NEW YORK -- When it comes to cybersecurity, the largest single threat to corporate and government networks is, according to some experts, customers' own risky behavior. It was certainly the assessment of a handful of Internet security and software luminaries gathered in New York City at a cybersecurity roundtable earlier this week. With new breaches in the news, and cybersecurity bills on the verge of enaction, the panel convened at a timely moment.
Yet for all the vast amount of technological resources available to those on the panel--which included representatives from payment processor ADP, software players, including Microsoft, and security vendors, including industry leaders McAfee and Symantec--the security issue, in many cases, still remains a people problem.
"We cannot assume that users know how to protect themselves online," said Roland Cloutier, Chief Security Officer (CSO) of ADP (NASDAQ: ADP).
Customers need to change passwords and keep their patches up-to-date, and far too many fail to do so, said Michael Kaiser, executive director of the National Cyber Security Alliance (NCSA), which convened the roundtable discussion. For instance, more than 1 million computers are still infected with Conficker, a problem for which their exists a simple downloadable solution, according to Adam Palmer, Symantec (NASDAQ: SYMC) cyber security advisor.
"Many PCs scan infrequently and many users have security software that's at least a week out of date if they have updated their subscription," added David Marcus, security communications manager for McAfee Labs (NYSE: MFE).
These risks are compounded when enterprises adopt the latest cloud and virtualization technologies, ADP's Cloutier said.
But can the consumer be expected to protect his or her own computer? The level of awareness of cyber security issues is far below that of public health; for example, the NCSA's Kaiser noted that there are no cyber security posters in school computer labs touting the need for secure passwords and regular patch updates. But his group is working to fix that, having built free resources at staysafeonline.org.
Dealing with disclosure
Of course, software providers have responsibilities, too. Attendees called for responsible disclosure by security researchers of software and website vulnerabilities, but while companies are willing to admit that there are problems with code and with websites, in many cases they still prefer to be given time to fix the problem before it is made public.
Other factors complicate disclosure. Many companies may be dealing with this problem for the first time, and they may not do so well. Procedures for handling security researchers' reports aren't available in the company handbook -- though best practices for vulnerability disclosure can be found online, Cushman added.
Meanwhile, some security researchers still believe, on the basis of past experience, that few companies will be unwilling to acknowledge, let alone solve, problems that security researchers discover.
"Those days are over," McAfee's Marcus said.
As a result, when a security researcher (or white-hat hacker) contacts a company to report an issue, it's important to talk to the researcher to make sure that the customer's security is a goal that the company and the researcher have in common, according to Andrew Cushman, Microsoft (NASDAQ: MSFT) director of trustworthy computing and host of the roundtable.
The CSOs of government agencies understand the issue too, according to Rick Doten, chief scientist at Lockheed Martin's Center for Cyber Security Innovation.
Nevertheless, the tension between white-hat hackers, who need to be the first to report a vulnerability to obtain credit for discovering it, and companies, which have an intensive code review process and a set patch release schedule, will continue, Marcus added.
But this is a problem the industry can handle, panelists agreed.
Customer education, on the other hand, is more complex, but may require simply posting a note on a former scam page that says, "The link you just clicked on was a phishing scam, but has been taken down." This could deliver a visceral security experience that no computer-room poster from the IT department can fully convey, and it's a strategy that's already being used, said the NCSA's Kaiser.
He added that as processes improve, there is plenty of reason for optimism.
Symantec's Palmer had another reason for optimism: "Ten years ago, I prosecuted a case where the judge stopped me to ask what a website was. I doubt that would happen today."