RSnake has a good post on DarkReading called The Internet's Original Sin. His point, as I see it, is that we are trying to use the internet for secure transactions yet it was never intended for secure transactions. The "original sin" is that it was not conceived with security in mind. We keep throwing new technology at it to make it secure, but the underlying framework is still insecure.
This is another reason that we need to work to ensure that end users are educated on how to surf the internet securely. There is little chance that we will ever make the internet, or networks in general, fully secure so we have to teach people how to be careful and pay attention to what they are doing.
I've been participating in an email thread where we were talking about being aware of what is going on around you. We have been sharing ideas and tips on how to live more securely in the physical world. We will never live in a world that guarantees safety so we have to be aware of possible dangers. Same applies to the cyber world. You have to pay attention to where you are going, how you are getting there and what you are doing when you are there.
When you drive into a part of town that has known dangers, you lock your doors, roll up your windows and pay very close attention to your surroundings. Following the same guidelines on the internet will help keep you safe. If you find yourself on a site in the seedier part of the internet you have to do similar things. The best thing is to get out of there as quickly as possible.
Have you ever stopped to ask for directions and later discovered that the person intentionally sent you somewhere else? It's happened to me so now I'm more careful when I ask for directions. Same principle holds true when clicking on links from unknown sources. Don't do it until you are sure it is going to take you where you want to go.
I could give lots of other comparisons, but I think you get the point. People learn to live safely and securely in the physical world because they spend their time there and they interact with others who help them develop their "spidey senses". Now the challenge is to help everyone develop their "cyber senses". Those who have the "gift" need to share it with others.
Security's Everyman
Wednesday, March 07, 2007
Securing the Insecure
Posted by Andy, ITGuy at 6:31 AM
Labels: Andy ITGuy, information security, RSnake, security awareness
1 comment:
I like your analogy there. It is an odd little side-thought of mine about how we so often see media, mgmt, and even security professionals clamoring for absolute security. Even if they "get" that security is not a state but a product, they still strive for it.
But, like physical security in the real world full of human beings, there is no absolute security. There will always be some sort of breakdown. We don't manage and create our law enforcement units and agencies under the premise that we will eradicate all insecurity and crime. That last 20% is just nearly impossible without a really totalitarian state.
We do have to be aware of our surroundings and what is going on in the Internet.
RSnake's principle is similar to individual protocols too, like SMTP. It wasn't meant to be secure, but we keep trying to tack security on top of it.
Ramble, ramble... :)