news / tech talk

Securing Users

by Lee LeClair
12/14/2007
As seen in Inside Tucson Business

As someone who knows about something about computers, I am often enlisted for family-oriented projects that include getting someone’s wireless network setup, figuring out how to get Aunt Edna on the Internet inexpensively, and frequently cleaning up someone’s “broken” PC. If it is not too time consuming, I understand this role and do it without too much fuss though I often wonder how average folk get by in the world without knowing much about how their computers work.

As a computer security consultant who works in private industry and for the Department of Defense, it sometimes seems amazing to me that huge botnets exist and grow; after all, they are ultimately composed of compromised home and business PCs around the world. How could so many people allow their systems to be compromised? My fellow computer literate co-workers never let this happen at work but my experience with family answers this question readily enough. The vast majority of computer users are not computer experts. They surf the web but have no idea how it works or what is happening to make it work beyond the minimum they need to know. Even relatively savvy kids that pick things up quickly are prone to this.

For all of my “civilian” family and friends, anti-virus software often exists but is typically expired (60 trial that came with the PC), not up-to-date (do I have to DO something?), or has not been run since I was last there. It is worse for anti-spyware tools I may have installed. And all these measures do not stop stupidity from striking when an interesting pop-up appears promising much if you agree to load the attached software. So, when I take a look at a 13 year old male nephew’s computer to see why it “stopped working” and quickly determine that it has been completely subverted by spyware and Trojans, I understand why. The computer is in his room. He has discovered porn and will click on whatever he feels he needs to in order to view more porn; hence the infected computer, and a low likelihood that I can do anything to deter these actions in the future.

It is bad enough for home systems where the impacts can be identity theft, fraudulent credit card purchases, or just use of the system in a denial-of-service attack on some other network. In corporate environments, it is worse due to the high value of corporate data and reputation. Unfortunately, in spite of firewalls, centrally controlled anti-virus scans, intrusion detection systems, etc., the problem is most often PBKAC (Problem Between the Keyboard and the Chair) according to security research from Symantec, the largest anti-virus company. Most people typically have enough privilege but not enough sense to voluntarily bring harm upon their own computers by their actions. In our free society, people in the workplace expect that they can go wherever they want and often download what they should not on their business computers. Thus, they inadvertently compromise their own systems and networks. A recent article by renowned computer security gurus Bruce Schneier and Marcus Ranum discusses this type of weakness both in user judgment and societal computer privileges in a conversation about the computer security in ten years time.

Steps users and business owners can take to improve their own posture include restricting browser and system permissions or something more interesting like only allowing users access to the Internet through a Virtual Machine image or appliance such as VMWare’s free player. That way, only the VM is ever affected and the VM can be reset back to a known good state. Stay safe!

Lee Le Clair is the CTO at Ephibian. His Tech Talk column appears the third week of each month in Inside Tucson Business