Shark Bait

Knowledge Centers

Operating Systems

Networking & Internet

Mobile & Wireless

Security

Storage

Business Intelligence

Servers & Data Center

Computerworld Reports

Industry

See your link here

Michael R. Farnum

Hitting the Security Nerve

Grassroots security - securing where it really counts

3 comments

IT TOPICS:Internet, Security

We've all heard the the term "grassroots" in politics, but what exactly does that mean? It means getting in touch with and involving the people. So, grassroots security would be an effort in the security industry of getting the common people involved in security.

But to many security professionals, this is a foreign concept. So many security professionals focus their efforts towards talking to other security professionals and helping corporations figure out how to secure their networks. They don't want to deal with common home users because it often feels beneath them and because they mistakenly feel like the corporate world is where security should be focused (and to be honest, they know that is generally where the money is to be made). But if we are going to make us all more secure, we have to think about security from the aspect of where most of the security issues are and what enables the bad guys to do the bad things they do.

What am I talking about? Well, let's look at two of the top security problems we face today: spam and phishing. These two issues are almost exclusively propogated via botnets that are comprised of thousands and thousands of compromised machines on the Internet. But do you know types of computers mostly make up botnets? Purchased servers on foreign soil? Used to be, but not anymore. Corporate computers and servers? Nope. Educational institutions? No way. Home computers attached to broadband Internet links? You got it.

These types of computers are notoriously insecure. We know all the common problems:

No firewall
Anti-malware software not installed
Anti-malware software turned off because it caused so many problems
Kids surfing to all kinds of crazy websites with embedded malicious code
Ignoring warnings from Windows about installing software when they go to websites
Etc., etc., etc.

All this consequently leads to home PC's making up the biggest population of zombies. And it also essentially means that users are uneducated (not stupid) about security. They don't know what causes these problems, and they don't know how to fix them. And ignorance of an issue such as this joined with the higher power of computers and cheap high speeds of Internet connections is very dangerous to the security of the Internet.

Our job is to help them become educated. Our task is to swallow our pride and work with the grassroots of society. They are the unwitting allies of spammers, phishers, and other bad guys. They are the unknowing underpinning of this evil empire. These problems would not exist on the current scale if the regular Joe or Jane user knew how to fix their security problems. And if they knew they were contributing to the security of the Internet as a whole versus just protecting their own butts, then they might be even more motivated.

I am starting to write more about this on my personal blog, but basically, education, not avoidance, is the key. We have to hit the problem where the problem starts. If you are a security professional, don't be too proud. Take some time to invest in the user. That will make a real difference in security as a whole.

Email this

Digg this

What People Are Saying

Add new comment

I see two areas where

Submitted by jbl on March 7, 2007 - 1:39 P.M.

I see two areas where education of end users at home is essential. One is covered in the blog posting: how to prevent infection of the user's computer and how to recognize and cure such infection as have may already happened.

The other, discussed in the above comment, is how to avoid being scammed by bad guys on the net. Part of this is how to recognize a scam, be it phishing or otherwise. Sometimes this involves recognizing a forged email and sometimes recognizing a forged web site. These can be hard. Better is learning practices that avoid scams, including never clicking on anything in email or using bookmarks. (I don't know what one does about DNS attacks, except for bankers and merchants coming up with ways to authenticate sessions and transactions. MitM attacks are avoidable if they are initiated through phishing or other spam.)

A related area of education for the end user is the general untrustworthiness of anything that comes via spam, regardless of the content. If no one ever replied to a spam or phish email, it would no longer serve anyone's purpose to generate it. (Unfortunately the cost of spamming is so low, that even one response in 500,000 spams -- that number is a total WAG on my part -- generates enough profit to pay for the spamming.)

Reply | Report this comment

Mr. Mirkin, Bookmarks are a

Submitted by Michael R. Farnum on March 7, 2007 - 10:56 A.M.

Mr. Mirkin,

Bookmarks are a defense in simple phishing emails that try to direct you to a false site by using false links. However, you are completely discounting man-in-the-middle attacks or DNS cache poisoning where browser bookmarks are no defense at all. Having the training to be able to pick up on nuances of a fake site is invaluable in these instances.

Michael R. Farnum

Better to be despised for too anxious apprehensions than ruined by too confident a security.
Edmund Burke (1729 - 1797)

Reply | Report this comment

If people would bookmark

Submitted by Howard Mirkin on March 7, 2007 - 12:56 A.M.

If people would bookmark (add to favorites) the sites where they conduct financial transactions and only use those bookmarks instead of clicking, they would not get phished. I wish the security professionals would stop telling us about fake web sites and fake emails and focus on telling us how to get safely to the web sites. Let's start Focusing on Real, not Fake.

