Keith C. Perry on 30 Jan 2015 11:45:07 -0800


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Article on 'cyberwarfare'


That's not what social engineering means.  The term points to user behavior (or expected user behavior) not skill sets.  For instant at this point, across the average internet user, there are many more people who would not click on a pop up ad than 15 years ago.  If you asked them why, they would give you some reasoning that would point to them knowing it might lead to some sort of problem with their computer.  Because this is an increasing "norm" across society the effect of compromises by a user clicking on pop up ads has continues to be dramatically reduced.  The people trying to effect compromise in that method have to come up with a new trick and they'll have to keep having to do that every time social engineering changes the expect response.

Cyberwarfare is the same thing on different scales simultaneously.

When I say "accept that their security is their responsibility first" that means security needs to be more of a conscious behavior by users so that security processes spend the majority of their time dealing with the actual threat instead of trying to "fix" user behavior (i.e. Internet Explorer popping up a window... "are you sure you want to download that executable?").  

Simply put, the more conscious a user is about what they do on the internet, the more is will help us deal with threats.  My argument is that this happens naturally over time- there is no magic solution or construct that will get us there sooner.  This point is also mutually exclusive from implementing new security ideas.  Every little bit helps, if only for a time.


~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ 
Keith C. Perry, MS E.E. 
Owner, DAO Technologies LLC 
(O) +1.215.525.4165 x2033 
(M) +1.215.432.5167 
www.daotechnologies.com

----- Original Message -----
From: "Rich Freeman" <r-plug@thefreemanclan.net>
To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
Sent: Friday, January 30, 2015 1:27:40 PM
Subject: Re: [PLUG] Article on 'cyberwarfare'

On Fri, Jan 30, 2015 at 11:08 AM, Keith C. Perry
<kperry@daotechnologies.com> wrote:
>
> Once people accept that their security is their responsibility first then the best possible security structures can be built out from that.

That is only true because nobody else takes IT security seriously.

Imagine if you took that attitude towards home intrusion.  Suppose it
were common for people to use the best available equipment to break
into homes with little action by the police or military to prevent
this.  By best-available, I mean just that - the equipment available
to a first world military (even a small first-world country).  There
isn't a home in the US that would withstand such an attack, and if
there weren't much risk of getting caught there would be no reason for
burglars not to use such equipment.  To defeat such at attack would
require each homeowner to basically have a private military standing
guard.

When somebody hacks into your home PC, they're going to use the same
kinds of zero-day exploits and rootkits that many first-world
governments would use.  Sure, the average attacker isn't quite at the
level of sophistication as the USA or Chinese, but they're probably
right up there with a country like Italy or France.  The hackers
likely face almost no risk of prosecution, so they can operate from
sophisticated criminal organizations.

Is it really realistic to expect EVERYBODY who uses a computer to be
prepared to defeat such an attack?  The reality is that almost nobody
is, and so criminals break into computers at their leisure.  Companies
aren't going to elevate their security until attacks become so
pervasive that it becomes a requirement of doing business and they can
therefore successfully pass their costs onto their customers.  Until
then they'll just purchase insurance and let everybody change all
their credit card numbers three times a year.

We expect national governments to control their physical borders.  In
fact, a country that fails to do this is generally not recognized as a
country - this is almost the definition of sovereignty.  Why wouldn't
people expect their governments to provide a similar level of security
online?

--
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug