Security's Everyman

Security's Everyman

Tuesday, February 13, 2007

Is user training useless?

DarkReading.com has an article about a forum at RSA last week where they discussed some of the industries greatest obstacles. The 2 items that received the most attention were 2 of those that are near and dear to my heart. Root kits and User Awareness. I firmly believe that these are directly related. Getting a root kit is not hard, but in most cases it requires a user doing something that many would consider stupid or at the least unnecessary.

Much of the talk actually centered about repercussions for someone when things get out of hand. Either the end user for doing things that they shouldn't or the ISP for not taking enough precautions and preventive measures to deal with traffic that is obviously "odd". Well this time I'm going to side with the end user a little. They go out and by a PC or laptop and take it home to connect to the internet. In most cases they have DSL or Cable internet and they just want to hook it up and go. This is where the ISP or the modem manufacturer comes in. The DSL providers and modem manufacturers USUALLY have equipment that provides NATing and basic firewall features. Cable does not. When you hook up to a cable modem provided by most ISP's you are hooking up straight the the internet. You are given a public IP address and are fair game in the wild. Hackers will find you and take aim at you with all they have. Most PC's, especially those that are fresh out of the box, are not capable of handling this. They will fall victim to attack in a short period of time.

So why are we allowing the cable companies to do this? Why are we allowing Motorola (they manufacture a lot of the cable modems in use today) and other vendors to do this. If a Linksys can make a Cable modem that NAT's why can't Motorola? If the DSL providers can use equipment that uses NAT and has a basic firewall why can't the cable providers?

Many of the panelist mentioned consequences for those who practice bad security on a regular basis. Isn't an ISP that issues a public IP to a customer that didn't specifically request it practicing bad security? Having a vendor sell a wireless AP that is open by default is bad enough, but having an ISP give a public IP address by default is much worse in my opinion. At least an open access point isn't available to the WHOLE world a public IP is.

3 comments:

cdman83 said...

Hello. My opinion is that NAT isn't a security solution and shouldn't be used as such. You can read my detailed response at my blog: http://hype-free.blogspot.com/2007/02/distinguishing-real-and-non-real.html

Keep up the good blogging!

Andy, ITGuy said...

I agree NAT is not a security solution, but it is better than having your PC exposed to every hacker on the internet. I don't know anyone who would recommend putting your PC directly on the internet even with AV, a personal firewall and other "end point" security solutions. NAT isn't the answer, but it helps get you there.

Aaron said...

I too agree that NAT should not be viewed as a security solution. I've been working on a project where the "security" personnel view NAT as a security layer with some interesting discussions aroud that. On user training - users will always find an easier way to get things done, security is meaningless to users.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.