NCSAM: The mental blocks of security
by Steve Ragan - Oct 1 2008, 11:09
To implement security, first you need to overcome some mental blocks. (Image: J. Anderson)
National Cyber Security Awareness Month (NCSAM) kicks off with a look at the mental blocks that are found in security. This ongoing series will span the month of October, in support of the NCSAM initiative.
Security is a mindset. It is something that has to be implemented from inception when designing a Web page, application, or, on some levels, an entire business plan. However, one of the largest obstacles is a mentality that “It won’t happen to me,” or “What I have on my computer isn’t important.”
Starting with the first mental block, namely “It won’t happen to me,” you can see this attitude invites trouble. The concept is that one can provide just enough security -- either through a Web page or in an application -- that is needed to prevent common attacks, and that should be “good enough.”
The problem is that common attacks are still exploited, while new and unknown attacks are all the rage in criminal communities.
Closed-source and open-source applications are both vulnerable here, as recent events have demonstrated. For instance, the recent DNS issue (discovered by Dan Kaminsky), the multitude of exploits that target Windows-based systems, or even the huge amount of trust placed in OS X, which, if not properly configured, can lead to problems -- these are all examples of how such a mentality can lead to chaos.
In each of the above examples, the security was overlooked, or traded away in favour of ease of use. Where it was overlooked was in the development cycle. This is clear with the DNS issue and the exploits that take advantage of Windows-based vulnerabilities. While security was traded off with OS X, the actual security is still there, but was disabled by default for ease of use for the consumer.
Adobe Systems, with PDF-based exploits or Flash-based exploits, can also fit into the mix here.
The one positive thing for each of these issues is that, while added after the fact, security is a chief concern. Windows and OS X receive monthly patches and security updates. Adobe is constantly checking and re-checking code and fixing issues, and, thanks to Dan Kaminsky, DNS is on its way to being corrected -- even after the major vendors patched their respective DNS releases.
So what can you do to prevent the “It won’t happen to me” block? The process is straightforward: plan for security, and monitor security throughout the development cycle. Implementing processes to ensure security is proactive instead of reactive will help in the long run.
The other block, which applies to most home users, is an evil one. “Hackers are not interested in what is on my computer,” some may say. “What I have on my computer does not need to be protected,” others will likely point out. “No one is interested in my office work, so why encrypt the disk?” they'll pose.
Each of these examples is real, and each is an honest thought for some people. The fact is that information is gold in the criminal economy. The more information a criminal can obtain, the more money they can make from it. While you may have bits and pieces of information stored on your computer or thumb drive, which you may see as useless to someone, a criminal will take those little bits of information and string them together to create a stronger, more profitable profile.
To prevent this from happening, use good anti-virus protection and a strong suite of security software. Constantly patch your operating system and the other software on your computer, such as the Web browser. Monitor the personal information you place about yourself online. Personal information, even in “private” profiles, can leak onto the Web. The more information you keep online, the more someone can learn about your identity.
Never store credit card information or other sensitive information using the “remember this” feature that many Web browsers offer. Never shop online unless you are familiar with the retailer. Avoid phishing scams by simply not trusting any financial advice or warning sent in e-mail form. If your bank needs new security information from you, they will call you, not ask you to e-mail them or fill out an online form.
Examples of red flags that could mean a phishing attack include a bank “security update” form asking for credit information, account information, Social Security information, and more. Your bank will have all of this information already. If you are unsure, and want to double check, walk into your local branch or call the bank directly.
Keep an open mind about security; remember that it only works if you constantly keep it in the forefront of your mind.