C. Warren Axelrod

Is the End-User to Blame for the Lack of Security?

I recently read James Bamford’s book The Shadow Factory: The Ultra-Secret NSA from 9/11 to the Eavesdropping on America, which, as the subtitle suggests, is a history and an exposé of the NSA (National Security Agency). It is certainly a book that should be read by privacy advocates and those interested in the interplay among the various intelligence and law enforcement agencies, both in the U.S. and elsewhere. A particular quote that caught my eye was that on page 183 by David W. Aucsmith, security architect and CTO for Microsoft Corp.’s Security and Business Technology Unit, and a recent member the NSA’s Advisory Board. He is quoted as saying: “The actual user of the PC—someone who can do anything they want—is the enemy.” Nice, but I happen to disagree.

I believe that PC users have been wrongly put in an untenable position with respect to end-user security, namely, they are given all the responsibility (and blame) and little authority and few tools to resolve issues.

There you are. You just attempted to shut down your PC when a notice appears admonishing you not to turn off your computer as 5 updates are being applied and we’re only at update number 3. You wait anywhere from 2 minutes to 30 minutes as your machine whirs away in a magical mysterious way as, presumably, you are being given new features and further protection against the latest malware. But are you? Could this be rogue software injecting all forms of malware into your formerly pristine machine? Well, yes, you can do your research and determine the validity of the updates, decide whether you want them installed, check the web for indications of what the updates, if real, are actually doing. But who has the time and inclination to do that? Most of us just succumb and pray that the updates are real and that they will not damage or otherwise hamper the operation of our machines, albeit unintentionally.

One Comment

  1. Dan Schrader Feb 7, 2011 at 4:24 pm | Permalink

    You’re absolutely right. Any security system that relies on users to make good security decisions is bound to fail. My company, Symantec, works with our customers’ CISOs, internal IT staff and channel partners to help them do a better job communicating the need to embed security within everyone in the company. Too often, employees don’t hear from the CISO or the IT department until after the organization has been hit by an attack or suffered a breach.

    From a technology perspective, enabling organizations to make and enforce security policies based on real data is critical to helping employees avoid making innocent – yet costly – mistakes. For example, establishing a policy that prevents users in finance with sensitive data from installing software unless it has a good security rating and is known to be used by at least 10,000 people for at least 3 months. Providing application control, malware detection and network access control based on the experience of hundreds of millions of systems is more effective than relying on blacklisting and whitelisting technologies alone.

Post a Comment

Your email is never published nor shared. Required fields are marked *

*
*