
Debunking some common myths about safe personal computing

August 31st, 2006

Previously we have addressed:

Today we want to focus a bit on end-user myths.

There are some common myths that may influence your security practices regarding your PC. Having a better understanding of these issues will allow users to better protect their PCs, rights, privacy as well as information assets.

While believing these myths may not present a direct threat, it may cause you to be more lax about your security habits. Naturally, if one is diligent about protecting one’s PC or smartphone, the chances of becoming a victim of an attack are lowered. The myths below are not listed in any particular order.

    _Myth #1_: Hackers exploit zero-day vulnerabilities to destroy data on infected PCs

She probably can, but does she really want to? Most of today’s real attack threats to any business or home PC that is online occur through semi-automated attack patterns using various types of malware (e.g., viruses, worms, Trojans and rootkits). The malicious user or attacker wants to hijack the system and take control of it in order to send out spam or to attack other web sites.

Similar to a biological virus, a computer virus or worm will not kill its host (i.e. the infected computer) because if it were to do so, it could not propagate or spread itself and infect other machines.

    _Myth #2_: If you encrypt the information on your PC you should be fine

Encrypted directories and files do reduce the risk of having the information stored in them stolen. Nonetheless, the attacker can still take advantage of a software vulnerability and use your machine for certain purposes. For this reason, a regular update of your software is an absolute necessity.

Today, social engineering might be used to infect a PC or vulnerable system. For instance, spam mailed to a worker at home gets him to visit a malicious website that, in turn, will install malware on the user’s machine.

Such attacks are launched against average end-users via e-mail and through the browser (see for instance Somebody knows where you have been – ending your privacy one visit at the time).

    _Myth #3_: Every PC needs an intrusion detection system

If the security alarm in your home is triggered by an intruder, there is a reasonable chance that the police can arrive in time to catch the burglar. Unfortunately, an incident may happen with one’s PC connected to the internet, whilst the user is getting a cup of coffee. In turn, malicious code could be installed on a PC to send spam or infected files to others (e.g., those in the e-mail address book), _before_ one can take the necessary response to stop it.

The most effective security measures are proactive, not reactive. If an intrusion or misuse can be detected, then it can also be prevented. Hence, intrusions can be prevented by:

    > applying security patches,
    > using access control measures,
    > preventing actions from being executed (e.g., in certain directories) before they are okayed.

As long as the user can stop any action from being launched unless it is required and needed, little can happen. For instance, even if the system were infected by a rootkit, the actions the rootkit wants to perform would not be authorized. In turn, it cannot perform what it is supposed to (see also: CyTRAP Labs’ Choice – intrusion detection scanner for free).
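A minimal sketch of the third measure above, added here as an example (it is not code from the original post or from any product it mentions): a default-deny gate that refuses to launch files from guarded directories until their content hash has been okayed. The directory names, file names and the `ExecutionGate` class are constructed for illustration.

```python
import hashlib
from pathlib import PureWindowsPath

# Constructed policy: directories the user (or malware running as the user)
# can write to, so nothing there runs until it has been okayed.
GUARDED_DIRS = [
    PureWindowsPath(r"C:\Users\alice\Downloads"),
    PureWindowsPath(r"C:\Users\alice\AppData\Local\Temp"),
]

class ExecutionGate:
    """Default-deny launch decisions for files in guarded directories."""

    def __init__(self, guarded_dirs):
        self.guarded_dirs = list(guarded_dirs)
        self.approved = set()  # SHA-256 digests the user has okayed
        self.log = []          # (path, decision) pairs for later review

    def approve(self, content: bytes) -> str:
        digest = hashlib.sha256(content).hexdigest()
        self.approved.add(digest)
        return digest

    def decide(self, path: str, content: bytes) -> str:
        p = PureWindowsPath(path)
        guarded = any(d in p.parents for d in self.guarded_dirs)
        digest = hashlib.sha256(content).hexdigest()
        if not guarded:
            decision = "allow"           # outside the guarded directories
        elif digest in self.approved:
            decision = "allow-approved"  # okayed by content, not by name
        else:
            decision = "deny"            # never okayed, so it does not run
        self.log.append((str(p), decision))
        return decision

def demo():
    gate = ExecutionGate(GUARDED_DIRS)
    installer = b"constructed bytes standing in for a wanted installer"
    dropped = b"constructed bytes standing in for an unwanted dropped file"
    gate.approve(installer)
    return [
        gate.decide(r"C:\Users\alice\Downloads\setup.exe", installer),
        gate.decide(r"C:\Users\alice\AppData\Local\Temp\svch0st.exe", dropped),
        # Reusing an approved file name does not help: the hash differs.
        gate.decide(r"C:\Users\alice\Downloads\setup.exe", dropped),
        gate.decide(r"C:\Windows\System32\notepad.exe", b"constructed"),
    ]

if __name__ == "__main__":
    print(demo())
```

Approval is keyed on the file's content hash rather than its name, so a dropped file that reuses an approved name is still denied.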

    _Myth #4_: Once your PC has been patched, the security hole should be fixed.

Software patches do not always fix security holes. Usually you have three possible outcomes:

1) it works perfectly and all is fine,

2) the vulnerability is moved somewhere else, and finally,

3) a new vulnerability is created by installing the patch, as was demonstrated this month when installing the patch (advisory – MS Patch Tuesday – August 2006 – security bulletins for Microsoft Windows and Microsoft Office) introduced a new vulnerability (advisory – Microsoft Internet Explorer – URL parsing buffer overflow vulnerability).

    _Myth #5_: Theoretical vulnerabilities do not pose a threat

Patches (see above) address published exploits. However, the fact that a vulnerability has not been made public neither means that it does not exist nor suggests that there are no other holes that can be exploited.

For instance, some vulnerabilities may be theoretically known and the proof of concept code is currently being worked on and discussed on technical lists. Vendors may even decide to ignore such discussions until they become a really high profile matter through media attention or a possible disaster.

Unlike in corporate networks, a home user is surely not going to probe for and find the possible hole. Nonetheless, being cautious does prevent one from becoming a victim.

    _Myth #6_: Using wireless is inherently insecure

Conventional wisdom holds that Wi-Fi is inherently less secure than wired networks because of its early days, when the Wired Equivalent Privacy (WEP) protocol had more security holes than Swiss cheese. However, wireless security has come far, but a user must first enable these security features.

Enabling these security features is simple indeed: all the user has to do is turn on WPA (Wi-Fi Protected Access) shared key security. Nevertheless, it still takes the user choosing that option from a drop-down menu.

For more, see: Sensible precautions for securing your public hotspot experience – making your laptop ‘hotspotworthy’

_How were these myths established?_

There is no one cause for these myths. They may have been formed because of a lack of information, an assumption, knowledge of a specific case that was then generalized, or some other source. As with any myth, they are passed from one individual to another, usually because they seem legitimate enough to be true.

A final note: This is a work in progress. Send in suggestions via the discussion forum below, or email me directly.

