Security Common Sense
During the last couple of years we have seen major developments in terms of securing the server as well as the desktop, though it has been mostly the desktop that has caught our interest due to its "vulnerable by default" nature. The desktop has become the primary target for attackers and it seams that this trend will continue to grow during the upcoming 2008. Some my argue that we have done well, as a community, and the desktop and the server a lot more secure then before, but only a few will admit that what we have achieved is not exactly what we've wanted. 2007 was the year in which we've destroyed the "Security Common Sense".
What is the "Security Common Sense"? The common sense in security is the thing that moves the wheels. Even when the Net is more hostile then ever, the common sense is what keeps you protected. But how one can preserve the common sense when all defensive technologies we've build work against it? Let have a look at Microsoft Vista and MacOS X Leopard operating systems, for a moment, although I must admit that my experience with Leopard is quite limited.
Secure by default, both Vistas and Macs are a step back, IMHO. "How come?" - you may ask? Aren't they more secure? Although technically speaking, they are more secure, this security superiority is not real. It is fake. The entire security model is based around the idea that the user knows what he is doing. It is easy to put the responsibility of the entire security model on the users but we all know that users don't know what they are doing. Why the user should be responsible for staying secure. Without no doubt, their lack of common sense, when it comes to security decisions, will fire back.
We basically train a bunch of monkeys to click the "yes" button for every security warning.
It is really a very common experiment often performed on labrats. These types of experiments are even performed on the client-side security models as well. Almost every single technology out there relies on the fact that the user will make the right decision when the time comes: "should I download or not, should I open that or not, should I install this update or not, should I click on run or not, should I approve the warning or not?" This is what destroys the common sense from inside. We want every user to be a security expert. How is that feasible?
These are not secure technologies. We need something that requires less decisions. In fact, less decisions = more secure. A secure technology is something that keeps the balance between the security and accessibility. People will get hacked, no matter how hard you try to prevent it from happening. People will die on the road no matter how good the road system is. But keeping the balance is what makes everything work. Unfortunately for us, we've taken on the wrong way and it might be too late before we realize what we have done wrong. Is your "Security Common Sense" still in tack?
Please take may rant lightly. It is really something that I believe we just need to pay more attention on.