Call to stop blaming the users -- make software more secure
From: Keith Parris (keithparris_NOSPAM_at_yahoo.com)
Date: 07/10/04
- Next message: Michiel Erens: "Re: Changing a Unix path to a VMS file specification"
- Previous message: Keith Parris: "Re: OpenVMS Management Station - cluster storage ????"
- Next in thread: John Smith: "Re: Call to stop blaming the users -- make software more secure"
- Reply: John Smith: "Re: Call to stop blaming the users -- make software more secure"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: 9 Jul 2004 16:02:09 -0700
It's interesting to see that some of the most-recent attacks on the
Windows platform don't involve the user doing anything "wrong" -- they
can attack a Windows system that is merely connected to the Internet
(or, in another recent example, even when the user is doing nothing to
do with e-mail and simply happens to use IE to view a website that has
been successfully attacked).
For a long time, in the VMS world, we've been saying that the software
itself is the problem, not the user, and that security has to be
designed in from scratch, not patched on later. It seems some are now
starting to come around to this viewpoint.
I particularly enjoyed this article from eSecurityPlanet.com:
http://www.esecurityplanet.com/views/article.php/3377201
"Blaming Users for Virus Chaos?
By Kenneth van Wyk
July 6, 2004
A common rallying cry heard around IT Security departments is the need
for more security awareness training for corporate users.
This cry seems to resurface every time a new email-borne virus comes
out that dupes our users into clicking on an attachment and infecting
their PCs. The IT security team invariably finds itself shocked that
users could be so easily fooled into clicking on that attachment.
...
But is it really (or only) users who are at fault? I say that there's
plenty of blame to go around. And more awareness training will not fix
the problem. ...
After all, the email client didn't seem to complain when the users
clicked on the attachment, which was delivered to users' desktops via
the corporate email servers. Why didn't the email servers stop the
virus? Why didn't the desktop anti-virus program stop the virus? Why
did the email client allow the new code, in the form of an email
attachment, to run just because the user clicked on it?
These are not problems that can be solved with user awareness
training.
...
There's plenty of culpability to go around, and user awareness
training is simply passing the buck, so that fundamental flaws in our
popular software don't get exploited quite so often -- at least, in
theory.
...
So, you ask, if we can't count on our users to always make the right
choice, how can we possibly defend ourselves against new viruses and
other nasties that come along?
Like so many things in the world of security, we have to practice
defense in depth. User awareness training is just one of the many
defensive layers that we need to ensure are in place. Other layers are
vital as well, though. Most IT organizations are familiar with the
perimeter layer -- the firewalls, DMZs, and so forth.
To date, however, nowhere near enough attention has been paid to the
innermost layer -- our software security. ... It starts at the
earliest phases of an application's {or operating system's --KP} life
cycle, at the architectural and design levels. That's to say that
we've got to get serious about fielding software that protects our
users."
OpenVMS is such software. There have been days when, while the latest
attack is underway, I'll just fire up Mozilla, etc. on my VMS system
and continue to do useful work, and simply wait until things die down
before trying to connect my Windows laptop to the network.