Recently there are an alarming number of blog posts starting with "So we were having this discussion on Twitter...". I'll dispense with that and just say I was talking with some friends about something that has been concerning me lately. The issue at hand is how complex it still is, in the consumer space, to protect the average user.
I have spent the last five years firmly entrenched in the enterprise market, so recently when a friend asked me to look at a PC for them I gladly agreed. They were running a security product supplied by their ISP. It obviously was having a problem keeping up with the task at hand because, when I scanned it with another product, there were so many overlapping malware infections I couldn't keep count. One of them decided that it would be best if I wasn't doing any more looking and initiated a shutdown during my scan (nice!). I sent the PC back to them with the advice to start over. The real problem, however, began when I tried to explain what they need to do at a minimum to keep safe.
I started with the basics.
There was a time when you needed several products installed to scan for viruses, Trojans, rootkits, spyware, adware, and on and on. Today Internet Security Suites have come a long way. Some of them are actually quite snappy and usable, some are not. I supplied my friends with a suite (I'll let you guess which one) and recommended that they set it for automatic updates.
Next is patching. For PC users it's pretty much a must to set Windows Update to automatic. The average user is not going to remember to check for patches each day, or week, or even month. When they re-install (which I hope is behind a firewall) they need to spend the hours required to patch everything and then set it to automatically patch.
What else can we automate? Ah, backups. Backups are the last bastion of security. When the shit really hits the fan it's nice to know you can get those family photos back from somewhere. Again, it has to be automatic or there is no chance.
So far so good, right? Not so fast. They are not really secure yet. And here is where things really break down.
The rest of the steps to staying secure take time and understanding.
Time that people don't have.
Understanding, that's hard to build.
What else must be done:
Patch, Patch, Patch: There is a misconception with users that Windows Update = System all up to date. Unfortunately most of the vulnerabilities being exploited these days are in your applications. You have to regularly patch browsers, media players, productivity applications, plug-ins and so on. Each has a different patching strategy (or none at all). So users have to run something like Secunia Online Software Inspector AT LEAST weekly.
Run in a low privilege account: Hard to convince the average user of the reasons they need to run with less control on a PC they own, but it helps lower the attack surface.
Security Awareness: Michael Santarcangelo is quick to point out that you can't "Inflict Security" and expect the results you want. People have to understand and care about their actions. He says the key is that you have to, "Make it easier for people to do their jobs and protect information". For the average consumer this is a challenge. How do you teach them about the dangers of unsecured Wi-Fi, weak passwords, leaking personal information on social networks, which security questions to avoid, and how to trust nothing online?
Pray: Even if you solve all of these problems, there is still a monster lurking in the shadows: remotely exploitable unpatched vulnerabilities. Some of this comes down to having, and properly using, a firewall, but those concepts are so complicated and foreign to someone at home plugging a PC into a DSL modem, or checking email at Starbucks. How are they supposed to know how to check and configure a firewall suitable for the context they find themselves in? (Vista did make some advancements here.)
In my mind I think of Consumer Security from my grandmother's perspective. How is she supposed to dedicate the headspace and time required to stay secure online?
We have come a long way, but there is still much more to do.
Thanks @DeathwishDuck @andrewsmhay @dookie2000ca @jack_daniel @marknca @DidierStevens @jasonmoliver and @n0b0d4 for the discussion.