Current State of Computer Security Awareness

Members: Terry Brugger <zow at acm dot org>

This paper is a preliminary investigation into what the state of computer security awareness among the general public is. It begins with an overview of why everyone should be concerned about computer security. Then it presents the results of an informal survey taken to determine what level of awareness various computer users of all levels had. It closes with proposals of what can be done to improve computer security awareness.

Background & Introduction

"I can't describe the look of combined fear, nausea, and bewildered horror that came over the face of a friend of mine when I explained that although he and his paramour had dutifully deleted their libidinous email exchanges, copies (oh, that word) of them still existed on the mail servers (and elsewhere) and could, theoretically, be re-sent if requested.  Requested, say, by his wife."

-Survey respondent

The subject of this paper deserves some background. I was rather excited to discover that we had an open-ended project/paper for ECS-253. My mind mulled over all the possibilities: I could add mandatory access control to OpenBSD, or create a secure-by-default Linux distribution leveraging the new POSIX 1.e-like kernel capabilities. Or maybe this was the opportunity I was looking for to do a survey of available security tools or get some experience with trusted operating systems. Perhaps I could build a user-friendly distribution for Snort or some other open source security tool. Then apathy struck.

Apathy is an interesting emotion. While it is the antithesis of excitement, it is contagious in exactly the same way. Despite the wealth of ideas I had, I couldn't escape the reality that even if I built a better mousetrap (or cracker-trap as the case may be) nobody, save for myself and maybe a few other security die-hards around the world, would use it. I would not be making a contribution to the Internet community at large; my work would have zero impact on the millions of home users who are surfing the net with no security protections to speak of. While many who implement computer security policy and mechanisms are quick to dismiss these people, usually by making an analogy such as, "People who don't lock their doors deserve what they get," I couldn't dismiss the problem so easily. Maybe I'm too much of a humanitarian. Maybe it's the fact that those people include my friends and family. Or maybe it's just the fact that electronic intrusions have the potential to be much more devastating and wide-reaching than physical intrusions, but I was left with the inescapable thought that there is a much more pressing need to address this problem than there is the need for yet another Linux distribution.

Now the only question is, "How?" It would be premature to begin prescribing solutions before the problem is well understood. In particular, are people aware of the wide ranging problems with computer security, or do they just not care? This paper begins by addressing why people should be concerned about computer security. Then we examine how aware the population is about the problems with computer security and how concerned they are about it, including the results of an informal survey. We conclude with possible solutions to improve awareness and concern for computer security.

What this paper does not address: the need for computer security in a specific system, for example the risks associated with the air traffic control system not having strong enough computer security. This paper concentrates on the risks of the general population using computers and will only touch on specific applications as they interface with the general populace. For example, the paper does not address the level of awareness that banks have for their financial computer systems; however, it will look at how aware people are of the risks involved in accessing their bank account information over the Internet.

The Problem

"For the most part my experience with security is that people know that there is risk involved but they don't really know why or where the risk is."

-Survey respondent

Before we can adequately address how concerned people are about computer security, it is instructive to explore just why they should be concerned. If there is no need for people to be concerned about computer security, then polling them to ascertain their level of concern may be of interest to sociologists, but it provides little value to computer scientists. That's not to say that it would be totally irrelevant as it would present a significant impediment to further work in the field (akin to how public concern over nuclear safety significantly reduced the amount of work that was done in that field). This section should serve to establish that there is a problem with computer security that both computer scientists and the general public can aid in solving.

We begin by looking at the problem from a wide perspective: the aspects of the problem that should concern all computer users. Then we briefly focus on issues of concern to businesses, governments (and non-profit agencies) and finally issues that impact home users. There is no specific subsection for educational users, as the risks in that environment are generally analogous to those in the commercial or government / non-profit sectors, depending on the application. We conclude the section by examining how, currently, much of the burden for securing all these various types of systems lies with the user.

It is interesting to note that in the course of this research, I discovered that there is little, if any, evidence to support many of the risks of insecure computing that are commonly cited. I will point these out as we cover them.

General

This section examines risks involving computer security that impact all computer users. In particular, we tend to be concerned with the connection of general purpose machines (such as personal computers and workstations) to globally accessible networks, such as the Internet. This is primarily because such connections pose a significant risk to all users. The discussion will not, however, be limited unnecessarily to this area.

Presenting the risks involved in general computer and network usage is by no means a novel concept. There are seemingly countless resources on the Internet that provide this information. For example, RFC2196, the Site Security Handbook, is the canonical resource on this topic. Additionally, the University of Minnesota provides this primer, which is targeted primarily at the academic user. Finally, Academic Press has this document, which is somewhat more business focused. As previously noted, this is by no means an exhaustive list. The Open Directory Project provides a much more comprehensive list.

One of the greatest risks to computer use on the Internet today is the failure to act as a good network citizen. Specifically, computer criminals use compromised machines to launch attacks against other machines. Doing so makes it harder to track down the criminal because, by the time officials (be they law enforcement, network administrators or emergency response teams) can get to the machine that the attack was launched from, the attacker is probably long gone, along with any evidence as to where they came from. This problem has existed for at least as long as any statistics on computer incidents have been kept, as it was encountered by CERT in one of the first and longest running cases they've handled. That particular case involved a group of four hackers who compromised 383 machines, most of which were subsequently used to attack other machines. This problem has been further demonstrated in recent times by the use of large numbers of compromised machines for DDoS attacks, as chronicled by Steve Gibson or as noted in this InfoWorld article. Considering this, failing to secure a computer that's connected to the Internet is roughly akin to witnessing a traffic accident and not stopping to see if everyone is all right and give a statement. Even though such an action may be perfectly legal (although some states have "Good Samaritan" laws which make such negligence illegal), it's generally poor citizenship. It would be useful to have more concrete figures in this area. In particular, for what percentage of machines that are used to attack other machines does the attacker have legitimate access (at least among those machines for which this can be determined, which is probably a minority of the machines from which attacks originate)?

This risk becomes even more problematic when we consider how heavily networked the critical infrastructure, that all industrialized nations depend on, is. We depend on this infrastructure for power, telecommunications, transportation systems, and more, as described on the NIPC website. The treasury department has an advisory bulletin which covers this system in more detail (particularly from the viewpoint of a financial institution). Now we're talking about any machine connected to the Internet being used to attack systems that people's lives depend on. To extend the above metaphor, this is roughly akin to failing to report a group of people all dressed in black cutting through the fence to get into a power substation. While they may just be trying to turn their power back on*, it is more likely that they are up to no good.

*This was written in the midst of the 2001 rolling blackouts in California.

While speculation about attacks on the critical infrastructure may be scary, it's mostly speculation†. A much more real threat from the highly networked nature of today's systems is the possibility for trust relationships to be exploited. Even if a given machine has nothing of interest to an attacker on it, if that system is used to connect to any other system that does have something of value, the attacker can exploit that connection to access the machine with value. For example, many people use their home PCs to log in to their machines at work. While their home machine may not have anything of value on it, it is more likely that the work machine will. If the attacker has installed monitoring software on the first machine (for example, something to capture keystrokes), they can use the information captured by that monitor (such as the username and password) to access the second machine. This is apparently how Microsoft's network was compromised in 2000. This InfoWorld article gives an overview of this problem, as does the aforementioned CERT case and others. It would be useful to have some concrete figures on how widespread this problem is as well. Specifically, of the compromised machines that are used to attack other machines (as noted above), what percent of those do so through a trust relationship?

†Just as this paper was being completed, a news story broke that the California ISO (which controls the power grid in California) was compromised. The implications of this for the critical infrastructure have not yet been revealed.

Another significant risk with computer use is the cost of downtime, either while being attacked or while recovering from an attack. The most striking example of this is shown in the figures from the Yankee Group in cooperation with the FBI and the RCMP, which estimate the downtime costs from the February 2000 DDoS attacks on eBay, CNN and Amazon.com to be about $1.2 Billion (this author assumes that's in US funds). In casual conversation, some have noted that those figures are based primarily on lost sales and may be vastly inflated. Others noted that the daily losses posted by Amazon.com in relation to the DDoS attacks were lower than the daily losses posted when Amazon was in full operation during the same time period. Regardless, the figures clearly show that the downtime costs associated with being attacked can be significant. Users must keep in mind that these costs are not necessarily monetary. Even home users suffer when being attacked, although those costs may be harder to quantify: for example, the cost associated with not being able to use the Internet, the time spent reloading the operating system after it's been hacked by an attacker (time that could probably be spent performing more enjoyable activities), or the cost of having schoolwork (like a paper) deleted by an attacker (keep in mind the attacker is not necessarily a faceless entity thousands of miles away; it might be a spiteful sibling or a malicious roommate).

Viruses and worms are becoming a greater burden to the Internet infrastructure. Taking advantage of well-known system insecurities and user ignorance, viruses are causing more damage in a shorter period of time [Spaf]. Furthermore, the problem is extremely widespread: 94% of sites in the CSI survey have detected viruses on their systems. [Spaf] notes that the number of viruses is increasing exponentially. This phenomenon impacts all network users as the viruses consume valuable resources such as space in mail queues or network bandwidth.

An often cited reason given for all users to secure their machines is the risk of an attacker using the compromised machine for illicit purposes (such as being used as a server for pirated software or child pornography). The reason this is cited as a serious risk is that, not only does it show poor network citizenship, but it may pose a liability problem for the person whose machine was compromised. For example, law enforcement may seize the machine as evidence, or the machine operator may be sued by a parent who is angry that their child was able to find such material on that machine. Despite this rather convincing argument, there is little evidence that this has ever actually happened. Certainly, system attackers use the machines they compromise as servers: one survey respondent, upon a direct inquiry, offered that a server at their former employer was once compromised and used to serve up hacking tools. Other than the downtime and cleanup that resulted from this incident, there were no additional costs such as lawsuits or equipment seizure. The string of incidents that most people are probably thinking of when citing this particular risk are the equipment seizures that took place during Operation Sun Devil in the early 1990s. It should be noted, though, that in all of those cases the machines that were used to serve illicit content were not compromised, but were actually publicly available servers (bulletin board systems) that were designed to openly share data between members of the public. The only question of liability or culpability in those cases was whether or not the system operator was aware that their system was being used to serve illicit material and, if they were, whether or not they did anything to stop it. Likewise, while the use of a compromised machine to serve pirated software was mentioned in the Severe Incidents category of Dr. Howard's dissertation, it was more in passing than the focus of any details.
This risk is even cited by CERT/CC as a problem, although they fail to provide any data to support how large a risk it poses. In particular, what percentage of compromised machines are used by the attacker to serve data to others, and of those, what percent are used for:

  1. hacking tools
  2. pirated software
  3. child pornography
  4. other pornography (other than perhaps a couple of explicit images on a defaced webpage)
  5. other illicit or illegal material

What is missing most from the analysis of this risk is any sort of legal evidence that it is a risk, such as a law review article that examines this risk in the context of the current criminal and civil code.

A risk that's easy to imagine is the ability of an attacker to assume the identity of a user. This may be done by compromising the user's account or just through outright forgery, such as spoofing email. This may allow the attacker to influence others in a way that's beneficial to the attacker, or just cause damage. For example, an attacker may assume the identity of a company president and send out an email to all employees to "inform" them that the company went bankrupt and they're all fired. Alternatively, private keys in a compromised account may be used to forge digital signatures, which are starting to become legally binding. This risk is detailed by Bruce Schneier. An example of its application would be to cast someone else's vote in an on-line voting system, as noted by Bishop in the RISKS Digest. While email spoofing certainly occurs, there are no statistics on how widespread it is (I am not even considering spam here). Furthermore, I could not find any evidence that an attacker ever used a compromised account to masquerade as the victim, so how widespread is that problem?

A risk that hasn't been examined in any detail, but seems obvious when mentioned, is the risk involved when people from different cultures are put together in a common environment, such as the Internet. What an American might think of as an invasion of personal privacy may be totally acceptable in another culture. A prime example of this clash of cultures is the defacements that took place in late April and early May 2001, such as this site that was defaced by Chinese crackers or this site that was defaced by American crackers. Both groups performed their acts under some misguided guise of patriotism in the aftermath of a midair collision between a U.S. and a Chinese military aircraft. Considering that both groups compromised the security of machines in order to deface the given sites, the risks involving computer security should be readily apparent.

A risk that is cyclical in nature is that users aren't aware of the risks and so don't protect themselves appropriately. As noted previously, this risk is what prompted this paper. Considering the continuing expansion of the Internet, both in terms of hosts and users, it is doubtful that all those users can possibly be made aware of security issues. I hope that this paper will spark some more research in this area (there was no preexisting research that I could find).

Besides just looking at what the risks are, it's important to note how high the risk is. 85% of sites in the CSI survey have had computer incidents in the past year. [Spaf] notes that of the remaining 15%, 12% have no way to detect if an incident has occurred (and it was speculated that the other 3% were lying). The CSI figures note that 27% of sites have no way to detect if misuse or unauthorized access to a computer system occurred. Undoubtedly the reason these numbers are so high is that system attackers can now be very unsophisticated. [Spaf] notes that anyone who can operate a web browser can use the current breed of attack tools and still be very successful.

Corporate

Companies and corporations are primarily interested in profit. As such, they typically look at return on investment (ROI) when evaluating computer security measures. Unfortunately, they have a tendency to underestimate the costs that poor security may incur. To this end, SANS has an excellent primer on what the real costs of a security compromise are for a business. To provide some hard figures as to what costs could be incurred, [Spaf] notes that losses for Internet-connected companies average $1 million per year. The CSI figures put this closer to $2 million. In fact, 64% of CSI survey respondents reported financial losses stemming from computer crime. The total losses for all sites that were able to quantify their losses amounted to $377,828,700.

Some of these computer crimes are of particular interest to businesses as they stab at the core of how most businesses operate. For example, 21 respondents in the CSI survey reported losses from financial fraud totalling $92,935,500. A much more severe threat comes from the compromise of proprietary business information, such as trade secrets. 34 respondents in the CSI survey suffered a total of $151,230,100 in losses due to compromised company information. While the image of hackers and industrial spies can be powerful, insiders may present a larger threat. As SANS notes, fewer attacks may come from insiders, but insiders can do more damage and do so at a lower risk of detection. A useful statistic that the CSI should include in their report is the percentage of attacks that could be attributed to insiders. (They detailed how many attacks came from an Internet connection, but even an insider might attack over the Internet connection, and not all outside attackers will come in via the Internet.) Furthermore, what percentage of the damage do insiders cause?

A loss that's much harder to quantify is the loss of customer trust stemming from computer incidents, as noted in the above mentioned SANS primer. Customers may well take the view that if you can't be trusted to protect your data (especially their personal information), then what can you be trusted with?

Government / non-profits

Governments and non-profit organizations are less concerned with risks that result in monetary losses than they are in the trust of their constituents (citizens for a government and supporters for a non-profit organization) and the protection of state secrets. We'll look briefly at both of these.

Governments in particular are in the onerous position of needing to heed the wishes of their citizens because citizens, generally speaking, won't simply decide to become citizens of a different country. Instead, they will take measures to change the existing government to one that better suits their wishes. This is done through any number of means ranging from electing different public officials, to protests, to outright revolution. While poor computer security has not resulted in outright revolution (although it has probably been used against governments during revolutions), it has certainly resulted in strong enough public criticism to cause changes, such as forcing the FAA to improve the security of their systems. The only time cost effectiveness (balancing the cost of security measures against the cost of not having them) will be a concern to governments and non-profits is when the constituents complain about wasted money.

One area where governments recognize the high cost of data compromise is on systems that deal with state secrets such as intelligence information, military unit movements, defensive capabilities, etc. For example the FBI is reviewing their security in the wake of charges being filed against one of their former special agents who worked in counterintelligence.

Personal / home users

People that do personal computing, particularly at home, face some risks that are similar to those previously mentioned and others that are targeted specifically towards individuals and not organizations. These risks include the disclosure of personal financial information, privacy concerns (especially with respect to harassment and cyber-stalking), and identity theft.

Many people use their computers to keep track of their personal finances, such as to balance their checkbook, do online banking or track their investment portfolios. There are significant risks in the disclosure of this information, ranging from an attacker emptying a user's bank account, to harassment from telemarketers (particularly those selling financial services) to ex-spouses suing for more alimony. While I was unable to find any conclusive evidence that compromised home machines have been used to collect financial information such as bank and credit card account numbers, current balances and security codes, the risk is readily apparent and it is likely only a matter of time before it's done on a wide enough scale to have disastrous consequences. There has, however, been a lawsuit filed against Intuit (who produces products and services for individuals to track finances) claiming that they disclosed personal financial information about the users of their website. I was unable to find any followup on this lawsuit, indicating that it was likely settled quietly out of court.

In American culture, at least, a high value is placed on personal privacy. The disclosure of information that a person considers private could place them in a compromising position (see the first quote given in this paper, which was my favourite quote from any of the survey respondents). A particularly dark side to the disclosure of private information is that it may be used by an attacker to harass or stalk a victim, both online and in the real world. Angelfire has an excellent set of pages about cyber-stalking and harassment. Another risk from disclosure is that it may be used by an attacker to blackmail the victim. An anecdotal example of this is provided in the survey responses below.

The final risk we consider may be the most dangerous: identity theft. It is frequently cited as the fastest growing form of financial crime, and its victims are left devastated both financially and emotionally. This civic.com article details exactly what identity theft is, presents some of its victims, and describes what is being done about it. While its perpetrators often attack weaknesses in government and corporate systems to gain the knowledge they need to perpetrate the theft, the crime is more closely related to the disclosure of personal financial information and private information, so I have included it here.

Burden placed on users

While we've established the risks involved with computing at various levels, we still need to establish why user awareness of these issues is important. After all, if the system designers and builders just built a secure system, these risks should be sufficiently mitigated for users, right? For the most part, perhaps, but system designers and builders today place an overwhelming burden for computer security on the user. Examples of this include password mechanisms, the difficulty of monitoring systems for attacks, and insecure-by-default configurations. We'll look briefly at each of these and others.

Until S/KEY fobs can be found in boxes of Captain Crunch or Dell starts shipping systems with thumbprint scanners right on the keyboard, the primary means of authenticating to a computer system will remain the username/password combination. Unfortunately, weak passwords have been cited as one of the biggest holes in network security. To counter this, users are encouraged or forced to use strong passwords. As users can remember only a few (at best) strong passwords, they will take measures to circumvent the password system, for example using a proper name followed by a number that could be guessed by anyone who knows the user. Alternatively, they may write the password down and stick it to their monitor or keep it in their wallet. While the practice of sticking passwords to monitors may not be very secure (unless the user works in a physically secure facility like a vault which is sealed any time they leave it), keeping the written password in a secure place such as a wallet or a safe would deter any but the most determined attacker.

Usually computer systems ship with numerous security flaws. As these flaws are discovered the vendor issues patches for them. This places the burden on the user to keep track of new patches and install them. This author would like to make a shameless plug for SafePatch (which he worked on) which reduces this burden, particularly for large networks. One thing it can't solve however is the problem of some vendor patches not being properly regression tested and introducing new problems in the systems they're installed on.

While the problems discussed so far are burdensome, it's still possible for most users to manage them given enough effort. A bigger problem is defending against and detecting intruders. Not only do users need to install firewalls and intrusion detection systems, they must maintain and monitor them. Doing so is both time consuming and difficult for anyone to understand without at least a working knowledge of network protocols. As if that wasn't bad enough, as noted by Daniel Albano in this Information Technology article, there's really no way for users to determine whether their system has been compromised or whether the activity they're seeing is just due to a failed component. Without strong network auditing, there's no way for even an experienced computer user to tell the difference between a Ping of Death and yet another random Windows failure. Finally, even if someone recognizes that they are the subject of a computer attack (perhaps by rather overt means, like having their webpage defaced), most people (especially home users) have no idea how to respond to the incident. SANS provides a guide on the matter that is "44 pages long [and] describes 90 actions in thirty-one steps in six phases." They even provide a short list of 10 steps to follow when responding to an attack. While something of this depth is certainly useful to the professional system administrator (which is SANS's target audience), even the short 10 step list demonstrates how ill-equipped almost any collateral system administrator or home user is going to be when responding to attacks.

Most computer systems, such as Linux or Solaris, are insecure by default. They come with numerous network services enabled, privileged programs that the user doesn't need, and weak security settings. There are only a small number of operating systems, such as OpenBSD, which make an effort to be secure by default. Granted, by doing so they place a burden on the user to turn on and configure what they need, but in doing so the user is forced to know how their system is configured, unlike the insecure-by-default systems, which leave even security-conscious users wondering what will break if they turn off some service they're not familiar with.

A similar problem is that only insecure protocols (like plaintext SNM, telnet & FTP) are supported by default on most systems. Users must exert extra effort, and frequently extra money, for secure alternatives such as PGP and SSH. As noted by the OpenBSD team, this is most likely due to the export restrictions on cryptography software in the United States (where most systems are produced). Furthermore, due to network effects, there is an internalized value placed on the existing protocols, and hence resistance to adopt new ones.

Another reason that users resist securing their systems and implementing more secure protocols is that these security mechanisms are difficult to understand and use [Whitten]. Two examples from the author's recent experience are PGP and SSH2. With PGP, the author apparently configured and used it correctly to send digitally signed messages (PGP reported no errors and the author was able to authenticate his and other people's messages correctly). Despite this, numerous email recipients (including Network Solutions) report that they cannot authenticate messages that I send (even after verifying they have my correct public key). Similarly, in a recent conversion from SSH1 to SSH2, DHA authentication failed to operate correctly. That problem was resolved only after the author and two excellent system administrators spent over two hours locating the one option that allowed the DHA authentication to work. If the author and other extremely knowledgeable users have problems using these secure mechanisms, the burden of using them must seem impossible to the average computer user.

Finally, even if someone is interested in securing their computer system, it's difficult for users to separate the hype generated by companies and the media from the reality of a given situation. This makes doing a realistic risk assessment or selection of a tool to protect against a given risk difficult. This ZDNet article is an excellent example of this phenomenon. Another is this article at the Register which explains the debate between Steve Gibson and NetworkICE, which should surely be enough to confuse consumers. Other than this anecdotal evidence, I could not find a good general reference to this problem. This would most likely be a good topic for further research.

The state

"Most companies I've worked for consider security a secondary consideration to the implementation of new software systems. With the exception of large corporations who have a separate security group responsible for producing and enforcing security guidelines at a corporate level, most companies implement little to no security measures."

