Blaming Users for Virus Chaos?
Columnist Ken van Wyk takes a look at our tendancy to blame users for being duped -- continually -- into opening attachments and infecting the network. But are users really the only ones to blame?
This cry seems to resurface every time a new email-borne virus comes out that dupes our users into clicking on an attachment and infecting their PCs. The IT security team invariably finds itself shocked that users could be so easily fooled into clicking on that attachment.
They're blaming users for not knowing any better.
But is it really (or only) users who are at fault? I say that there's plenty of blame to go around. And more awareness training will not fix the problem. Oh, I think user awareness training is a good thing, but let's be realistic about what we can reasonably expect it to accomplish.
After all, the email client didn't seem to complain when the users clicked on the attachment, which was delivered to users' desktops via the corporate email servers. Why didn't the email servers stop the virus? Why didn't the desktop anti-virus program stop the virus? Why did the email client allow the new code, in the form of an email attachment, to run just because the user clicked on it?
These are not problems that can be solved with user awareness training. The acid test, of course, is whether or not user awareness training will prevent the same sort of thing from happening again. If the result of that test is that it won't, then what can we reasonably expect a user security awareness training program to accomplish?
Let's first look at the problem from the user's perspective for a moment.
It's all too easy to look back at the virus du jour and laugh at how foolish users were for having fallen for the latest malware trick in the first place. Each user that fell for it probably thought it was perfectly reasonable to click on the email attachment. In their minds, it was the right thing to do at the time. Of course, moments later it became clear that that wasn't the case. But at the time, it sure seemed to be.
Now, if you talk to software developers, you're likely to hear them claim that it's impossible to protect users from ''their own stupidity''.
From the developers' perspective, they're building software to meet functionality requirements that were thrust upon them -- perhaps by the product marketing folks, but almost certainly by people who didn't sufficiently think through the security ramifications of their design decisions. It's quite easy to let security principles slip through without being caught in the design or implementation phase of, say, an email client.
Greg Hoglund and Gary McGraw talk about the trinity of trouble -- extensibility, complexity, and connectivity -- in their book, Exploiting Software. In much of today's desktop software, all three of these attributes are present in abundance.
In fact, if they weren't present, then it's likely that we wouldn't buy the software to begin with. The fact is that we've grown accustomed to clicking on email attachments to read documents and perform other useful functions.
That is to say it's not entirely users' fault for making these ''bad'' decisions. There's plenty of culpability to go around, and user awareness training is simply passing the buck, so that fundamental flaws in our popular software don't get exploited quite so often -- at least, in theory.
As I said above, user awareness training is a fine practice that shouldn't be abandoned. Users are our first defense against security problems, and they should certainly be educated on how to spot security problems and who to report them to. By all means, teach your users to be wary of incoming email attachments. Teach them to keep their anti-virus software up to date, and their firewall software locked down tight.
Do not, however, be shocked when they make the ''wrong'' choice.
So, you ask, if we can't count on our users to always make the right choice, how can we possibly defend ourselves against new viruses and other nasties that come along?
Like so many things in the world of security, we have to practice defense in depth. User awareness training is just one of the many defensive layers that we need to ensure are in place. Other layers are vital as well, though. Most IT organizations are familiar with the perimeter layer -- the firewalls, DMZs, and so forth.
To date, however, nowhere near enough attention has been paid to the innermost layer -- our software security. While a discussion of software security is the topic for a later column, for now understand that it starts at the earliest phases of an application's life cycle, at the architectural and design levels. That's to say that we've got to get serious about fielding software that protects our users when they make decisions that we believe aren't the wisest.
Let's keep our expectations firmly planted on terra firma with regards to what we can accomplish with even the best user awareness training program.
Kenneth van Wyk, a 19-year veteran of IT security, is the prinicpal consultant for KRvW Associates, LLC. The co-author of two security-related books, he has worked at CERT, as well as at the U.S. Department of Defense.