/* Real-Life Vs Cyberspace-Life Security */


Introduction

In this paper I am going to discuss the security differences between Real-Life and Cyberspace life. To start things off, I am going to tell you something you may not like: you CANNOT have a 100% secure system. Security is not a product like a microwave oven; it is an ongoing process. In Real-Life when you buy a new microwave, you read the manual before you stick your chicken in it. It is sad to say that many computer users nowadays sit behind their computer screen without even bothering to read the manual. Read before you start clicking on everything that moves.

Security is hard because it involves:

In Real-Life you can feel secure when you lock your home door or window. You may have a motion detector to feel more secure. You may have a guard with an M16 rifle. In cyberspace you think you are secure because most of the time you ignore the attack or you do not understand the danger. In cyberspace you think you are secure because you are running the latest BUZZ-WORD _firewall_.

In cyberspace attacks and attackers are the same, risks and targets are the same. The cyberspace world is populated with people just like Real-Life. People interact with people, people make business relationships and decisions, people build relations and friendships, they live and die like in Real-Life. Cyberspace is filled with commerce like Real-Life. The threats in cyberspace mirror the threats in Real-Life.

The major difference between Real-Life and cyberspace is this: in Real-Life you have to protect your home from any LOCAL thief or someone who can drive by your house to steal your grandma's chicken recipe; in cyberspace you have to protect your computer and data from EVERYONE in the cyberspace world. In cyberspace distances are irrelevant: someone sitting in China can access your private data located in Canada or anywhere else.

In Real-Life we have credit card fraud; cyberspace is not free from credit card fraud either. We have everything you expect from Real-Life: theft, vandalism, fraud, exploitation, voyeurism, cons, extortion, sex, marriage, divorce; these days you can even get sperm over the Internet.

Attacks in cyberspace look different from Real-Life, but the motivation and the drive are the same. The cyberspace world is a complex world, and complexity is the worst enemy of security. The more complex the software is, the less secure you should feel about it. This means today's computers and software are less secure than they were earlier.

In real life someone will go through your trash to find used clothing or something they can eat or use. The same applies to cyberspace life: they will go through your trash (the process of going through your trash is called dumpster diving) to collect information about you and your bank accounts or your health, or anything that can be used to target you in their next attack.

Today's market is driven by fancy options and _ship_we_secure_later_. The market today often advertises security as an abstraction: "This Firewall will stop all attacks." "This security product will protect your kids from the World Wide Web." Most of these vendors look at the security of a product, not of a system or a process.


Liability and Security

I think security cannot be solved by technology only. We need liability to address the carelessness of software/hardware vendors. In Real-Life if you buy a new BMW car and you take your family to visit Disneyland, you do not think about your brake system's service pack or patch. You just brake and the car must stop.

If the car did not stop and you had an accident, you would sue BMW, right? In cyberspace if you purchase a personal firewall and you get hacked because you have a firewall installed, e.g. BlackICE, you cannot sue the software maker. Why not? We should be able to sue the product vendor. We do it all the time in Real-Life, so why not in cyberspace? More information about BlackICE firewall vulnerabilities can be found by following these links:

In Real-Life if a car dealer sells you a car alarm with hidden flaws that make it easier for someone to break in, you can sue the alarm maker or the car dealer. In cyberspace if a software vendor sells you a piece of software with hidden flaws that make it easier for an attacker to steal your private data, you CANNOT sue the software vendor. Does this make sense to you? It does not make sense to me or to anyone who cares about security.

In my opinion a CEO must be liable for mishandling their clients' data. A vendor must be liable for selling a buggy product. That is why in Real-Life we have insurance, fire alarms, car alarms, etc.

Today software users have no way to hold the vendor liable for selling them a buggy product; they just wait for the next _patch_ or _service pack_ and hope everything will get fixed as if by a magic spell. Most people bite into the juicy steak offered by some nice bullshit marketing. For example, when you hear an ad about how easily you can surf the BIG BAD CYBERSPACE when you buy the UN-NAMED OS, you do not hear that you have to install a zillion patches and security fixes, and say some prayers, before you surf the cyberspace or start doing business.

Liability forces software vendors to think multiple times before releasing their new product or changing anything in an existing working product.


Liability Transfer

Users and businesses look for financial honey pots: adequate, if not effective, security for a reasonable price. You do not buy an alarm for your car because you feel more secure, do you? You buy an alarm for your car because your insurance rates go down. But you will buy a gun because you feel more secure, not because your insurance rates go down. :-)

For most people it does not make sense to spend more money to secure a computer than its original price, right? So liability may solve some of the security problems that cannot be solved by just installing that shiny firewall or by installing an anti-virus.

