In Brief

Blame unusable security, not users; Apple worm; high-speed IPS

Blame Unusable Security, Not Users

A common refrain from information security experts: fewer worms would spawn, and fewer attacks would succeed, if users had more security smarts. As a result, the prescription is for more, perhaps much more, user training.

Many agree at least on the need for basic security education. For example, it doesn’t hurt to remind users not to share sensitive information, how to choose a harder-to-crack password, and not to hand out their passwords to anyone.

Yet user reeducation as a way to solve most or all of today’s information security ills is misguided, says usability guru Jakob Nielsen, principal of usability firm the Nielsen Norman Group. In a recent online column, “User Education Is Not the Answer to Security Problems,” he says “user education should not be the main approach to countering security problems,” simply because it won’t work.

The focus on education too often places blame where it doesn’t belong, he says. Portraying the argument as one of humanists versus technologists, he throws the ball back into the latter’s court, saying, “Computer security is too complicated and the bad guys are too devious and inventive.” Sure, users learn to not open strange e-mail attachments. So attackers transition to making the e-mail appear as if it came from someone inside the company. Who can keep up? As a result, today “the Web feels like the seedy part of town,” he notes.

Instead of giving users more training, he recommends actually protecting them. Thus a prescription for improving information security: “The only real solution is to make security a built-in feature of all computing elements,” he says. That includes automatically encrypting and digitally signing and hash-verifying all information, turning on maximum security by default, and automatic updates. Yet security controls also need to be made easy for anyone to use, “to a level far beyond anything we’ve seen so far.”

Only through easy-to-use security, in conjunction with better bug eradication and more law-enforcement resources devoted to the problem, he says, will information security ultimately make the Internet safe.

Link to Nielsen's column:
http://www.useit.com/alertbox/20041025.html

- - -

Apple Worm Emerges

Antivirus vendor Sophos warns of a new worm that affects Macintosh computers running OS X.

Known both as Opener and Renepo, the worm uses the Bash shell to disable the Mac’s firewall and other security settings, install hacking and password-sniffing tools, change permissions on key directories to allow unrestricted access, create its own administrator-level account, and cover its tracks by turning off logging.
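Each of those actions leaves an artifact on the host, which is what a responder looks for. The script below is an added example, not Sophos', Apple's or the worm's code: it checks for a second uid-0 account in passwd-format text, for system directories that have been opened to world write, and for a syslog configuration with every rule commented out. All inputs are constructed (the account name "svc" and the directory names are hypothetical), so it runs offline; on a real OS X box of that era the account data would come from NetInfo rather than a flat passwd file, so treat the parser as an illustration of the check rather than a drop-in tool.

```python
"""Host-audit checks for the indicators described above (added example,
not vendor or worm code).  Every input is constructed sample data."""
import os
import stat
import tempfile


def extra_root_accounts(passwd_text):
    """Return account names other than 'root' that carry uid 0.

    A backdoor administrator-level account shows up as an extra uid-0 entry."""
    found = []
    for line in passwd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue  # malformed line: skip rather than crash the audit
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            found.append(name)
    return found


def world_writable_dirs(paths):
    """Return the directories among `paths` whose mode grants write to 'other'.

    World-writable system directories let any local user replace binaries or
    plant files.  Paths that do not exist are ignored."""
    hits = []
    for path in paths:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue
        if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_IWOTH:
            hits.append(path)
    return hits


def logging_disabled(syslog_conf_text):
    """True if no active (uncommented) rule remains in a syslog.conf-style file,
    i.e. logging has been switched off by commenting everything out."""
    for line in syslog_conf_text.splitlines():
        s = line.strip()
        if s and not s.startswith("#"):
            return False
    return True


# Constructed sample inputs.  'svc' is a hypothetical backdoor account name.
SAMPLE_PASSWD = """\
root:*:0:0:System Administrator:/var/root:/bin/sh
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
svc:*:0:0:Service Account:/var/empty:/bin/bash
"""
SAMPLE_SYSLOG_ON = "*.notice;kern.debug;mail.crit\t/var/log/system.log\n"
SAMPLE_SYSLOG_OFF = "# *.notice;kern.debug;mail.crit\t/var/log/system.log\n"


def demo():
    """Run the three checks against the constructed data and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "Applications")
        loose = os.path.join(tmp, "Library")
        os.mkdir(clean)
        os.chmod(clean, 0o755)  # drwxr-xr-x: normal
        os.mkdir(loose)
        os.chmod(loose, 0o777)  # drwxrwxrwx: anyone may write
        checked = [clean, loose, os.path.join(tmp, "missing")]
        return {
            "extra_root_accounts": extra_root_accounts(SAMPLE_PASSWD),
            "world_writable": [os.path.basename(p) for p in world_writable_dirs(checked)],
            "logging_disabled": logging_disabled(SAMPLE_SYSLOG_OFF),
        }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Against the constructed data the audit reports the extra uid-0 account "svc", the world-writable "Library" directory, and logging disabled; any one of those on a production host warrants a closer look, since the script restores none of them.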

“This is a shot across the bows rather than a pressing immediate danger to Mac environments,” says Graham Cluley, senior technology consultant at antivirus vendor Sophos. Still, “the Renepo worm reminds Mac users who may have felt smug that most viruses target the Microsoft Windows market that they should be careful not to turn a blind eye to security.”

Sophos says the worm hasn’t been seen in the wild. Computer Associates, on the other hand, notes the worm spreads through file-sharing networks. Still, vulnerability information provider Secunia characterizes the worm as a “very low risk,” its lowest rating for vulnerabilities.

- - -

Taking IPS to 8 Gigabits

In the bid to use networking equipment most efficiently, latest-generation network topologies increasingly route the packets of a single conversation across different devices. Yet intrusion prevention systems (IPS) can have a hard time keeping up, both with the throughput and with tracking related packets as they traverse those different devices.

Enter the latest generation of IPS, such as the Attack Mitigator IPS 5500 Protection Cluster from Top Layer Networks. The cluster reaches 8 gigabits per second (Gbps) of throughput because it is built from two IPS units, each capable of 4 Gbps. The devices sport dedicated Gigabit Ethernet ports to tie themselves together for load sharing and failover.

Top Layer says this cluster also handles asymmetric traffic, where the packets of one conversation do not all take the same path: a flow may begin on one router while its return traffic, or later packets, arrive through another, so any single inline IPS sees only part of the exchange. Having an IPS product follow conversations across different routers, to determine which packets are friend or foe, is a technical challenge. Even so, “the smarter your networking guys are, the more likely they have this approach,” says Mike Paquette, Top Layer’s vice president of marketing and product management, hence the need to integrate with it.

In general, asymmetric networking “is really good for networking availability, and it’s really bad if you try to provide any network security on that,” he says. With this product, however, “you don’t have to make any changes in terms of your routing, you can just drop in our box, and we’re able to match the performance with the protection,” says Sanjay Raja, director of product marketing at Top Layer.
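The reason asymmetric routing is “really bad” for inline security is easiest to see with a stateful check. The simulation below is an added example, not Top Layer's code: a deliberately small inline-IPS model that only passes data on TCP flows whose three-way handshake it has observed. Sensor A sits on router 1 and sees the client's SYN, ACK and data; the server's SYN-ACK comes back through router 2 and is seen only by sensor B. With private state tables (a stand-alone box), A never sees the handshake complete and drops legitimate data; with one table shared between the two sensors (the cluster's state sharing over its dedicated inter-device link), A sees an established flow and inspects the data. Packets, addresses and the `Sensor` class are constructed for the example.

```python
"""Why asymmetric routing breaks a stand-alone stateful IPS, and how sharing
flow state across cluster members restores inspection.  Added simulation,
not vendor code; all packets below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str           # TCP flags, e.g. "S", "SA", "A", "PA"
    payload: bytes = b""


def flow_key(p):
    """Direction-independent key so both halves of a conversation map to one entry."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


class Sensor:
    """Inline IPS that only passes data on flows whose handshake it has validated.

    Passing the same `table` to two instances models cluster state sharing;
    leaving it None gives each sensor a private table (a stand-alone box)."""

    def __init__(self, name, table=None):
        self.name = name
        self.table = {} if table is None else table

    def inspect(self, p):
        key = flow_key(p)
        state = self.table.get(key, "NONE")
        # Minimal TCP handshake tracker: NONE -> SYN -> SYN_ACK -> ESTABLISHED
        if p.flags == "S":
            state = "SYN"
        elif p.flags == "SA" and state == "SYN":
            state = "SYN_ACK"
        elif p.flags == "A" and state == "SYN_ACK":
            state = "ESTABLISHED"
        self.table[key] = state
        if not p.payload:
            return "pass"  # control packets are forwarded as-is
        # Data on an unvalidated flow: a strict IPS drops it (availability loss);
        # a permissive one would forward it uninspected (security loss).
        return "inspect" if state == "ESTABLISHED" else "drop"


def run_scenario(shared_state):
    """Client C talks to server S.  Forward packets traverse router 1 (sensor A);
    the server's SYN-ACK returns via router 2 (sensor B).  Returns A's verdicts."""
    table = {} if shared_state else None
    a = Sensor("A", table)
    b = Sensor("B", table)
    c, s = "10.0.0.5", "192.0.2.10"
    verdicts = []
    verdicts.append(a.inspect(Packet(c, 40000, s, 80, "S")))
    b.inspect(Packet(s, 80, c, 40000, "SA"))  # seen only by sensor B
    verdicts.append(a.inspect(Packet(c, 40000, s, 80, "A")))
    verdicts.append(a.inspect(Packet(c, 40000, s, 80, "PA", b"GET / HTTP/1.0\r\n\r\n")))
    return verdicts


if __name__ == "__main__":
    print("stand-alone sensors:", run_scenario(shared_state=False))
    print("shared-state cluster:", run_scenario(shared_state=True))
```

The stand-alone run ends in a drop of the client's request, which is the availability problem operators usually “solve” by letting the IPS pick up flows mid-stream, at the cost of never validating the handshake. The shared-state run ends in an inspected, established flow without touching the routing, which is what Raja's “you don't have to make any changes in terms of your routing” claim amounts to.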

Who needs 8 Gbps in an IPS? Paquette says organizations that rely on Gigabit Ethernet backbones, such as large enterprises, service providers, and (increasingly) government agencies, often do, since monitoring just a single full-duplex Gigabit Ethernet connection requires 2 Gbps of inspection throughput. With multiple Gigabit Ethernet connections for redundancy, and multiple IPS for failover, throughput needs start to add up.

Related Article:

Product Shootout: Intrusion Prevention
http://www.esj.com/news/article.aspx?EditorialsID=836

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.