Reply | Report this comment

Google Dashboard: Convenient, useful, but no big deal

Web filtering internationally, part 1: China

Spam culture, part 3: Nigeria (and 419 scams)

Obama Drupal-ing around; whitehouse.gov goes open source

LIVE Nov 10, 2009 12:00 PM ET

Architecting Business Intelligence Applications for Change: The Open Solution

LIVE Nov 12, 2009 02:00 PM ET

Forrester Consulting - Optimizing Users and Applications in a Mobile World
Learn how to successfully deploy a WAN optimization solution that is specifically tuned for a mobile environment!

Top to Bottom Performance Management Excellence at the City of Chicago
View now.

Faster, Cheaper and Easier to Maintain
Can you afford not to upgrade your servers to today's advanced, energy-efficient technologies?

Effectively Implementing Datacenter Automation
Effectively select and deploy the best datacenter automation solution today!

The State of PCI DSS Compliance at Organizations Today
Download this resource today!

Aligning IT to Business: The Rising Importance of Application Delivery Networks
Application Delivery Networking (ADN) will play a vital role in helping enterprises incorporate strategic technologies to achieve business initiatives.

All White Papers | All Webcasts

Computerworld Reports

8 Questions To Ask About Your Intrusion-Security Solution

Computerworld Technology Briefings IT Service Management

Computerworld Briefing - Analytics: The Art and Science of Better

All Computerworld Reports

Receive the latest technology news and information.

	Computerworld Daily News (First Look and Wrap-Up)
	Computerworld Blogs Newsletter
	The Weekly Top 10

View all newsletters

* E-mail Address:

* Industry:

* Job Title:

* Company Size:

* Country:

* State:

I would like to receive offers via e-mail from Computerworld partners.

Michael R. Farnum's Archive

IT Topics

Sponsored Links

Play NetApp's New Data Defense Game.

How Do You Rank as an Innovation Leader? Download Recent Study.

Play NetApp's New Data Defense Game.

Extraordinary times demand Brocade Extraordinary Networks.

No Payments for Up to 6 Months on Orders over $500.

NetScaler VPX : Harness the Power of Virtualized Web App Delivery

64-page prescriptive guide to security, compliance, and IT operations.

Streamline IT Costs. Boost Performance with WAN Optimization

Enterprise Network & Server Monitoring Software. Cross over to Traverse...

Keep your IT expertise up to date. Join the Intel Premier IT Professionals.

Crystal Reports Server: More options. Not more money.

Parallelism is not just for HPC. Create rich apps from desktop to device. Get the eval.

Tolly Performance Report "Citrix NetScaler with nCore Outperforms F5 BIG-IP"

Save up to 61% plus Free Cheesecake

Find IT jobs in the Healthcare industry on Dice.com

With the NEW KODAK i700 Series Scanners get full speed at 300dpi!

Not All QSAs Are Created Equal: What You Should Know Before You Buy

The arrival of Serial Attached SCSI (SAS) marks a new era in storage scalability

The AMD Virtual Experience Virtual Trade Show

New DW Options and Price Points. View Teradata Platform Family Data Sheet.

See how AT&T can help protect your network.

3 Innovations. 3 Free Downloads. Free trials of Windows 7, Windows Server 2008 R2 and Exchange Server 2010.

Take the Netezza TwinFin TestDrive!

Citrix NetScaler with nCore Outperforms F5 BIG-IP - Learn More

New Analytical Platform Options. Download Data Sheet and More.

Get more enterprise mobility value for up to 25% less.

Unified Communications: Thoughts, Strategies and Predictions. Join the discussion.

NYUs M.S. in Management and Systems. Offered Online and On-site.

Increase UPS efficiency without sacrificing protection

Crystal Reports Server: Single server access to reports & dashboards

Create new opportunities. See business making progress now

ESET NOD32 with ThreatSense(R) - Get your free trial now!

Looking to add Unix/Linux functionality to Windows?

Join the conversation about the hottest IT trends with Computerworld on Twitter.

ITwhitepapers.com - Access thousands of white papers on 300+ technical topics.

Leverage Your Cisco infrastructure for Superior Application Performance

Learn about the AMD Virtual Experience

Introducing: Project Icebreaker

About Us Advertise Contacts Editorial Calendar Help Desk Jobs at IDG Privacy Policy Reprints Site Map

CIO

Computerworld

CSO

DEMO

GamePro

Games.net

IDC

IDG

IDG Connect

IDG Knowledge Hub

IDG TechNetwork

IDG Ventures

IDG.net

InfoWorld

ITwhitepapers

ITworld

JavaWorld

LinuxWorld

Macworld

Network World

PC World

The Industry Standard

Copyright © 1994 - 2009 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of
Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.

Grassroots security - securing where it really counts

What People Are Saying

I see two areas where

Mr. Mirkin, Bookmarks are a

If people would bookmark

Related Posts

Today's Top Stories

Hot Posts

Recent Comments

White Papers & Webcasts

Computerworld Reports

Newsletters

Michael R. Farnum's Archive

IT Topics

Sponsored Links