Decision makers in businesses like to deal with _fixed cost_ expenses. Security is a variable cost from a CEO's perspective; for this reason I think in the future we are going to see a rise in insurance businesses in cyberspace. Insurance companies transfer the risk and the liability, and that is what every CEO is looking for, because they can budget the risk.

I think in the future it will be mandatory to have security policies, processes for secure software development, processes for protection and intrusion detection, anti-virus, user education, etc., because insurance companies will be asking for them before they insure your business or your home computers. Insurance companies will push for improvements in cyberspace, just as they have done in automobile safety, banking security, fire safety, food and drug safety and others.

For example, if your network changes 4 times a year, you will be paying less for insurance if it changes only 2 times a year instead. Your insurance rates go down, and as I said before, that is what every CEO will be looking for.


User Education (Home and business users)

Right now it is Christmas time (I wish you a merry Christmas) and many people will be getting new computers as gifts. What do you think the first step the new user will take? Surely they want to see the INTERNET and they want to chat with their friends and share their pictures and music with others, right? They are not going to think about installing security patches and updates. Most of these users do not even know what the hell security patches or updates are. They think you are TOO paranoid or you are talking in Chinese.

In this digital world, user education must play a big part in security. We are not educating our kids to practice safe computing; we are not educating our home users about the dangers and what they should know before they turn the power switch on their computers. We are not educating our business users to protect their information and the company's information and data.

When someone gets hired by a company they _may_ give him a paper that describes the company policy and what the user must and must not do. Some users may read the paper before they sign it; some will just sign it and hand it over to the HR department. Many times the policy does not cover information security, or it is not well written, or some processes are missing.

If we decide to make our cyberspace secure we need to start building processes and a security framework. We need to make our cyberspace similar to Real-Life, with processes, preventive measures, detection and reaction, and forensic investigation.

In Real-Life we educate people before they buy that hot microwave; I do not see why we should not do the same in cyberspace life. We need to educate people before they jump in and use that new computer with a PLUG-N-PLAY webcam. As an example, when you go to a software store to get an anti-virus you will get some useless education from the bullshit vendor: "DO NOT FORGET TO UPDATE YOUR ANTI-VIRUS". While this is true most of the time, it makes no sense to someone who does not know what a computer virus is or what the difference is between a virus and a FLU virus. In our example the proper way of selling the poor user this HOT SHINY anti-virus should be like this: Miss/Mr. User, this anti-virus is not going to protect your computer from ALL attacks or from any FLU, but it is going to help you take one step toward protecting your computer from SOME computer viruses. The vendor should briefly explain to the user what a virus is and why he/she needs to keep his/her anti-virus up-to-date.

If you ask most people if they care about the security of their computers, what do you think the answer will be? Most of the time the answer will be "OH, I HAVE NOTHING TO CARE ABOUT IN MY COMPUTER". This statement is not true even if you use your computer just to play games. A computer can be used as a jump point; a computer can be part of many attacks even if you are using it JUST to play games. Users MUST change their thinking when it comes to computer security. In Real-Life what you see is often what you get; well, this does not apply to cyberspace. Many times what you see is not what you get. That is why we have so much SPAM and so many viruses, Trojans, worms, etc.

Many users will click the dancing monkey on that www.play_with_my_moneky_Site.com to see the dancing monkey without thinking or knowing what goes on behind that dance and the stupid monkey.

I was born in a war country; we had war for almost 20 years. When I was young they told me I should not pick up any bag or anything that could hold a bomb inside (even a watch). I was educated not to pick up or take any CANDY bar from anyone I did not know (candy bars were used to poison people at that time in my country). The same warning or education should be used when you are surfing cyberspace or running any program. Any web site can be a bomb; any program that you run can be a hidden bomb or a poisoned candy bar.

If you keep your car unlocked or you leave the windows open, they will steal your valuable stuff from that car, right? This is true in cyberspace too. When you buy a new computer it is like parking your car unlocked; you need to take the appropriate measures to close your computer's windows and doors before you drive it onto the cyberspace highways.

Users must wake up and smell the danger in cyberspace. Social engineers seek out uneducated, naive users to release their charms on. A good social engineer can get your business or private data without even using a computer. A social engineer relies on weaknesses in wetware rather than in software or hardware.

I believe that continuous user education is a _must_ for any secure environment. A well-informed user can help protect your assets; they will help in your risk management process. A well-informed user is much better than a naive user who will click anything that moves on his/her computer screen.


$SafeHack.com: rlvscyb.htm,v 1.0 2004/12/25 Adonis aKa NtWaK0 Exp $