September 15th, 2008 by Igor Pankov
Introduction
Over the summer, I started thinking about why people think about security the way they do, and what might be causing people to make elementary mistakes when securing their computers. I’m not talking about the choice of products or the measures they take to keep their computers secure, but rather what is fundamentally flawed in the way they think about security. As I found out during conversations with people as I travelled around Europe, most users’ security knowledge is far from what I, as a so-called ’security expert’, might consider adequate. As I delved deeper into the subject, I discovered that quite a large number of users have completely wrong ideas and misconceptions about how to tackle security issues. These conversations prompted me to write this article in an attempt to correct the most common myths and misconceptions.
Myth #1:
I will be perfectly safe if I get the best security software and keep it up-to-date, – that’s all I need to do
It’s true that use of reliable software to shore up your computer’s defenses is vital, but before that comes careful and intelligent use of your computer to prevent security incidents in the first place. It is a truism that the weakest element in the security chain is the computer user himself. In my view, relying on security software alone is like relying on car’s crash test results to ensure that you’ll be unscathed after a major wreck. But I think we would all agree that it’s better to drive safely, wear a seatbelt, and obey the speed limit. The same applies to security: you need all the safety systems, but if you don’t adhere to basic standards of safe conduct, you put your computer at unnecessary risk. So think before you open unknown files or email attachments, or react to spam and phishing attempts – these are most likely designed to undermine your security. Also, don’t forget to install latest Windows and programs updates to keep you safe from known vulnerabilities found in vendors’ products. Remember, no matter how strong your preferred security program is, it will have one of the following weaknesses:
- Your anti-virus can’t recognize every virus in existence and is consequently not equipped to provide complete protection. A variety of factors contribute to this, including reliance on virus signatures and heuristics — based instruments — that struggle with the detection of different and ever-changing virus behaviors.
- Your firewall or HIPS may have one or more of the following weaknesses. Both MAY exhibit delayed reactions to a security incident. Both can sometimes miss an unwanted/illegitimate operation simply because these solutions cannot detect every possible type of system/network operation. Leak tests, no matter how theoretical their scenarios might be, serve as a good (but not perfect) indicator of a solution’s protective thoroughness. These systems may also fail to activate when it’s most needed – when a new attack strikes.
Rootkits and system interceptors that remain invisible to the operating system and the majority of security programs can be used to hide the presence of a malware payload. Rootkits are being increasingly adopted by hackers to mask malware operations such as spam, botnets and Denial of Service (DoS) attacks. - Security software sometimes interferes with normal operation of a PC, impacts its performance or displays alerts and action prompts that might be confusing for a normal person to respond to. It can also block WiFi connectivity or report false positives that may accidentally delete a legitimate file.
- Some security programs require that, once infected, manual remediation be used to undo the changes brought by malware – a task beyond the ability of most normal computer users.
- Your security program turns out to not be the trusted software you thought it was but instead is a rogue program that only advertises a promise to protect.
- Antispam and antiphishing solutions produce a high number of false positives, and phishing sites are so short-lived that, by the time a security company issues a security update to block the domain, the location has already harvested its share of stolen IDs and financial data and moved on.
Myth #2:
Why would I be hacked? I’m small fry, I’m not interesting to hackers
People do a lot of different things on the Internet, and sometimes they expose personal data. An average internet user is vulnerable to these kinds of threats:
- Theft of personal or financial data. We shop, we enter our credit card numbers and other personal details. This creates risk and the data could be abused if you’re using an unprotected PC. A keylogger could be silently monitoring your keystrokes and capturing everything that you type on your PC; later, it will communicate this information to the hacker who sent it out hunting. If you shop and the channel of communication (i.e. the web browser traffic) is not encrypted, everything that you send over the Internet is vulnerable to being copied and used without your knowledge. Your log-in passwords, email and social network accounts can also be hijacked in a similar way. Using both known and new techniques, a sophisticated hacker can eavesdrop on your Internet sessions using what’s called "man-in-the-middle" techniques to intercept and later exploit seized data. To protect yourself from such threats, it’s vital that you use a robust firewall and ensure traffic is transmitted over an encrypted route.
And that’s not all.
- Botnet infections, where the victim’s computer and Internet bandwidth are hijacked and used to harm other Internet users. Botnets are responsible for spewing out spam or phishing attacks that look like they come from the victim’s computer, and may also be used to conduct distributed Denial of Service attacks on legitimate organizations and take control of the organization’s website.
- Hackers are always on the lookout for a vulnerable PC on the network. Once found, these PCs are earmarked for later use for nefarious purposes. By using special tools to probe for exploitable machines, a hacker doesn’t target a specific host, but rather, thousands of poorly protected computers that can be amassed in a matter of minutes.
Myth #3:
My company uses a gateway firewall, so I have nothing to worry about
Gateway firewalls, if properly configured, provide solid perimeter protection for your company. Malicious inbound data will be blocked and hackers probably will not be able to break into your PC. But outbound data can still leave your computer, meaning passwords, financial data stored on hard drives, and other critical resources will still be accessible to attackers. Plus, being protected from outside doesn’t necessarily mean you’re safe from hackers inside your company’s borders. You could be inadvertently attacked by a colleague who’s become a victim of, say, an Internet worm that spreads by sending itself to all contacts listed in someone’s address book.
Myth #4:
I only visit "good" places on the web, I never visit objectionable or adult sites. So I am safe from threats that spread over the Internet
If you’re being truthful, I’d say you’re in a low-risk group. However, there are some things to keep in mind as you surf around legitimate websites:
- Sections of legitimate sites can be hijacked as easily as adult sites, and bad content placed on them temporarily until the problem is detected by the site’s operators. This happened to the Bank of India’s website not too long ago. Additionally, legitimate sites often incorporate Flash animations and JavaScript code that may be vulnerable and open up a backdoor to your computer. And last but not least, cross-site scripting (XSS) vulnerabilities may be employed by attackers to capture your logon session. You can read about XSS in greater detail here.
Myth #5:
If I connect to a credible WiFi provider like British Telecom at the airport, my Internet connection is protected
We’ve covered the secure use of WiFi extensively in other articles, but it seems the message still has not fully got through to people. If you use an unencrypted wireless signal, regardless of the network provider, even a novice intruder can easily read what you send or receive over the network, so don’t ever take the risk and post anything confidential over a public WiFi connection.
No comments:
Post a Comment