Does the computer security industry give good or realistic advice?

As a guy who works in the computer security industry, I am well aware of all the advice that we give.  Use different passwords at the multiple sites that you log in to.  Always install the latest software updates.  Run antivirus programs.  And for heaven’s sake, don’t click on any links in spam!  We sometimes get frustrated at the inexperience level of our general user base.  I actually back off on this because to most people who aren’t geeks, a computer is just a tool you use to check email, browse the web and talk to friends.  You aren’t really using it to do a lot of in-depth stuff.  Most people have better things to do, like watch football on TV, go out with friends, take walks in the park.  It’s no surprise they don’t understand the finer points of security any more than I personally understand the finer points of the medical profession, or the health care industry, or the chemicals industry.  When I go to the store and buy a cleaning product, I’m vaguely aware that it’s kind of dangerous and shouldn’t be inhaled.  I don’t read all of the labels to see the chemicals involved in the product and then do a synopsis of whether or not I am allergic to each one.  Similarly, I’m vaguely aware that in order to maintain my weight I need to consume only as many calories as I burn.  I don’t really know much about omega fats, unsaturated fats, good and bad cholesterol, what my iron levels are, what amount of sodium and potassium I need every day, and so forth.  I just know to not eat sugary foods, to eat enough fruits and vegetables, and to exercise.  In other words, my knowledge is very limited compared to what a nutritionist would know.

To that end, my girlfriend and I were out the other night and I decided to test out what she knows about computer security.  I figured I would use her as a bellwether for the advice and education that we as an industry give out.  My girlfriend is not particularly techie; she uses a web browser to check her email and regularly checks travel sites, searching for deals for her next trip out of town.  She also browses one or two discussion forums.  That’s mostly, though not completely, what she uses a computer for – keeping in touch with a small set of interests.  She is not the type of person who has embraced the digital lifestyle (something that the computer industry keeps telling us will happen but is always 5 years out).  In my view, my girlfriend is far more representative of the average computer user than I am.  Thus, anything that she did or didn’t know is likely to be more or less in sync with the rest of the Internet population.  This, of course, is not a completely representative test because I am sampling one person, whereas a true test requires a random sample of 500 to 1000 users.  Still, I figured this was a good way to see how good our advice is.

I asked her a few questions:

  • Do you know what a ‘bot’ is?  She answered no.

  • What about a ‘botnet’?  Again, no.

  • Do you know what a ‘virus’ is?  She answered yes.  What is it?  It’s a program that makes your computer do all sorts of weird things.

  • Do you know what the term ‘malware’ means?  She answered no.  I explained that malware was a term that combined two others – malicious software.  But note what is happening here and how user education is lagging industry reality.  My girlfriend understood what a virus was – it made your computer do weird things.  This means that to the average user, you can tell if your computer is infected with a virus because it starts acting abnormally; the signs are obvious.  This used to be true in the early days of computer viruses, when people would write them to shut your computer down with weird messages or do odd things like play a sound when you typed a keystroke.

    Today, “viruses” are designed to hide from the end user.  Everything should appear normal, and operations are transparent to the user on the machine which is infected.  Is it possible that we as an industry are doing a bad job at communicating the message that viruses are no longer obvious, they are hidden?  15-20 years ago, most users probably wouldn’t even know what a virus was, and now they do, so progress has definitely been made on that front.  However, over the past 5 years the problem has evolved and education is still lagging.  For sure, at the conferences I go to, and in interviews of professionals, they mention that today’s threats are subtle, not obvious.  So, we get it.  But the general population does not.  We are not doing a good job at updating the message: virus is the term we used to use, malware is the new term, and the symptoms are less obvious to people.  People will eventually start to learn this information, but the lag time is dangerously long.

    If the general population doesn’t understand the new threat landscape, whose fault is that?  If I don’t understand the finer peculiarities and nuances of my health, that’s because I have a lot of stuff to do on a daily basis, and in order to catch my attention, you have to drill the message into me.  If people do not understand what malware is today and what it does, then we need to look at how we are packaging the message.

  • Do you regularly apply security updates?  She answered yes, when the notifications pop up in the corner.  She is referring to Windows/Microsoft Update and the Adobe update pop-ups.  In that regard, the industry has made great progress in simplifying or automating the update process.  Unfortunately, not every piece of software out there does this automatically.  I then asked her if she does it right away, or sometimes waits a while.  She replied that sometimes she waits a while.  I smirked.  She then explained that she is doing stuff on the computer and doesn’t want to be interrupted.  What she means is that updates can sometimes take up a lot of processing time, but they also force you to restart the computer many times.  And nobody wants to restart their computer and start all over on what they were just doing.  Rebooting can take several minutes, and getting back to where you were after booting up can take just as long; it’s a bit of a pain, really.  We, as a society, want things done quickly and we don’t want to be interrupted.  I’m not sure how to get around this obstacle.

  • Do you use different passwords at different sites?  She kind of thought things through, and then answered “kind of” (I am paraphrasing).  She says that she doesn’t want to write them down, so she needs something that is easy to remember.  Because of this, she pretty much defaults to using a couple of different passwords across multiple sites.  Luckily, she uses a different one for the financial websites she uses.  But she also said that the sites she logs into irregularly are prone to her forgetting the password.  So that’s why she reuses passwords: there are so many she could possibly use, but she would never remember them and would forever be resetting them.

    In my view, the advice “Use different passwords with upper and lower case letters, non-numerics… and different ones for each site” is some of the worst advice that the security industry gives, precisely for the reason my girlfriend gave.  I have the same problem.  There’s no way we can possibly remember so many different passwords with random characters (in order to increase their strength).  People forget them, and so we use heuristics – mental shortcuts – to better facilitate cognitive processing.  One of those heuristics is password reuse.  Since we are insulated from attack most of the time, to most people the threat seems mostly benign.

    The trick that some people use is to have a standard password and then some sort of identifier for the web site you are logging into.  Perhaps you use a phone number, a dash and then the name of the site as the password.  This guarantees uniqueness of the password.  Unfortunately, one of the problems I have encountered is that different sites enforce different password policies.  I have done this trick, but some web sites force me to not use my special character (in this case, a dash [which is not something I actually use]).  I can only use upper and lower case letters and numbers.  Some force me to use at least one capital letter.  Some have restrictions on the length of the password, meaning that my algorithm for figuring out the password has been broken.  The net result is that some web sites have idiosyncrasies that I can never remember… and they force me to end up resetting the password every time.  I find this particularly frustrating.  Why can’t there be a general set of password guidelines that web sites can follow, such that they allow users to be consistent among them?  Without it, users revert back to insecure things like using the same username and password combination at every site.  We then complain that they shouldn’t do this… but then again, we forced them into it.
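    As an added illustration (not code from the original post), the base-plus-dash-plus-site-name scheme described above can be run against a handful of site policies to see exactly where the “algorithm” breaks.  The site names, the base value and the four policies are constructed for this example and stand in for the kinds of rules the post complains about; they are not taken from any real site.

```python
from __future__ import annotations

import string

# Constructed site policies (assumed values, not from any real site).  Each one
# mirrors a restriction mentioned in the post: no special characters, a maximum
# length, or a mandatory upper-case letter.
POLICIES: dict[str, dict] = {
    "bank-example": {"min_len": 8, "max_len": 64, "allow_special": True,  "need_upper": False},
    "travel-deals": {"min_len": 8, "max_len": 64, "allow_special": False, "need_upper": False},
    "forum-one":    {"min_len": 8, "max_len": 12, "allow_special": True,  "need_upper": False},
    "forum-two":    {"min_len": 8, "max_len": 64, "allow_special": True,  "need_upper": True},
}

ALNUM = set(string.ascii_letters + string.digits)


def derive_password(base: str, site: str, sep: str = "-") -> str:
    """The post's scheme: one memorised base, a separator, then the site name."""
    return f"{base}{sep}{site}"


def check_policy(password: str, policy: dict) -> list[str]:
    """Return the policy rules the password violates; an empty list means it fits."""
    problems: list[str] = []
    if len(password) < policy["min_len"]:
        problems.append("too short")
    if len(password) > policy["max_len"]:
        problems.append(f"longer than {policy['max_len']}")
    if not policy["allow_special"] and any(c not in ALNUM for c in password):
        problems.append("special characters not allowed")
    if policy["need_upper"] and not any(c.isupper() for c in password):
        problems.append("needs an upper-case letter")
    return problems


def audit_scheme(base: str, policies: dict[str, dict]) -> dict[str, list[str]]:
    """Derive the password for every site and report which policies reject it."""
    return {site: check_policy(derive_password(base, site), rules)
            for site, rules in policies.items()}


if __name__ == "__main__":
    # A phone-number-style base, as the post suggests (constructed, not real).
    for site, problems in audit_scheme("5551234567", POLICIES).items():
        status = "ok" if not problems else "broken: " + ", ".join(problems)
        print(f"{site:13s} {status}")
```

    With this base, only one of the four constructed sites accepts the derived password; the other three each reject it for a different reason, which is precisely why the scheme ends in password resets.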

I think I asked a couple more questions, but that’s all I can remember.  As an industry, we are okay at getting our message out, but I think we also trip over a few things that need improvement.