Turkish Delight

So, back in harness. I’ve been away for a couple of weeks: not on holiday as such, though I did take some days out, but concentrating on writing: it didn’t hurt that I didn’t have a full-strength internet connection to distract me, though.

Before I left, I was interviewed by a Turkish security site. It was an interesting experience in that when I get interviewed by the press it’s usually about something fairly specific, whereas this was more of an “opinion piece”. Anyway, I assumed that most of you probably wouldn’t want to go and read it in Turkish, but some of you might find it interesting in English. Well, maybe not.

There were only half a dozen questions, but my answers were uncharacteristically verbose, so I’ll split them across a couple of blogs.

Question (1): Are we afraid of surfing on the Internet?

I don’t know, but we probably should be. I wouldn’t really want to see everyone so terrified of the hackers and bogeymen that they won’t make use of all the possibilities for business and social networking that the Internet offers, but we should at least have a healthy respect for the risks that Internet browsing entails.

I wouldn’t want to turn everyone with an internet connection into a security geek, either, but we (all of us who pride ourselves on being proficient computer users, not just the security industry) haven’t done a good job of conveying to the wider community a sense of what they should and shouldn’t do in order to stay (reasonably) safe. In fact, that’s an important point: if you know that there’s no such thing as safe browsing, you have a choice.

• You can throw your hands up in the air and say “I’m never going to use the web because it’s too dangerous”
• Or you can stop thinking about risk elimination and start thinking about risk management. Not in terms of a big corporate exercise in PRINCE project management, conforming with ISO standards, and lengthy risk analysis procedures, but just common sense.
  • “Is it sensible to do my online banking at a hotspot in a city park?”
  • “Should I let someone else use my PC when I’m logged on as an administrator?”
  • “Why is my bank sending me email about a problem with my account addressed to ‘Dear valued customer’ instead of using my name?”

Question (2):  What are your opinions about IT Security?

As Gandhi is supposed to have said about Western civilization, I think it would be a good idea.

Well, of course, we have all the security we can handle, but it’s compromised by a fog of misinformation and mythology, half-understood concepts promoted by the media, politicians and so on: it’s no wonder so many people just look at all the conflicting advice and say “I can’t be bothered with all this. I’m just going to click on this icon…”

There’s a famous tripartite data security model: Confidentiality, Integrity, Availability. Of course, all three are vital, certainly to a business or to an individual who uses online services to run his finances. But if you lose Availability, your system has failed, irrespective of whether it’s the Wily Hacker, your ISP, or your director of IT who’s stopped you accessing your own data.

Question (3): What advice can you offer about gaining experience in Personal Security?

“How do I get to Carnegie Hall?” “Practice…”

At any rate, practice is one way of getting experience in personal security. For many people in my generation and earlier (I had my first email accounts before there was such a thing as the world wide web), it was almost the only option: you learned by experience, and if you were very lucky, you learned quickly enough not to jeopardize your own online health or that of your family, friends and workmates. Of course, there were (mostly academic) training opportunities around. As the web started to come together and the Internet ceased to be an academics’ playground as people noticed and seized commercial opportunities, we began to see a lot more commercial training, of highly variable quality.

Actually, as a specialist in anti-malware, my perspective is probably particularly jaundiced. There’s never been much training from within the anti-malware industry (and what there is is nearly all vendor-centric). Unfortunately, there’s not much security training from outside the industry from people who are really knowledgeable about malware management. Some SANS training looks up to the mark though, even though the SANS publicity machine can be pretty AV.

So at what level of experience are you thinking of here in terms of your audience?

1. Experienced enough to surf reasonably safely in their spare time?
2. Enough to carry out their daily IT-oriented work safely?
3. Enough to be a security professional?

For categories one and two, there are sites that carry reasonably good information for the non-technical reader. The Anti-Phishing Working Group has good resources at http://education.apwg.org/  with information on phishing, moneylaundering and so on.

ESET is heavily involved with a community project called Securing Our eCity that provides some impartial resources, and we have some white papers, conference papers and so on on our own web site at http://www.eset.com/download/whitepapers.php, most of which are also non-partisan. Many other vendors have similar resources and most of them now cast their nets far wider than antivirus. SANS (www.sans.org) has an enormous range of resources as well as a range of security-related courses, certifications and so on that is a good starting point for some more professional career paths.

However, the term security professional covers an awful lot of ground. It took me about 12 pages of the AVIEN Guide to cover just the main training opportunities for someone with an anti-malware/IDS systems leaning, so I’m not going to be able to do the topic justice in an email.

Actually, I can’t do justice to any of these areas here. I have done massive lists of useful URLs in the past, but the last one I made public was in 2007: I probably need to update and republish it.

David Harley
Director of Malware Intelligence