When does convenience trump security?

I've been speaking with someone about how we set up friend's computers(and how we operate our own). I'm of the mind that if you restrict things too much, all you do is prompt someone to discard all of the measures and use what's convenient regardless of increased risks.

When I set up someone's system, I make a limited user account, but I do two things. I change file permissions for the entire User class to allow write and modify access for all non-system partitions. And I add SuRun so logging on as admin isn't needed as much.

I think these two things are pretty reasonable.
Coupled with sandboxed browsers and Returnil I'd call this pretty secure, while not being overly restrictive for ordinary use.
I also shut off Returnil's virus guard and grant the sandboxed browsers full directory write access to the non-system partition.

If I wanted absolute security I wouldn't be running Windows. I'd be running OpenVMS. I wouldn't use Flash. Etc
I think granting write access and using SuRun make the LUA a LOT more usable with very little security loss.
I consider a standard XP LUA to be almost unusable. I know I would still be using an admin account for everything if Users couldn't create and modify files. That's just too big a deal for me.

So where do you draw the line between security and usability?

 

I draw the line when a PC is no longer user friendly.

A PC was meant to be USED,not a security fortress like some think.

 

I draw a pretty high line on security, because it's still usable for me.

 

I place a pretty high value on usability and performance. If anything gets in the way of that, I remove it. My security setup is very minimal here on Win 7 x64.

 

Yes, I agree. I think a minimalist approach can work fine. Common sense when you are browsing/surfing can preclude the need for overcomplicated security.

 

Absolutely, especially the common sense part, which it seems many overlook as an important and useful component of any pc security setup. Personally, I place quite a lot of emphasis on security, leveraging as much as possible what's already built-in to the O/S, which helps to leave at least what is for me adequate convenience. I don't like constant security maintenance when using the computer.

 

Common sense when browsing? Can someone explain me about it? How can I achieve such?

Would you folks define visiting known websites as being what you call of common sense?

Just like visiting a BBC owned website? Say, like this example here?

If I were only to protect myself based on the common sense and nothing else, I'd be served a very nice exploit, resulting in a drive-by download. No need for user interaction.

It's just like using the common sense when driving a car - Don't turn left, because you have to turn right; it will keep you safe. (I guess some forget to mention they will only be safe until they stop being. )

 

m00nbl00d took the words from my mouth! That is why security is needed even legit sites may become compromised and deliver drive bys. it has happened before and bound to happen again.

I focus on Security. Although even with all my security (look at my setup on https://www.wilderssecurity.com/showthread.php?t=111264) I barely take a performance dent. The only CPU heavy programs are Commodo and Avast! but neither of which slow my computer down. I am also fine with having to move Executable to an allowed folder. It may be a hassle for some people but I like it I even have UAC request a password (SUA setup)

 

Common sense isn't the protection on the web that it used to be. When legitimate sites get hacked, including big financial institutions, there is no longer such a thing as a trustworthy site. The DNS system has been attacked. Hardware is being targeted. A minimalist defense won't protect you against these. This leads to the next question. Define minimalist criteria. That will mean a lot of things to different people.

IMO, relying on what most call common sense is nothing more than rolling the dice and betting that it won't happen to you. Myself, I don't gamble. I only bet on sure things. In PCs, that's default-deny, isolating the attack surface, and restricting permissions to only what's necessary for an application to function. IMO, common sense says that the entire internet is vulnerable and any part of it (sites or system) can be compromised at any time. None of it can be completely trusted, and your security setup/policy should reflect that.

 

More over hyped nonsense than one can shake a stick at. Part of common sense is as simple as keeping all applications up to date and running in a limited account, and that will prevent or at least mitigate a lot of the exploits from taking hold in the first place.

 

Patching is great, but it's also play and catch. Today a vulnerability is patched, but others are unknown; but, maybe not to attackers. So, it's needed to mitigate/contain what exploitation of such vulnerabilities can do.

Running a limited account can contain a lot of what can happen; but, why is it that people still rely on exploits only targeting/requiring administrative privileges (actually the malware)? Not to mention privilege escalation.

Carberp doesn't require administrative privileges; it will execute to memory. Not even SRP/AppLocker would be of any good.

So, what else could you deploy to prevent/mitigate an exploit which could result in the mentioned above? MrBrian has proved that EMET won't be foolproof. Nothing is really. EMET is about mitigation; that is, mitigate to the maximum possible what the exploit does. But, what about actually prevent the exploit from initiating?