-Survey respondent

Methods

The survey was conducted in an informal manner. Specifically, the author sent an email message to all of his friends and family for whom he had email addresses. The email requested responses in an open-ended manner, specifically:

These statements and stories can deal with any aspect of computer security, ranging from disclosure of your privacy information (like credit card numbers, SSN, bank accounts), hackers (or crackers/script kiddies if you prefer) taking over your machine or other machines on the Internet, denial of service attacks (like the ones that hit eBay and Yahoo last year), or anything else you can think of. Generally speaking, I'm looking for anecdotal information on 1) what people know about computer and information technology misuse, 2) what they know they can do to prevent it and 3) what they actually do.

The message did contain examples which may have skewed the results such as, "I've never bothered to install the 128-bit version of IE because I'm lazy," or "I can't get my friends to use PGP." We see that a fair number of respondents commented on both of these technologies.

The survey group contained people of all levels of computer experience, from virtually none (uses WebTV to access the Internet) to others with significant education pertaining to the Computer Sciences (including a math Ph.D. and CS students who graduated with honors) who now work in the field with significant exposure to computer security issues. It is relevant to note that many of the author's friends with whom he has kept in contact via email have pursued scientific or engineering careers (as opposed to those who didn't pursue technical careers and tend not to have email or do not check it), so those members of the survey group have probably had more exposure to computer security issues than most members of the general public have had.

Some in-person follow-up was conducted with three members of the survey group. I have indicated where the information expressed by the respondent was in response to a direct query.

In the event that multiple members of the same household expressed information that was applicable to the entire household (for example, the presence of a firewall on their PC), I only recorded a single response.

As the survey was free form, the results are as well. The categorization and order given are based solely on what seemed logical to the author. As such, the presentation of the results may reflect the author's bias. The author has, however, refrained from explicitly inserting his own viewpoint into the results.

Results

The survey request was sent to 57 people. Of those 18 responded, representing a 32% response rate. This number is probably significantly higher than the expected response rate due to the personal relationship between the author and the survey respondents.

As the survey was open ended, there was no preset structure to categorize the data collected. Instead, I have collected all the relevant points in the responses and attempted to group similar responses together logically. In doing so, I saw four general themes among the data items: those that were general overviews in nature, those that dealt with perceived risks, the means by which people attempt to protect themselves, and anecdotes about computer security incidents. While most of the data points fell clearly into one area, there were still a significant number that eluded a single classification. I have placed these items in the category that seems to suit them best and referenced them from other relevant categories. We will now look at each of the four categories in turn.

Overview

Respondents provided a great deal of information about computer security that was broad in nature. The call for information requested that respondents state their perceived level of computer security knowledge. Additionally, many people were quick to offer their opinions on what the origins of the computer security problem were. There were also many statements made that were general in nature. Finally, there were numerous anecdotes about computers in the workplace; for lack of a better categorization, those are discussed here as well.

Claimed computer security knowledge

The call for help sent out by this author requested that respondents state their general level of computer security knowledge on a scale of, "virtually nonexistent to at least as good as mine." Generally, people were quick to state if they had virtually no computer security knowledge. As the level of security knowledge increased (as demonstrated by the quality of their responses), fewer people made any claim as to their level of knowledge, or they were modest in their responses. I have attempted to map out the 5 claimed responses on a scale of 1 to 10 as follows:

Considering that there were respondents who had active knowledge of SSL hardware devices who rated their level of security knowledge as "virtually non-existent" (which I mapped to a 2), there was apparently a discrepancy between their claimed knowledge and their actual knowledge. I assigned a rating to each respondent as follows:

When I first decided to chart this information, I expected to get something a bit closer to a bell curve. The results are obviously subjective though. In particular, I included knowledge about what the risks were in my assignment of scores. If users did not consider knowledge of risks as part of computer security, this may serve to explain the discrepancy between the user's claimed knowledge and what they demonstrated. The spike at the end of the estimated knowledge chart is also worth noting: four of the respondents demonstrated a level of security knowledge that could be expected from a computer security professional (indeed, one of those works for a consulting firm where their tasks include computer security considerations). Another reason why respondents may have been modest in their self-assessments or failed to claim any particular level of knowledge may also be because as they understand more about computer security they get a better idea of just how much they don't know. Finally, it should be noted that as the author personally knows all of the survey respondents (which obviously may skew any subjective assessment), generally the respondents demonstrated a higher level of computer security knowledge than the author would have previously given them credit for.

See also the section on Encryption for an interesting discrepancy between knowledge and encryption use.

Origins of problem

Many respondents were quick to provide their opinions on what the underlying causes of security problems were, ranging from blasting attacks on computer professionals in general to the usual suspects like difficult-to-administer systems. I refer to these as opinions or beliefs only because none of the respondents provided evidence to support their viewpoints (the first section of this paper does provide evidence to support at least some of the viewpoints). What was interesting about these responses in general is that each respondent tended to latch onto one particular cause, as if it were the root of the problem or at least the primary cause. We will present all of these responses along with some views from Gene Spafford.

The most popular reason cited by respondents (two of them) as to the reason for computer security problems was closed source software. Both expressed the belief that by making the source open for public review, systems would become more secure. I had the opportunity to ask another respondent (an average user without any code development experience) what they thought about that view and they expressed the belief that if more people have access to the source code, "only the wrong people will screw with it."

The widest sweeping statement about the origin of the computer security problem came from one respondent who expressed the belief that the root of computer security problems (and most computer problems in general) was that most computer users work from a faulty knowledge base. What little people know about computers isn't based in fact but rather in folklore and hearsay. The few people that actually understand anything about computers only understand thin slivers of the systems and virtually nothing about the rest. The respondent implied that the consequences of this on computer security should be apparent.

Another respondent expressed a similar view in that the issue is much deeper than just awareness about computer security considering that many (or even most) computer users are clueless about the use of computers period. This was supported by an anecdote about a friend who worked in a technical support type position and got a call one day from an older gentleman who needed to know where the "any" key was.

One respondent believes that a great deal of the problem comes from poor patching practices: both the generation of timely patches from vendors and failure of users to apply them (noted with particular regard to Unix). Curious about this, I directly questioned another survey respondent (an average computer user with no formal computer education) if they installed security patches. Their response was, "What's a security patch?"

To wrap up the responses from the survey, one user expressed the belief that there is a need to make system administration easier, especially those tasks that are necessary to secure the system.

At the same time as I was collecting survey responses I saw a presentation from Gene Spafford [Spaf] where he noted a couple of causes for poor computer security in today's systems. While I am hesitant to mix these in with the survey responses, they fit in perfectly with this section and they're interesting to contrast with the reasons provided by the survey respondents, in that the points made by Spafford and the respondents were completely disjoint. The two reasons he cited were that "Users want features, not security," and that users want control over their desktops. Environments which centralize the administration of machines or otherwise require the user to relinquish their administrative control over the system are not popular with users. Instead, users want to have free rein on their system, for example to run new games downloaded from the Internet. This is especially true of knowledge workers whose expertise is at a premium, because management won't put their foot down out of fear of losing these employees.

General Awareness

Many of the comments were general statements made about computer security, ranging from its non-existence, to the role of trust, to the importance of a balanced security plan in consideration of all the risks. All of those responses are presented here.

One respondent was extremely pessimistic: they expressed the belief that there was no such thing as computer security and expressed that most systems could be compromised by a grade school student.

Another respondent placed a strong emphasis on an analogy between computing and sex (and the need to participate in safe practices for both). While true, the manner of the response was not serious by any measure. It seemed to demonstrate that while someone may be very aware of computer security issues, they weren't very concerned about them.

Another respondent addressed this point directly. While they claimed to "care about security a great deal," they also noted that there was a need to balance the level of security with the amount of effort required to achieve that security because there were more important things in life, like spending time with their family. Interestingly, this same respondent noted that they reported all abuse directed at their systems in the belief that all computer criminals will get caught. I asked another respondent what they thought the chances of a computer criminal getting caught was and they expressed that the chance was in direct proportion to the frequency & seriousness of the crime. This second respondent also noted a need for more law enforcement trained in dealing with computer crime.

One respondent suggested that the weakest link in computer security came from the human element. They implied that the most successful attacks were from social engineering. On a similar note, another respondent expressed that trust was an important element in computer security. They didn't seem to be talking about trust between two parties though, they suggested that you should never trust the computer itself, probably in reference to the problem of many people placing implicit trust in anything generated by a computer.

Finally, one respondent expressed the need for a balanced computer security plan. They supported this with an anecdote about a former workplace where the President of the company demanded that the server be secured against electronic attackers at all costs to prevent the compromise of their critical business information. Upon investigation the respondent found that the server was located right next to a set of French doors with a flimsy burglar alarm. They continued:

I later discovered that the petty cash in the building was better protected physically than the main server. And yet what was the Prez up in arms about? Viruses, hackers and spies. I admit that they are more glamorous but the simple fact was that the company's computer system was more at risk from burglary than electronic invasion.

Computers in the workplace

There were numerous anecdotes provided about computers in the workplace. Most of those are included in the sections on Privacy, Host based protections and Incidents, below. There was one anecdote that demonstrates a much more general viewpoint about computer security in the workplace that we look at here.

Two respondents expressed the belief that most problems with computer security on the corporate level stemmed from either a cost versus resource issue or the failure of management to understand the risks. One of the respondents provided this anecdote that demonstrates the problem: at one NASA site, a system administrator installed a hardware-based SSL encryption module on one of the servers because one of the programs using that server required & paid for it. Another program that also used the server called for a work stoppage until a review of the requirements of the system was completed because the original system requirements didn't call for any type of encryption or other data protection. The respondent expressed that they thought since they got the SSL encryption for free (because the other program paid for it) and it corrected an oversight in the existing system (which they thought was in need of much better data protection), it could only be a win-win situation. However, the lack of data protection in the requirements combined with the work stoppage demonstrated that management didn't understand the risks involved.

Perceived risks

While the survey never asked people explicitly what they thought the risks in computing were, it did ask for information on what people knew about the misuse of computer and information technology. The fact that many responded with concerns about specific risks demonstrates that the surveyed body generally has an appreciable level of awareness about computer security in general. These could, for the most part, be classified into financial risks, privacy concerns and concern over viruses. We'll look at each of these and at concern over two specific issues in turn.

Financial risk

For whatever reason, people seem to have a firm grasp on risk whenever their money is involved. What exactly they understand about that risk and how they react to it can vary widely. Generally, most of the respondents expressed views on credit card use over the Internet and thoughts about personal financial software.

There were a variety of viewpoints on the use of credit cards over the Internet. One respondent expressed that they never use credit cards over the Internet. They believed that if they couldn't pay for it by check or buy it in person, then they don't want it. Three respondents were more comfortable using credit cards to make purchases over the net. One of those noted that there's always a risk when paying for something by credit card, and the risk of using the credit card online is no greater than it is using the credit card in person. Another respondent expressed the belief that, as long as SSL was employed, there's no risk in sending credit card numbers over the network; instead the risk lies in how those credit card numbers are stored on the server at the merchant's end.

Two users expressed awareness (although not necessarily concern) of the risks of doing personal finances (including on-line banking and using personal financial software) on the computer. One of them noted that they had not configured Quicken to automatically download account information from their online banking service. This was partially out of concern that it might be compromised, but more so out of concern for the integrity of the data (errors may propagate without getting caught). One respondent noted that they chose their primary bank based in part on its high rating for security (particularly computer security).

Privacy

Another hot topic was privacy. In particular, most of these users were concerned about the tracking and monitoring being performed by both the government and private industry, while one respondent provided a more tempered viewpoint.

Two respondents expressed concern that the U.S. Government was engaged in illicit tracking of computer users' web surfing habits. One cited the CBS News article that brought this to their attention. Another respondent who works for the U.S. Government noted that it was made clear to them that their activities in the workplace were being monitored. One respondent was more concerned about the illicit tracking that was being done by commercial entities, such as tracking your spending habits. When I asked one respondent directly what they thought about cookies, they stated that they have to clean out their cookie cache periodically or their browser stops working (Author's note: Hmm, I don't think they're being tracked. . .)

One respondent indicated that access to personal, sensitive data was extremely easy to obtain as it's almost entirely available in the public domain (in DMV records for example). Hence there was really no additional risk in storing it on their machine. They indicated that in general they don't feel threatened.

Viruses

In the wake of the ILOVEYOU and AnnaKournikova viruses (or worms if you prefer, I won't make the distinction here), I expected that many people would be concerned about the risks from these attacks. Interestingly, only one respondent expressed this concern, but it was the first thing they mentioned. They noted that to combat viruses they use an anti-virus tool and that they verify that it's being automatically updated on a regular basis.

Other specific risks

Two other specific risks were cited by respondents that aren't easily classified elsewhere, so they've been lumped together here. The first one was a concern expressed by one respondent that most sites configure their databases with poor security, such as weak passwords and the tendency to grant all privileges to all users. The second concern was expressed by another user that someone might take over their machine to use it for their own purposes (they implied that these purposes would be illicit).

Protections

Given the concern that people expressed, especially for the above risks, we now look at what they're doing to protect themselves. In general, comments on protection mechanisms could be categorized into host-based protections, network-based protections, password usage and encryption usage. We'll now look at each of these.

Protecting their machines

The most frequently cited way that people are protecting their computers is through the use of personal, host based firewall products. Specifically, 5 of the respondents cited the use of one of these products. Another respondent expressed the belief that their cable modem service provider was providing firewalling for their host, although they were considering the purchase of a personal firewall to provide additional protection. Two other respondents expressed that they had considered obtaining a personal firewall, but they found the products to be difficult to understand or frustrating to use. One of the respondents who uses a personal firewall expressed their concern that many personal firewalls don't block outgoing connections that may contain personal information they didn't consent to disclose. They noted that this property was key when they selected the firewall that they use.

Other methods to protect machines include shutting the machine down when it's not in use, which two respondents claim they do. One respondent noted that they are prohibited from installing their own software on their machines at work, apparently to prevent the machines from becoming infected with viruses or Trojan horses.

The sections on viruses (above) and incidents (below) both provide additional data on host based protections that people have implemented.

Protecting networks and Internet usage

Fewer people expressed that any protections had been put in place to make what goes out over their wires any safer. This is likely because most users don't perceive the two to be separate, especially if their physical network consists of one wire between the wall jack or modem and their computer. One respondent did however note that they have started to make a conscious effort to be more careful about what sites they go to and what information they give in forms on websites. Their impetus for this was apparently to curb the amount of spam they receive. The one respondent who did bring up physical networks noted that they implemented a separate physical network for their coworkers who telecommuted, through the use of private DSL connections. They did this because they felt it was safer than allowing each of the telecommuters to connect to their VPN on top of the telecommuter's wide open Internet connection.

Passwords

Four of the respondents recognized the need for strong passwords and proper password protection. Two of those people noted that most systems don't enforce, or even allow, strong passwords. One of those respondents went on to note that if strong passwords are enforced at a site, they're only used for access to the network services (and not stand-alone hosts or databases), and even when strong passwords are used, they are typically written down and left in an insecure place. Upon a direct inquiry, one respondent revealed that they use a minimal set of weak passwords and all those are stored in a program called Gator (which apparently stores the user's passwords and other personal information on a remote server that's controlled by the company that produces Gator).

Encryption

The comments from respondents concerning encryption focused on encryption of web connections and email messages. Two respondents noted the dangers of plaintext network traffic separate from any particular protocol.

One of the most interesting replies to the survey came from one respondent who claimed to be "basically computer illiterate". The only knowledge they had about computer security was that they installed the 128-bit version of their web browser. Another respondent who has moderate computer knowledge also downloaded the 128-bit encryption just because they understood that it "is much better than 32 or 64-bit encryption." Interested in this, I made a direct inquiry to another respondent who also has moderate computer knowledge. They indicated that they had no idea what 128 bit encryption was in a web browser. I find this discrepancy interesting and worth further investigation.

Email encryption was another hot topic. Four respondents expressed their knowledge about plaintext email and of those, two had tried to use PGP, but were unable to get it to work (see the author's experience, above). Another respondent in response to a direct inquiry indicated that they had no idea that email was as secure as a postcard (their tone indicated that this fact surprised them).

Incidents

or, When protections fail

The book of computer security usually ends up reading like a Shakespearean tragedy. Of our 18 respondents, 4 provided anecdotes about computer incidents. While this number may seem low compared to the CSI's cited number of 85%, note that all of the following either happened in the workplace or as the result of the victim's employ, implying that workplaces are either where most computer incidents take place or at least where they're detected.

Our first story comes from a teacher. They reported that they believed a student of theirs broke into their machine to steal exam material. They were unable to produce any conclusive proof for a formal allegation due to the lack of cooperation from the ISP where the attack appeared to come from. Once they installed a firewall and started storing all school materials off-line, the student's grade suffered for a time (presumably until the student started studying).

Another respondent noted that they believed one of the biggest issues with computer security was the misuse of computers in the workplace, specifically the problems with employees violating policies dealing with incidental personal use. For example, a friend of the respondent is a state employee in a state that bans its employees from using the Internet for any type of personal use. One day the friend left their office for a break, leaving the computer unprotected (no password lock or anything of the sort). When the friend returned they discovered that someone had used the machine in their absence and it had frozen before the perpetrator could return the computer to the state that the victim left it in. Investigation indicated that the computer was used to forward humorous email messages to friends of the perpetrator. The friend did not report the incident because they were afraid of disciplinary action resulting from their receipt of the humorous email in the first place.

Another respondent who deals with sensitive financial information on their computer at work found that someone in the company had tried to access the accounting files on their machine before the computer froze up on them. While a password protected screen saver was installed to prevent future incidents, the respondent recognizes that rebooting the machine easily circumvents the password protection.

One respondent noted that a coworker's attitude changed significantly immediately following the compromise of their home system, which they used for telecommuting. The respondent believed that the attacker was using information gathered in the attack to blackmail the employee. The employee subsequently left the company. The respondent noted that there were indications that either the attacker was a knowledgeable outsider to the company (such as a competitor, customer or business partner), or that the employee was being blackmailed due to some improper relationship with such an outsider.

Possible solutions

"If people can't figure out how to change a flat tire, how do you expect them to be able to understand computer security?"

-Survey respondent

While the survey results demonstrate that there are a significant number of people who are aware of computer security issues (at least within the group of respondents), there were still a significant number that weren't or were aware of only certain limited aspects of computer security. We will now briefly examine what can be done to increase awareness and knowledge of computer security. The solutions we look at are ignorance, educational, legal and technical.

Ignorance

The solution of not implementing a solution is based on the adage, "If we ignore it, maybe it'll go away." While that might work for bears, I'm reminded of a Saturday Night Live sketch: "The Bear! How'd it get there?!?" This sentiment sounds very similar to some computer administrators and programmers: "The Security Bug! How'd it get there?!?" While I originally included this for completeness sake (so that all possible general solutions could be presented), it turns out that there are significant arguments both ways for this "solution". We'll start by looking at the pros, then we'll look at the better supported con argument.

There are three considerations for why ignorance might be the best approach. The first is that, given time, today's kids and young adults, who appear to have a superior understanding of computer security (compared to their elders) will eventually represent the majority of network users, administrators and managers, at which time much more sound computer security policies will be made and practices will be followed. Unfortunately, by the nature of this hypothesis, there's no evidence to support this.

The second pro consideration is that the Internet is still very new: it's been used for commercial interests for less than 10 years so far. Given time, it should sort itself out.

The final pro argument was provided by a survey recipient who noted that even if people knew the risks, they wouldn't change their behaviors because habits are too hard to break. The respondent cited the inability of smokers and other drug users to quit as the canonical example of this phenomenon. They thought the correct solution was more technical, in that the security mechanisms must be easier to use than the non-secure ones.

The counterpoint to the first argument is that with today's kids growing up in a world where computer insecurities are the norm, they'll just come to expect that computers are insecure and they won't try to change that.

The counterpoint to the second pro argument is that instead of improving over time, the SecurityFocus vulnerability statistics indicate that the number of vulnerabilities in commonly used Internet servers is only increasing. In other words, security is getting worse over time.

The final con argument is not a counterpoint, rather it's a simple observation that ignoring computer security problems in the hope they'll go away is noted by SANS as being one of the worst mistakes that managers make when dealing with computer security.

Educational

The most promising route to improve computer security awareness would seem to be educational. This may happen through the school of hard knocks, a more formal education, on the job training, mass media or a grass-roots movement.

Learning the hard way

The first educational method is learning it the hard way, also known as the school of hard knocks. The premise of this approach is that any company or individual that suffers significant losses (most likely monetary) due to poor computer security isn't likely to make the same mistake twice. The anecdote above from the respondent whose coworker was possibly blackmailed comes from the same respondent who implemented the physically separate network for all telecommuting employees. Even though that network cost tens of thousands of dollars, the respondent's manager had no trouble approving it after the incident.

Formal Education

Formal education can take place at numerous levels. While I had originally only considered computer security education at the secondary school and collegiate levels, survey respondents suggested that grade school and post-graduate classes would also be effective, so we'll look at all four.

Grade school

The respondent who originally proposed teaching computer security to grade school students thought that it would be effective because young children have a much easier time picking up abstract concepts, such as those associated with computing. Once the children learn how to secure their computers, they can pass this knowledge on to their parents, as this is already how many parents learn everything they know about computers. While the aspect about the children teaching their parents computer security hasn't been established, teaching computer security (with a particular emphasis on ethics) to children as young as the third grade is already being done by Louis M. Numkin. While there is no quantitative measure of the effectiveness of this program, he was able to engage the classes to produce posters about computer ethics. Further circumstantial evidence is provided by this Intel whitepaper that addresses computer security in schools. It notes that one of the risks in such an environment is the students (who are clever and inquisitive), implying that computer security (or ethics) education even at their young age is necessary.

Secondary education

Many people receive their only formal computer education at the secondary school level. Considering this, that seems like an ideal time to make them aware of computer security issues. This fact has been recognized by the U.S. Critical Infrastructure Assurance Office, which is creating a high school outreach plan. As it has not been implemented yet, its effectiveness has not yet been determined.

Collegiate education

While the ability to reach students in a similar manner to secondary school students (particularly through mandatory classes) continues at the collegiate level, two new aspects arise that may be particularly beneficial. First, the computing needs of students rise, and those students are typically more dependent on the school for their computing needs (hence, enforcement of the school's security policy can help the students develop good security habits). The second aspect is the matriculation of professionals who will be working in the various computing fields. It is vitally important that we reach this latter class not only because they will use computers significantly more than the general populace, but because they are the ones who will be guiding site security policies and implementing systems with security implications in the future. From the author's personal experience: I received my B.S. in Computer Science from Purdue in 1997. During my 4 years there I was never required to take any classes on software security or reliability, despite the fact that Purdue is home to the COAST lab (now CERIAS); in fact, Purdue's class offerings for undergraduates in those areas at the time were rather slim. Everything I learned about computer security and secure programming practices was outside any of my courses. If my experience is typical of someone who went to one of the premier schools for computer security, is it really any wonder that the world is still plagued with buffer overflow bugs?

Post-graduate education

One respondent wanted to take a class on better (including safer) Internet usage at the local community college. Unfortunately, they discovered that all of the classes offered are either too simple ("Here's how to use a mouse. . .") or too advanced ("and that dereferences the array. . ."). The respondent is considering paying a local computer shop $40 - $50 per hour for customized training.

On the job training

Considering that it appears that businesses and the government have the most to lose from being connected to the Internet, it makes sense that they should make the biggest effort to train their employees on computer security issues. It appears that this is actually the case, considering that there are companies devoted solely to this market, such as Security Awareness, Inc. SANS has a write-up on what a good computer security awareness course could or should cover. As with all the other methods, there seemed to be a lack of any hard data on the effectiveness of these classes, although given their wide deployment I would propose that data on how much these programs improve security at a given site should be much easier to collect (the main problem with this approach is that sites probably don't start keeping good figures on security incidents until after such training is completed).

Mass-media

Perhaps the most effective way to reach the widest possible audience at once is through the use of mass media, such as newspapers, radio, television and popular web sites. This may be done either through public service announcements or through news reporting. I had not originally considered including the web because there's already a wealth of computer security information there that most people never see. Then one of the survey respondents noted that if something that seemed to be important (such as some sort of computer security announcement) appeared on their browser's home page (such as msn.com or netscape.com), they were inclined to read it. This approach may be particularly effective because it's directed at the target audience: users connected to the Internet (especially those who don't change the home page in their browser).

The first approach that can utilize the mass media is public service announcements. It seems that the most effective way to leverage this medium is through a scare campaign. If we paint a worst case scenario, people will probably respond. I envision something like the ad campaigns for traveler's cheques: "Help! I'm in a foreign country and somebody stole my wallet with all my cash in it!" In discussions with survey respondents and others, some specific ideas have emerged (both of which are video centric):

  1. Start with an image of a nice desk with someone's credit cards, cash, stocks, SSN card, passport, personal mail, bills, jewelry, cell phone, etc on it. Start to pan out to show the desk in a nice home office. The pan continues to show a nice middle American home with a manicured lawn and a white picket fence, all bright and cheery. The pan continues out to show everything beyond, all dark and dirty - a stereotypical ghetto or urban wasteland type scene with run down apartment buildings, burning cars, gun shots in the distance, etc. Then the trusty sounding voice over: "Welcome to the Internet. Hope you have good locks."
  2. Show a computer at home all alone, HD light blinking. The voice over asks, "It's seven o'clock, do you know where your computer has been?" Cut to a German guy in his 20's who's dressed in black jeans and a black turtleneck in a dank, under-furnished room with a computer in the background. He says in German with subtitles, "I do." Repeat with two other people of other nationalities, for example Russian, Israeli and/or Chinese. I single out these countries not to demean them, but because they're excellent examples of countries that are well "wired", have a significant population of technically excellent people and whose culture is foreign enough to America as to represent a threat to the average American. Even in today's world economy, people still retain a strong national sentiment, with a fear of that which seems foreign. This campaign would play right off that fear. Likewise, if this ad were targeted towards an audience in one of those countries, it could use the image of an American hacker.

Obviously this approach would be expensive, especially if we want the spots to look professionally done and get them aired during prime-time programming. The funds to do this could come from either the public sector (such as the National Ad Council) or through private sector sponsorship (if NAI can afford a stadium, they should be able to afford a public awareness campaign that should cause a rather quick increase in their sales).

The other way that mass media can be leveraged is through more coverage of computer security issues by the popular press. The effectiveness of this approach was demonstrated by one survey respondent (who is a rather non-technical person), whose entire response consisted of their concern over the use of cookies for illicit monitoring purposes. This concern was raised by a CBS News article printed approximately three weeks before the survey response was sent. Similarly, there was a flap in the popular press (as reported on CNN and numerous web sites, such as this CNet article) in late March of this year in response to a report from the Privacy Foundation about privacy concerns over the use of the TiVo personal television service. In actuality, the Privacy Foundation's report didn't contain anything that wasn't already disclosed on TiVo's website, but for any number of reasons (the story seemed sensational, the Privacy Foundation has an excellent press office, or it was just a slow news day) the story got a lot of press coverage.

Grass roots movement

The last method we look at to educate computer users on issues surrounding computer security is other computer users. Instead of setting a computer security curriculum in place in schools everywhere, we convince all our friends, family members & coworkers of the importance of computer security and what they can do to protect themselves. In the process we should be able to convince some of them to do the same and start a chain reaction. We can try to enlist the help of ISPs by getting them to mail computer security awareness brochures to all new customers and by convincing them to implement better upstream controls, such as ingress and egress filtering.

[Spaf] has a list of what end-users can do to improve computer security in general:

  1. Demand assurance, not features
  2. Use a greater diversity of systems
  3. Consider security from the start
  4. Understand and follow policy (or fix it if it's poor)
  5. Consider the uses of technology: don't do something just because we can.

Legal

There has been much speculation that the most effective solution to poor computer security may come from legal channels, for example culpable negligence lawsuits or more laws regulating software engineering or computer use. We will look at each of these along with why they will probably not be effective and also look at current legal positioning and how it's not helping (and may even be counter productive to solving) the problem.

Numerous sources have hypothesized that a site whose unsecured machines are used to attack other machines may be liable for culpable negligence. It is even mentioned in passing in RFC2196, the Site Security Handbook. Despite this, this author was unable to find any evidence that this has ever been attempted, or even that it's a legally sound position (that is to say, I couldn't find any legal sources such as a law review article that supported this position). There is even circumstantial evidence to the contrary: the February 2000 DDoS attacks (which were performed from machines that weren't properly secured) reportedly caused more than US$1 Billion in damage, and one would think that the victims would have taken action against at least some of the larger sites where the attacks originated from (such as a couple of the University of California campuses), if not for restitution for damages, then at least to see that those sites took steps to prevent the same from happening again.

Another possible legal channel is the creation of laws that require stricter software engineering, particularly for security. These laws would probably not detail the construction of software any more than laws detail exactly how bridges should be built. Instead they would likely set forth requirements that software development projects (at least for any software whose safety and security is in the general public interest, for example general purpose operating systems) be led by a licensed professional, such as a Professional Engineer. Indeed, some jurisdictions such as Texas and Canada have already begun licensing professional software engineers. Other jurisdictions have been slow to adopt formal licensing of software engineers (some have been waiting for professional groups such as ACM and IEEE-CS to develop more formal engineering guidelines). Instead they've been relying on the development of life critical systems being led by someone who is "criminally liable unto themselves", which may be a PE, a doctor, or someone else who is recognized as an expert in their field. The key phrase there is "life critical", meaning there's no criminal liability just because they build a system that allows an attacker to break in and empty your bank account. However, given the increasing dependence of our critical infrastructure and military defense systems on commercial software, this caveat doesn't seem to be overly limiting. Even in the absence of criminal liability, there is a growing corpus of lawsuits over computer problems, most of which are breach of contract type suits (such as when a computer system doesn't perform as specified in the contract). Given this, one possible remedy would be to make the desired level of security a line item on any contract to acquire a computer system.

Something that this author has not seen proposed elsewhere is the idea of using laws to regulate computer use. This would certainly not be a popular idea in the land of the free, as it would probably be seen as the work of an authoritarian government, similar to Chinese laws. Instead what I'm proposing is something like a driver's license. I don't care for this metaphor very much, but it seems very apropos: you should have a license before driving on the Information Superhighway. A law that required anyone connecting to the Internet to pass a simple 20-question written exam (which would include items about computer security) would go a long way towards improving computer security awareness. I don't think this would be too effective though, simply because there would be too much resistance to such laws being passed in the first place (and rightly so, in this author's opinion).

While it's interesting to speculate on laws that will improve security, the current trend is towards laws that are counterproductive to computer security, like UCITA and the DMCA. These laws reduce any incentive (for example, avoiding lawsuits) manufacturers have to produce systems without security flaws, and they make legitimate reverse engineering of systems for the purpose of protecting oneself or doing security research illegal [Spaf]. This author can't help but make the observation that when reverse engineering is criminal, only the criminals will reverse engineer.

Finally, some people might think that the easy solution is just to pass more laws against unauthorized computer use. Unfortunately, this will do little to help, as law enforcement is not equipped to handle the high volume of computer crime that's being reported already, much less any more. Instead, we need more informed users and fewer security bugs in the software we use.

Technical

This section is somewhat contradictory, since we're talking about the failure of users to be aware of computer security issues and defend themselves appropriately. However, much of this problem (as detailed in section 1 above) comes from the failure of the system developers to produce systems that are secure by default and easy for the user to maintain in a secure state. Much of the burden that's currently placed on users is due to technological shortcomings. Considering that computer scientists and engineers tend to be more aware of the computer security problem, these solutions may well be the ones that are most likely to get implemented. Since we've already discussed most of these in the Problem section above, I'll just present these recommendations in laundry list fashion.

  1. Use better software engineering practices to eliminate and prevent the reintroduction of common security flaws such as buffer overflows. This is the approach taken by OpenBSD which claims, "Four years without a remote hole in the default install!" This should also reduce the burden on users to patch their systems. Additionally, it should improve the reliability of the systems allowing the user to more easily correlate irregular system behavior with an intrusion.
  2. Include replacements for insecure protocols with ones that were designed with security in mind (for example IPv6). Make the transition between the two simple.
  3. Make the default install of a system secure and make the user only turn on what they need.
  4. Build systems such that they're easier to recover from attacks (or other incidents that produce downtime).
  5. Make strong authentication easier, most likely through the use of authentication tokens such as one time password devices or USB keys.
  6. Include the ability to detect and respond to malicious use on systems by default, make it easy enough for an adult to use, and make it hard for them to do the wrong thing (like allow a malicious connection).
  7. Make existing security mechanisms easier to use.

Conclusions and future directions

This paper has looked at why everyone should be concerned about computer security, the results of an informal survey about the general awareness surrounding computer security issues and possible ways to improve computer security awareness.

Many of the reasons for securing systems are based on speculation and a small body of anecdotal evidence. This fact lends credence to the origin of the problem being rooted in a faulty knowledge base, as cited by one respondent. Additional research in this area should be conducted to answer at least the following:

  1. What percentage of machines that are used to attack other machines does the attacker have legitimate access to (at least for those machines for which this can be determined which is probably actually a minority of those machines from which attacks originate)?
  2. Of the compromised machines that are used to attack other machines (as noted above), what percent of those do so through a trust relationship?
  3. What percentage of compromised machines are used by the attacker to serve data to others, and of those what percent are used for:
    1. Hacking tools
    2. Pirated software
    3. Child pornography
    4. Other pornography (other than perhaps a couple explicit images on a defaced webpage)
    5. Other illicit or illegal material
  4. Given the current criminal and civil code, what liability does a user have if their machine is compromised and used for illicit or illegal purposes, such as the serving of illegal material or compromising other machines?
  5. What percentage of users have impostors spoof email that appears to come from them? Is any particular class of users (professors, corporate executives, etc) at risk?
  6. What percentage of users have had attackers use their accounts to masquerade as them? Is any particular class of users (professors, corporate executives, etc) at risk?
  7. What percentage of attacks come from insiders and what percentage of the damage do they cause?
  8. What are the issues with consumers separating hype from reality in the computer security arena? How big is the problem? Are consumers aware it's a problem? How much does it lead to consumer confusion?

Many users are aware that there are issues with computer security, but are not aware of what they are. Awareness about what the issues are is proportional to the overall level of computer knowledge of the respondents, but concern is not: some respondents with less knowledge of what the issues were at least understood the risks and were much more careful in their usage practices, in contrast with some more knowledgeable respondents who seemed more indifferent than concerned about security.

Given the results of this survey, it should be possible to format and conduct a more formal survey. This should be done so that we, as computer security professionals, have solid evidence for where our education efforts need to be focused.

Many promising (and not so promising) ideas for improving computer security were presented. The author would like to see support (either at a corporate or a government level) for some of those ideas to be tested and for testing of the programs that are already in place. Testing would simply consist of measuring the awareness and knowledge levels of the students/audience both before and after, so that the effectiveness of the programs can be determined. Specifically:

  1. What is the effectiveness of Mr. Numkin's computer ethics / security education on the 3rd graders he teaches?
  2. What is the effectiveness of CIAO's high school outreach plan?
  3. More colleges should incorporate computer security awareness into their general computer courses and test its effectiveness.
  4. Colleges that teach professional computer courses (such as to computer scientists and engineers) should include mandatory classes on software engineering and designing systems to be secure.
  5. Community colleges and other continuing education programs should offer classes on advanced computer usage including safe & secure computing which focus on system usage (not design and development).
  6. What is the effectiveness of the on the job computer security awareness training that's done?
  7. Have the major Internet portal sites such as netscape.com and msn.com place more news and information concerning computer security on their homepages and survey for its effectiveness (this could conveniently be done on the web as well).
  8. Develop and air the proposed public service spots (or similar ones) and do surveys to determine their effectiveness.
  9. Test the effectiveness of the news media / popular press to convey computer security issues and information.
  10. Make sure that the desired level of security and reliability is a line item in the procurement of any computer system.
  11. Strike down the provisions of the DMCA which would hinder people from doing computer security research or from securing their machines.
  12. Prevent or overturn the passage of UCITA.
  13. Finally, as I dug deeper into the research, the finding of both the lack of hard evidence supporting just how bad computer security is today and the sheer number of sites devoted to doling out computer security advice to the masses has picked me up out of my apathy to once again give me hope that computer security, given the proper exposure to the general population, can be made manageable.

Acknowledgements & references

I would like to express my gratitude to the following people for their informal survey feedback via personal correspondence: Susan Brugger, Ronald Brugger, Todd Burgette, Camilla Cripps, Christopher da Silva, Stacy Dolson, Jill Dunne, Trent Eggleston, Tanya Gilham, Jane Kuter, Karen Persons, Karl Persons, Kris Persons, Tammy Roust, Michal Rumsey, Darren Shu and 2 others who wish to remain anonymous. I have not attributed statements made to specific people out of respect for their privacy.

I would also like to thank Dr. Gene Spafford, both for the copy of his presentation and for originally piquing my awareness of computer security issues.

  1. [Spaf] Spafford, Gene. Presentation at Lawrence Livermore National Lab, May 9, 2001.
  2. [Whitten] Alma Whitten and J.D. Tygar. Usability of Security: A Case Study. Carnegie Mellon University School of Computer Science Technical Report CMU-CS-98-155, December 1998.