Security Strategy: How can beginners develop one?

Discussion in 'other security issues & news' started by Rmus, Jan 16, 2007.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    "Well, I've not found too many people who have a well-thought-out security strategy in place - especially those just starting out in computing."

    So spoke my friend M.T. in one of several recent conversations I taped. She often shares ideas she's developing for an upcoming class, in which she usually brings up one of her favorite topics, the "Psychology of Security." I had been thinking a lot lately about strategy, so wanted to review our own ideas to share with our group which helps beginners, and found these conversations useful, in view of the continuing onslaught of new computer malware. I've added some comments and references.
    M.T. By strategy, I mean a plan in which the points of attack are identified and understood, so that successful tactics can be implemented. I used the example in the group last time about the home, but we can carry that over into computer security. Especially concerning the beginner, which is our interest. How can someone just starting out in computing develop a strategy for something he doesn't understand? In looking around the existing literature, almost everything depends on already having some basic knowledge. There isn't much for the rank beginner. What there is available, depends on self-teaching, but the computer is more complex for most people than can be absorbed by just following a list of instructions. Notice I said complex and not complicated. I think there is a difference. Complex includes the idea of "involved," "intricate." "Complicated" most often implies "difficult." Computing is not difficult.

    Also, many of the articles, both in print and on-line, serve to do nothing more than generate fear about how dangerous the internet is. It's a wonder that more people aren't turned off initially from even purchasing a computer! We brought up with the group last time some of Schneier's ideas on this.
    She is referring to Bruce Schneier's book "Beyond Fear" and I had mentioned a quote from a review of the book when it was released:
    M.T. Also about this time we started perusing the security forums, but didn’t find much for the true beginner. So much revolves around discussions of tinker toys. The knowledge of what they protect against, much less how to tinker with them, eludes the beginner. Most of the regulars on the forums seem to be hobbyists. Hobbyists like to tinker - that's what hobbyists do. But the piling on of tinker toys is not of much use to the beginner, who needs direction in setting up a strategic plan, upon which he will then employ tactical tools to implement that strategy. Without an understanding of what you are attempting to secure, there is no basis for designing a strategy.

    One has to admire the hobbyists' level of expertise. Hardly any technical question fails to find an answer from someone. It's especially fascinating watching people analyze hijack logs, suggesting to do this and then that, and most often the poster replies back with a big "thank you" that he has remedied the problem.

    But suppose there were a true beginners' forum? In thinking it through, you know we’ve realized that at-distance help is not as effective as hands-on, which is what we have done, so one solution is to expand that type of help, where you can have instant feedback between teacher and student. You know that B___ is experimenting with using a webcam, so we'll see what happens with that.

    What we have hoped to do is get the person before he goes shopping for a computer. The beginner has no idea what is inside that strange box called a computer, so doesn't know what to ask for. A good salesperson might ask the person what he intends to use the computer for, but as you know, our experience shows that people usually end up with more than they need. I’ve taken a few to our custom computing shop, as you have done for a long time.

    Yes, I started doing this years ago. It serves to let the true beginner see what a computer really is, and have some input into what he buys. We make a list of what he wants to use the computer for. If not interested in gaming, why purchase a super video card? Once in the shop, we watch the technician assemble the computer. The customer gets to see what a hard drive, cpu, look like, and then realizes it’s not so mysterious after all. He may never work on his computer, but will know what is involved. Or, he may get interested and become really involved. The initial fear of the unknown is quelled from the start. Handling fear is the first step in employing an effective security strategy.

    M.T. For the person going to a retail store - if the salesperson is on the ball, the customer will leave with at least one tinker toy for his computer, having been told that the internet is a nasty place indeed, and you have to be careful so that you don't get a virus.

    Now, he is really worried. We've agreed that it's perhaps no coincidence that computer lingo has made use of medical terminology.

    Yes - interesting analogies: a biological virus gets into the blood stream. New computer viruses hide in Alternate Data Streams.

    One of the earliest uses of the word "virus" in connection with computers was in a 1972 science fiction novel by David Gerrold, who describes a fictional computer program called "virus." This was defended by a program called "vaccine." "Virus" became widely used in the early 1980s along with other medical terms, such as "injection," "inoculation." While useful as descriptive phrases, they have served to arouse fear, which often hinders constructive, logical thinking.

    M.T. So the person leaving the store has his first introduction to security: a tinker toy - a tactical tool that he has absolutely no idea of how it really works much less how to tinker with it. Worse, he is employing tactics without having thought through a strategy, which he can’t do because he has no basis on which to think through such a strategy. He has no clue, as some are fond of saying, and thus was born the description, "clueless newbie." What a degrading reference to apply to a person. To those in the class who use that phrase, I say "what are you doing about it? What good does it do to sit back and smirk at those who are floundering out there, not knowing what to do?"

    Who is to blame for this sad state of affairs? The computer manufacturer? The retail store? Bill Gates?

    One recent proposal was to license people as users, as is done with automobiles. While not really practical, it wouldn’t help that much. Just because someone passes the driving test doesn’t mean he knows much about the automobile. But what if he took a driving course - either group or individual instruction? I did and learned much more than if I had just studied the book and found someone to teach me to parallel park.

    What if there were similar ways of instructing people about computers? Too daunting of a task?

    While we have helped quite a number of beginners, and they are now doing the same, some might say that this type of grass-roots involvement wouldn’t seem to make much of a dent in the problem. But consider, that S_____ gives her time to an orphanage, and Mrs. D______ is setting up a class at the senior center. Your idea of "adopting" is another way to get the word out.

    She is referring to something I mention from time to time, that if everyone who regularly posts on the forums would "adopt" either a beginner, or someone who wants to learn better prevention, just think of how many people would be less "clueless."

    Another mistake in starting people out with prescribing tactical solutions [anti_____ products] is that you can lose sight of what you are trying to achieve. Often, it’s evident that there is lack of a clear-cut strategy. Two examples from forums.
    It’s not my intention to call attention to any one person, because we often see people coming to forums for help with long lists of products, not really understanding what they are trying to achieve.

    Our approach to strategy for the beginner: keep it simple. We start from the bottom up and identify the points of attack.

    M.T. In my class, I’ve used the example of securing a home, but the same applies to securing your computer: In a worst-case scenario - fire or theft - what is irreplaceable? What ever falls into that category needs to be backed up and kept off site. This includes copies of your personal data, installation disks, manuals, etc. These safeguards provide a great feeling of relief. We both like the idea of a removable hard drive that is put elsewhere when away for an extended period of time. D____ takes his with him in his valise every day.

    With the computer itself, the "engine" is the Operating system. Many ways today of protecting it - from re-imaging a corrupted system, to rolling back to a previous good state. The latter is the easiest to set up for a beginner: it requires no tinkering. If perchance something should intrude, your operating system is protected.

    Going up the ladder from the base, we consider how to prevent the inadvertent intrusion of malware.

    What was not discussed in these conversations was our approach to presenting a working knowledge of the computer before talking about intrusions. With respect to security - understanding file types, file extensions, file associations, is paramount. It’s disconcerting to find people who can’t explain how the computer knows to start MSWord when you click on a word.doc file. Or what an executable file is, and how it differs from a text file. This basic understanding helps later when we configure the browser and email programs in handling different file types. To use a recent example: do you want your browser to open .pdf files, or pass them to a .pdf reader? The "beginner" understands this perfectly when we get to it.

    M.T. Traditional computer viruses emerged in the 1980s, and the earliest solutions to prevention involved identifying their characteristics and monitoring for their recurrence. This is now known as the "black list" approach. Several years ago, some strategists were advocating a "white list" solution.

    One way to describe the difference is to imagine you are guarding a gate and you are to prevent the "bad people" from passing through. You have a list of "bad people" and the list is updated every morning. This is the "black list." But if a new "bad person" arrives before he is identified and put on the list, you would let him through, not knowing he was bad.

    Using a "white list" approach, you have a list of the "good people" who are permitted to enter. Anyone who is not on that list, doesn’t get in.

    Marcus J. Ranum uses the terms "enumerating badness" and "enumerating goodness" to describe these. [1]
    Two years ago this month, Dennis Szerszen of SecureWave wrote a paper on the subject. [2]
    Last year, an unfortunate incident occurred resulting from a zero-day AIM virus. A friend’s daughter received a message from her friend. When she opened it, an alert popped up from her security program. She phoned her friend, knowing that she wouldn’t have sent something like that on purpose. Sure enough, the friend had gotten the virus which propagated itself via her buddy list - about 65 people. No AV caught it the first day.

    At the top: firewall, browser, email.

    What we set up for beginners is based on our years of experience with solutions that have proven reliable. We want things to be as simple as possible.

    A basic software firewall protects inbound as a packet filter, and monitors outbound. This is also protection against that code which runs a script to connect outbound. A recent example of this is the ACER vulnerability.

    We don’t pay too much attention to all of the browser-email hype. Any such program is safe if used in the proper manner. No browser is completely secure anyway, so you are protected below if something should intrude.

    To quote Dennis Szerszen again:

    Policies that insure secure email and browsing procedures can be effectively taught to beginners, continuing on from the explanations of file types.

    This is our starting point for showing beginners how to implement a strategy for safe and happy computing. There are many effective approaches, but we want one that is the least complex for the beginner. What we have implemented has worked in every case, and none of our beginners has gotten a virus.

    As he gains experience, he will venture into other waters requiring other tactical solutions, but he will have a strategy in place on which to implement these tactics.

    I have avoided mentioning specific products, because due to the wonders of advancing technologies, there are numerous solutions.

    I’ve also left out teaching safe web habits and safe installation of programs - topics for another time.

    Adopt a user!


    References:
    [1] http://www.ranum.com/security/computer_security/editorials/dumb/

    [2] http://www.techlinks.net/WhitePapers/An Ounce of Prevention - SecureWave.pdf

    regards,

    -rich


    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier​
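
The "black list" and "white list" gates described in the post above, combined with its point that what a file contains (not what it is called) decides whether it is a program, shown as an added example that is not part of the original thread. The file names, sample bytes and the three magic-byte prefixes are constructed for illustration.

```python
import hashlib

# Leading bytes that mark content as directly runnable (small illustrative set).
EXECUTABLE_MAGIC = {b"MZ": "Windows PE", b"\x7fELF": "ELF", b"#!": "script"}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def executable_kind(data: bytes):
    """Classify by content, not by name: an extension only selects which
    program opens the file and can be chosen freely by whoever sent it."""
    for magic, kind in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None  # treated as data (text, document, picture)

def blacklist_allows(data: bytes, known_bad: set) -> bool:
    """Default-allow gate: everything passes unless it is on the 'bad' list."""
    return sha256(data) not in known_bad

def whitelist_allows(data: bytes, known_good: set) -> bool:
    """Default-deny gate: runnable content passes only if it is on the 'good' list.
    Data files are left to their associated program, which must itself be listed."""
    if executable_kind(data) is None:
        return True
    return sha256(data) in known_good

# Constructed stand-ins for real files; the bodies are placeholder text.
WORD_PROCESSOR = b"MZ constructed: the installed word processor"
OLD_SAMPLE = b"MZ constructed: malware the vendor catalogued last month"
NEW_SAMPLE = b"MZ constructed: malware first seen this morning"
LETTER = b"Dear Anna, see you on Friday.\n"

KNOWN_BAD = {sha256(OLD_SAMPLE)}        # this morning's blacklist update
KNOWN_GOOD = {sha256(WORD_PROCESSOR)}   # programs installed on purpose

FILES = {
    "winword.exe": WORD_PROCESSOR,
    "old_attachment.exe": OLD_SAMPLE,
    "holiday_photo.jpg.exe": NEW_SAMPLE,  # shows as "holiday_photo.jpg" if extensions are hidden
    "letter.txt": LETTER,
}

def evaluate(files, known_bad, known_good):
    """Return {name: (content kind, blacklist verdict, whitelist verdict)}."""
    return {
        name: (executable_kind(data),
               blacklist_allows(data, known_bad),
               whitelist_allows(data, known_good))
        for name, data in files.items()
    }

if __name__ == "__main__":
    for name, (kind, bl, wl) in evaluate(FILES, KNOWN_BAD, KNOWN_GOOD).items():
        print(f"{name:24} kind={kind!s:11} blacklist_runs={bl!s:5} whitelist_runs={wl}")
```

Only the sample that is not yet on either list gets different verdicts from the two gates: the black list lets it run until the next update, the white list refuses it from the start.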
     
  2. eyes-open

    eyes-open Registered Member

    Joined:
    May 13, 2005
    Posts:
    721
    Hi Richard,

    One problem with beginners that I've experienced, is that they don't arrive in an equal state of being. I have adopted 3, no choice, they're family. They also could hardly be further apart in terms of the way their computers are used.

    User 1: has a machine I once had to clean over 2,000 pieces of assorted malware off. This was after having to enter another user account belonging to a recently redundant boyfriend who'd used kazaa a lot ....... badly !

    She doesn't really want the info, just the clean machine and minimum maintenance - even though she now interacts quite widely with her computer I think, including using ebay.

    User 2: has a machine which I set up from day 1 and it's all I can do to encourage her to be a little more adventurous. She has very conservative habits in a secure set-up. It was quite a large investment for her and she is afraid of breaking it.

    This user is older & has a mental block that is difficult to overcome, finds it hard to remember from one week to the next simple concepts - mostly because fear is getting in the way. No great security worries, just needs to get a little more out of her investment. She probably would respond well to a classroom environment, Plan (b) for this user is already in hand.

    User 3: has an older 2nd hand machine with an unvalidated XP pro. I brought it up to date, fully patched etc. The problem here is that it is a multi-user machine with a teenager in the house and curious children. I had set up individual user accounts and password protected the adults' administration account. Within 1 week I was talking him through removing the zlob virus - attained through the dodgy codec route by the teenager.

    He is really short on computer resources and spare time, very willing to trust me and do the work when talked through. Would probably have a clean machine if left to him...not least because I don't think he really feels the need to use one.

    The result is that although they are all encouraged to call me if they have a problem - User 2 rings me all the time to double check the very simplest things. Users 1 & 3 ring intensively for a week or 2 after whatever the latest rescue/repair was - then the phone goes quiet as they suspect they may have messed up ..... until something becomes too bad for even them to ignore, or I spontaneously offer to check the machine out.

    They are very different from those beginners who independently elect to go to classes and to varying extents, those that seek out a forum like this. These folks are somewhat predisposed to committing time and taking responsibility.

    As much as I sympathise with the challenges that face some beginners - you could superglue Joe90 glasses to some folks and they'd still resent the bit where they have to sit down for 5 minutes to learn something new.

    Ultimately, to achieve universal coverage, I think we are going to have to rely on better system design ......... cos designing a foolproof human is gonna take too long. :blink: :D


    Here, I had always assumed that we as people, had deliberately made that choice, as a way of humanising computers, making them less threatening and easier for us to relate to. Maybe partly in response to the humanising of computers through the realisation of concepts such as androids in sci-fi movies.

    If a user is told that a binary logical sprocket was being undesirably interpopulated by a group of indigent data destruction port grometers - I'm not sure they'd feel any more empowered - it doesn't appear to work that way with cars ........... and that's before we even begin to apply abbreviations. :ouch:

    Anyway, thanks for the post - and as Rmus says, adopt a user, in fact if you can't find one ......... I have some to spare.
     
    Last edited: Jan 17, 2007
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hello eyes-open,

    This is certainly true, and is the challenge of teaching, no matter what the subject matter.

    I have to admit that those I've worked with fall into this category.

    We've found this to be true in working with family members. Just human nature, I guess, not wanting to listen to a family member. Often, having an outsider teach (or having the person go to a class) is more effective. Not always convenient.

    I agree with your comments about humanizing computers. It's just that the language we use to "humanize" them - medical terms in this case - often produces unintended results: certain words evoke unnecessary fears. Malware is less of a threatening-sounding word than virus. If "malware" is explained to be programs that do bad things, that usually suffices as explanations for the beginner. As he advances, he may want to get into the technical details. We can explain that water in the gas tank isn't good for the automobile engine without having to go into the chemical formula.

    No argument here...

    meanwhile:

    At least we are doing something :)

    thanks,

    -rich
     
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,225
    Hello,
    Rmus, that pretty much sums up what I've been trying and am saying the last couple of years.
    Mrk
     