Maybe for some certain security measures aren't necessary or aren't seen as such by them, but to others it is. In the end, it depends on what use you give to your system and what you consider acceptable to happen. Anyway, that's how I see it.

 

Maybe, but what I mean is that I have an AV (& SUPERAntiSpyware) & some browser-end security extensions (adblocker, NoScript etc). Most of the sites I visit aren't Russian porn sites & I don't download just anything that takes my fancy. When I download installers (inter alia) I will scan them. That's what I mean by common sense.

I agree with much of what you are saying, I'd hardly say that I was just rolling the dice though. Apart from using some form of sandbox/virtual box I am not sure what else I can really install. I think my set-up is minimal but effective.

I think that a bit of common sense, the UAC on Windows Vista/Seven, a decent AV , some good browser-end security extensions & maybe a good on-demand scanner like SAS or MBAM (&/or something like SpywareBlaster) should be sufficient.

Although to be honest even that sounds a bit complex. Common sense, a good AV & some browser security extensions should be good enough for anybody.

 

Exactly!

 

Actually, what you said was:

OK, now I see you don't fully trust the Common sense when you are browsing/surfing. I guess you just didn't think of mentioning the rest.

 

Browsing the net is not as difficult as some make it out to be.
One of my co-workers has nothing on her PC except Returnil System Safe 2011,plus Windows firewall and all updates.thats it period~!

Til this day, she's got no malware,virus or any other issues!

 

Yeah, I believe in a common sense approach ... but I'm not stupid LOL!

 

Yep, without a doubt. I have been living on the internet now for over 15 years, with minimal security, meaning nothing much more than an AV, going literally everywhere, good and bad, and have not once in all that time been compromised. I don't think I need to say much more than that....

 

I've never felt that a secure system had to be inconvenient.

In developing a security strategy, it's not necessary that the resulting policies/procedures and security products installed should have to interfere with usability.

----
rich

 

Are you sure? Isn't it just another trojan that needs to install/execute before doing any dirty work?

Trojan.Carberp
Risk Level 1: Very Low
http://www.symantec.com/security_response/writeup.jsp?docid=2010-101313-5632-99

As such, wouldn't this be easy to prevent with SRP/AppLocker?

----
rich

 

That is a trick question around these forum

Some folks enjoy the trip through pop-up land. They enjoy knowing they have control over most any aspect. So for them, I would say they don't care about anything but security, at least right now.

For myself, I no longer care about security that means inconvenience. BUT, that doesn't mean I don't care about security or that I have less security. It only means that I had to adapt how I approached it to try and achieve a balance between the two. As it stands now, if I stick to my scheme, little can happen. If I deviate from the scheme (and it does/will happen), I just need to make sure I have followed the rest of the scheme as well as possible, and all losses SHOULD be at a minimum. I am talking worst case scenario here, not simply removing some pesky virus. I am talking about online transaction protection, data protection, etc.

Sul.

 

An up to date system with a browser where scripting can be either restricted or a white list of sites used is about as inconvenient as I will go. The av and firewall/behavior monitor work ok but if they become buggy they are removed quickly. I think a lot of people read the antivirus detection reports and believe it's doomsday. But really a lot of those tests are done on outdated systems, outdated browsers and few if any patches. How about an antivirus test on an up to date system, even being run as admin, where the OS is Windows 7? Combine that with a browser that has a no-script like component and the chance of getting infected is very, very small. So downloads and what goes into a computer via a cd or email would be needed to be scanned. But that's fairly easy. And for me, not something I do much.

Also, if a person is going to do some purchase online- have two checking accounts. They are usually free anyway. Have one where a small balance is kept, just to cover online purchases. If your credentials get hacked you are only out a few bucks.

 

Absolutely! I have a separate account, which I have no checks for, only a debit/credit card. I transfer/deposit only the amount +/- 10$ the day before I purchase. I have been doing this a couple years now, and it works very well for online transactions.

Sul.

 

I don't see why convenience trumps security. It could if you go overboard.

In general, it is possible to enjoy yourselves immensely, without doing any special or drastic. Security is fairly overrated. You can get infected, if you want, but if you don't, you let the hype and the scaremongering pass you by, while you enjoy the Internets.

And someone commented on Russian porn sites - why single out? What's wrong with those sites, if we put aside personal taste, preference and perceived morality? No different from any other site. And makes no difference to the overall security strategy.

Cheers,
Mrk

 

Sorry, just my odd British sense of humour (I once contracted a trojan in a Russian journal site).

 

RWhen does convenience trump security?