By Mark Sutton
Education alone won't work to protect the average user from the threats of today's online world
I've had a few conversations with security experts in recent months, and one thing seems to be troubling them all - cyber criminals have become exceptionally well organized, and are diversifying the nature of their attacks faster than the security industry can react.
There is an emerging class of highly professional, very low-key computer criminals, often controlled by traditional organized crime and operating internationally, who are a long way ahead of the script kiddies who perpetrated the computer hacks of a few years ago.
These criminals are not writing nuisance code for kicks, and they are not just exploiting well-known vulnerabilities in Windows XP - they are going out to steal confidential information from any system that holds it, in order to exploit that information for financial gain.
They have no desire to be famous, and even less desire to get caught. They work methodically, looking for volume rather than a single big crime, and are producing more malware and hacks than the security industry has ever seen before.
According to Symantec, 2007 saw over 700,000 new malware threats - two-thirds of all malware ever detected. The sheer amount and diversity of this malicious software is causing big problems. It is no longer possible to rely on detection signatures and virus definitions being updated quickly enough to block every single attack.
It is also no longer safe to assume ‘security by obscurity’ - that by using one of the less popular browsers, or even switching to an Apple or Linux machine, you won't be a target. The so-called ‘Italian Job’ attack, which targeted mainly Italian websites in June last year, was set up to detect thirteen different vulnerabilities across a range of applications and platforms.
Attacks are also not just targeting the back alleys of the web, the adult sites, piracy sites, file sharing sites and so on, but are aiming for the big brands and the most popular websites. This is creating yet another fundamental change in the way online security has to be tackled.
Previously, education and awareness told users not to visit sites they weren't sure of, but now big-name, trusted virtual and brick-and-mortar establishments are the focus of attacks. Sites that end users have every right to assume are secure are the very ones that are slipping keyloggers and other malware onto end-user PCs.
While the security industry is working on new ways of detecting and preventing illicit activity, it is still also calling for more end-user awareness. For what it's worth, I don't think there's much more awareness that can be strained out of the average user, and when it comes to connecting the next billion users, then forget it.
Online safety and awareness is often compared to driving a car - ‘you wouldn't let someone drive a car without passing a driving test, so why let them use a computer without training?’ is a familiar cry, but I just don't think the comparison works.
For a start, there are a lot of people driving cars who clearly have no idea what they are doing, and if the IT industry is going to get that next billion users, they can't make the barriers to entry too high.
More importantly, security awareness and the rules of the road just don't compare. If you learn to drive a car, the general rules, principles and mechanics of operating the vehicle are broadly the same wherever and whatever you are driving. Don't go too fast. Stay on the road. Don't hit other vehicles.
Common sense tells you if your behaviour is risky or not. Security awareness is more akin to trying to drive the sort of clown's car that you see at the circus, blindfolded, down a road made out of jelly - there is just too much unpredictability, too little awareness, and too many changes to the road - of course the wheels are going to fall off.
So far the security industry has done a reasonable job of raising awareness, but I suspect a lot more people have been saved from mishaps by applications that automatically protected them from themselves, than from any sudden realization that clicking a particular link could be a bad thing.
With more and more diverse threats, trying to create awareness of every single threat among the sort of user who couldn't tell you what browser they are using is a hopeless task. The best we can hope for from the average user is for them to grasp some basic principles of online safety and for organizations to respect those rules.
A good example: two banks recently failed to inform me in writing of important changes to my accounts. In both cases I abandoned the online transactions I was attempting until I could find out directly from the banks what was going on.
Giving the banks the benefit of the doubt, it was probably more down to the slowness of post in the UAE than their own failure to stick to the rule of only communicating account information in writing, but it goes to show that you can train customers into a few good habits that can make the difference.
Incidentally, this is why Apple's attempt to stealthily install Safari on PCs is such a bad idea - everyone else is busy trying to educate people not to install software unless they are certain of what it is, while Apple tries to slip Safari onto PCs as part of an update to other applications.
In the meantime, just like the automobile industry and traffic authorities have built in more and more checks to minimize the impact of bad driving, so it comes down to the IT industry to work out how to protect its users. Any organization that wants the benefits of cheaper, quicker routes to market or wants the ad-clicks or whatever part of their business model requires them to have a presence online, has to invest in better security and processes to protect their customers.
Software manufacturers have to think of how they can create applications that minimize possible vulnerabilities and give users automatic safety features and checks on risky behaviour. Expecting the ever expanding base of novice computer users to be able to look after themselves is asking for accidents.