What do we really know about safe computing? I was reading an ISC2 blog post “Practice Safe Computing” recently, and it preached several practices that we should all adopt to use our computers safely. It’s something that the author teaches to children. I’m an adult, I’m an IT person, and IT security is one of the things I do. So, I’m surprised I didn’t arrive at the correct answer to his first question.
“What is the first thing we should check when we turn on our computer?”
I don’t know, what are we supposed to check? That the computer looks to be working, so that I can go on to do whatever it is I want to do?
The correct answer: “Of course having a look at your anti-virus application is the place to start. Is it running? Are the databases current?”
Oh. To think that I’m a certified CISSP. *oops*
I think we’ve all come to take things very much for granted. Mac OS X is my primary work environment. I know, viruses can hit Macs too. But the reality is that most Mac users get by without any anti-virus protection and they do fine.
I don’t have anti-virus protection on my Mac. I use a lot of Unix as well, including both Linux and Solaris. I don’t have anti-virus protection in those environments either. I seem to be setting a very bad example. I can try to get away with the defense that “viruses are a Windows problem”, but the reality is that viruses can hit Mac, Linux, and Solaris environments well. Why are we not concerned?
That’s a very good question, and I don’t have a very good answer. I have lousy answers about how Unix environments are different, that they are inherently more secure, etc. But well, so what. There are viruses and trojans designed for Unix environments.
[While writing this, I reconsidered my need for anti-virus protection on my Mac. After reviewing several anti-virus applications available for Mac OS X, I ended up still not taking any action. More about this later.]
Just to do my bit to spread the educational message, the ISC2 post preaches several things that you should do:
- Check that your anti-virus application is running and that its database is up-to-date (less than 24 hours old).
- Check that you have installed all relevant patches and updates for your operating system and other applications.
- Check that you have a firewall between your computer and the Internet. For example, connect your computer through a broadband router before your broadband Internet connection.
- Some other advice about online shopping, details I’ll omit because they aren’t directly relevant to what I want to focus on.
Do you do any of the above 1 – 3? I’m embarrassed to say I don’t.
I assume my Mac OS X will take care of automatically installing all relevant updates. I do have a broadband router at home, and perhaps the corporate firewall at work counts when I’m in office. But I don’t suppose my smartphone counts as a firewall when I’m tethering its 3G connection. I presume the author did not consider the firewall built into the operating system as sufficient.
I am, perhaps, guilty of having taken security for granted.
But, really, am I supposed to do all that? If I own multiple computers, am I suppose to repeat that for each one of them? What about my other smart devices? Like smartphones and tablets and music players. We all assume magic happens on those devices, right?
I think the idea of having to check anti-virus status, operating system updates, and application software updates should be a thing of the past. Modern smart devices should just work for the user. If the smart device doesn’t work, it should be banished, and its reputation should be forever tainted. At least until it can proof to users that it is a dependable device.
Compare these with other sorts of household appliance or “systems” in your life. Your car, for example. You buy the car, and you expect the car should just work. If there is a fatal flaw discovered with your car, the manufacturer should recall it and get it repaired. You don’t keep checking in with the manufacturer or car dealership to see if there is something that you should be aware of.
Alright, maybe cars aren’t the best analogy. Afterall, you are supposed to bring in the car for regular servicing. But I might argue that this is akin to “tuning up” your computer once a while – such as by defragmenting your hard disk, clearing out unneeded data, etc.
Let’s try another analogy. The microwave oven. It should just work. The microwave oven does not need regular checkups or servicing. You don’t have to check in with the manufacturer about product defects. If there is some safety issue about the microwave oven, the manufacturer should tell you and fix it for you.
If the microwave oven manufacturer fails to live up to your expectation of having delivered at least a reasonably good, working, and safe product, you are likely not ever going to buy anything from them again. You’re also going to complain about them to all your friends and encourage them to boycott this manufacturer.
Computers, nowadays, aren’t those same computers we’ve been tinkering with over the last couple of decades. They have become blackbox appliances. In fact, things have gotten very blurry nowadays, since some traditional appliances have also become little computers. Tell me, are you actually going to check if your car’s Engine Control Unit (ECU), which is a sort of a computer, has had latest security updates installed? How about your set-top box? Your smart TV?
On the two dominant mobile platforms, Android and iOS, updates to both operating system and applications are automatic. It’s not like you really have to care about them. Of course you could do a “go check for updates now” procedure if the system is not picking up an important update fast enough. But conversely, if there is a security problem and the manufacturer does not want to fix it, you don’t really have a reasonably straight-forward option to fix it yourself.
So, I think the practice of “safe computing” nowadays has evolved. Checking and installing security updates is a routine and mundane task that should be automated by the computer. That’s what computers are good at doing. If your smart device cannot get this done correctly, then condemn it and move on to something else better.
Humans should focus on high-level things. Fuzzy things. Things that computers might not be so smart at doing. Like figuring out and identifying phishing attacks. Defending against social engineering attacks. Humans are smart. Maybe they still need some training and awareness education, but these are things they can handle.
I’m shocked to come across an incident at work this week involving a research staff having fallen prey to a dumb phishing email. It is so unbelievable that a research staff from a computing school could follow a phishing link, and supply his/her username and password to a very suspicious looking website. How could we expect an ordinary person to know better?
I hope that is just one single freak accident. I don’t have figures on the “success rate” or “hit rate” of phishing attacks, but obviously, any success or hit is bad enough. Some one or other will fall prey to such attacks. Anti-phishing software, like anti-spam software, aren’t perfect. This is where we need humans to use their common sense.
Earlier, I said I didn’t have any anti-virus software. I haven’t had one for some time. It sounds so “wrong” for an IT security person to say that. But I think the danger nowadays is a lot more than just about viruses and trojans. In fact, viruses and trojans probably aren’t a very significant part in the big picture anymore.
Consider that some of our smart devices are primarily web browsing platforms. Google’s Chrome OS, for example, is basically an operating system with a web browser. All your applications are web applications. In these sort of environment, your main threats are likely to be in the applications delivered through the web. It is probably easier to secure that single web browser system, than the traditional computer which runs too many native applications, against attacks of a “technical nature”.
The bigger danger is probably going to come from new attack vectors. Like applications within some other application ecosystem, such as Facebook applications. We need to watch out for new things.
The older attacks primarily wanted access to some computer or device that you have. New attacks, on the other hand, want access to some sort of identity or online account that you have. For example, your email account Facebook account, bank account, or credit card information. So it is not just access to physical devices that you should worry about, but also access to your identity, your account, and even just information about yourself.
Luckily I don’t have to teach kids about safe computing. I don’t know how to explain these things to children.