the fight against malware. As it is rightly said "Knowledge is Power", and when this power is vested in the hands of the average computer user, they will make intelligent choices and employ safer practices in turn reducing the amount of malware traffic on the internet. Users should be taught to practice safer browsing habits, apply commonsense, and install "defense in depth" strategies. Here is a paper from VB2007 on user education for computer security and here you will find a learning guide for end-user education. Microsoft too has an online user education guide here and an anti-virus defense in depth guide here.

But again, people can only be taught if they are teachable, i.e. willing to be taught, and sadly, the fact of the matter remains that most people in general do not take computer security seriously. For most of them, it is not the need of the hour. They will only take it seriously when one day they wake up and realize that they are in deep trouble. Until then, the average user could care less about computer security. Although most of them obviously do care about personal privacy, they still fail to understand their role in protecting themselves from exposure. This type of attitude will only worsen the situation. This is because of the shift in intent of the malware authors who are now employing stealth techniques and tending to hide their malicious activity. They prey on unsuspecting users by committing identity theft, compromising accounts and personal information, with the use of stealthier techniques to accomplish their task. Hence, the average user who doesn't take computer security seriously will never know about their compromised status and will never really learn to avoid it or care to avoid it. They would reason - "well, everything seems to be working fine, I can still use my computer for music, movies, dating, games, e-mail, information-search, create a document, print, read the news, check the weather, buy stuff on-line, check my accounts, chat, etc. I have an anti-virus software, and it keeps me safe and good." This is purely naive thinking!! Because of the nature of malware on the Internet today, an infected user might not known about about their infected status for a long time to come. Even though everything might "seem" to be working fine on the outside, the malware has already carried out its malicious activity behind the scenes. The only way an infected user might know that they are actually infected is if the user had chosen to install and maintain a frequently updated anti-malware solution and if eventually their installed anti-malware software has detection and disinfection available for that particular piece of malware. But what people need to understand is that having such defenses and protection alone is not enough. They still need to use commonsense in order to avoid malware and infection.

Some of the safer computer-usage habits that need to be practiced are:

1. Not downloading or viewing attachments from unknown sources/senders.

2. Not opening e-mails or clicking on links embedded within e-mails from unknown sources/senders.

3. Using a safer browser such as the freely available FireFox browser with NoScript plugin installed.

4. Not logged on as an Administrator while browsing the Internet.

5. Maintaining fully updated security solutions (notice the plural).

6. Actually taking time to read what a certain pop-up message is about and making a intelligent (or at least a semi-intelligent) decision.

7. Not installing software you do not actually need or from unknown sources.

8. Keeping the system fully updated/patched by installing all released security updates by frequently checking for them.

9. Frequently checking for updates to your favorite application softwares.

10. Getting familiar with a process monitoring tool such as the freely available and very efficient Process Explorer that allows you to know the process name of each process running on your computer. It is a good practice to frequently check the process names on your computer and then use Google to verify that each process name is either a legitimate system process or belongs to a legitimate application.

11. Last but not the least, I would advocate completely avoiding browsing of porn websites because 90% of these websites host malware. Porn websites are the biggest source of malicious software and exploits. But no matter what I advocate about porn, I know most people will turn a deaf ear to me because statistics have shown that pornography in the biggest industry today (it is larger than the revenues of the top technology companies combined: Microsoft, Google, Amazon, eBay, Yahoo!, Apple, Netflix and EarthLink: stats are here) and is one that generates the most amount of traffic on the Internet today (you will find stats here). So even if you are "compelled" and "your arm twisted" to browse porn, please do so with caution and avoid downloading and installing any offered software from such type of websites (especially ActiveX components or browser plugins).

12. Educating yourself about the things I just mentioned above if you do not have a clue about what I am talking.

Nonetheless, having a security solution installed is highly recommended along with "defense in depth" strategies. It is always better to have some protection rather than nothing.

For what it is worth, some people will argue that end-user education does not solve the problem with today's malware. Their argument is it simply doesn't work. You will find some interesting articles here: link-1, link-2, link-3, link-4.

I personally think having some user education is better than no user education.

An interesting analogy of user education to automobile safety education can be found here.

A point and counter-point debate about user education: Point and Counter-Point.

Final thoughts

Until people take security seriously, the anti-malware industry is only fighting a loosing battle. For those few people who do take security seriously, regardless of what the marketing hype teaches them about security products, only their self interest in protecting themselves along with basic knowledge and practice of safer computer-usage habits can actually really protect them.

Digg This | Slashdot This | Add to del.icio.us

No comments: