Monday, February 11, 2008

client side attacks and technical solutions -- is it always a technical solution?

After talking to my buddy Joe about some client side attacks he came out with the "what is the technical remediation?" question.

It seems the last few years have been about the technical remediation for a non technical problem (exploiting users) delivered over a technical medium (internet/email). The remediation usually is to patch the flaw, in IE or yahoo or third party piece of crap X,Y or Z. At what point are we going to start addressing the reason for client side exploits and why they work so well...the client.

Let's face it, AV is pretty much worthless to anything custom and malicious, its going to be a long while before "Everyone" starts writing secure code, and even then chances are i can still get a user to load, click, run, do whatever i want with the right email sent to them. so is there a technical solution to it?

At some point you have to address underlying issues with problems (especially when they can be easily identified). The underlying issue is uneducated users clicking on things they should know better than to click on or downloading and running executables from god knows where.. User education is key and responsibility for actions is another and mostly just teaching is there is no "free lunch" in real life and there is certainly no free lunch on the internet. There is an awesome commercial on the TV about some dude trying to 419 scam on a bus and the people looking at them like WTF get the hell out of here, its a good commercial for internet safety and how ridiculous most phishing scams are when you take a second to really look at them.

Do i have a training program that will educate everyone? I wish, then i'd be getting paid alot more, but I will say that alot of place's user training programs that i have been exposed to are crap and lumped into all the other mandatory crap people have to do in a year. Think of it this way, you get 1 hour a year of IT Security training. now compare that to how much time the average user spends staring at the internet and email in a year. I'm not going to do the math but thats a very very small percentage of all the hours you work in a year, not even counting time spent on the internet at home.

So what's the point? The point is that the collective "we" need to stop allowing users to be click happy idiots on the browser or outlook inbox if we want to start actually working on fixing the client side piece. significant emotional events tend to make change in people, i'll leave the rest of that up to your imagination.

From ZDnet
Father of anti-virus says to invest in security awareness training

No comments: