What’s the Fuss?

Have you ever been asked:

  • What’s all the fuss about computer security? I don’t have any sensitive data on my home computer, and at work, I don’t have access to any sensitive data.
  • Why would anyone attack my computer?

How do you respond? Here’s how I handle it.

First, I ask them if they ever receive spam. Then I ask where they think spam comes from. Usually, they have no idea.

So I explain that a large portion of spam is sent from compromised computers, both those on corporate networks, and especially home computers, which typically are poorly protected and maintained. I then ask them whether they’d be comfortable if their computer was used to send out pornographic spam. Now I have their attention, so I continue.

Second, I remind them that while they may not have access to sensitive applications or servers at work, they have more access than attackers do. Attackers, I tell them, after gaining access to a computer account, look for information on the hard drive and on the servers to which the account has access, and then use the information learned to compromise other accounts and systems.

Similarly, I continue, once attackers gain access to an application (using the compromised account), much more company information is available. Furthermore, even with limited user access, a skilled attacker can sometimes trick an application into displaying more data than it should.

Third, keeping in mind this is getting a bit technical, I note how attackers need several compromised computers to attack others and cover their trail. To avoid being traced, attackers compromise and link several computers together electronically, usually from different companies in different countries with different computer crime laws.

If the attack is discovered, the computer connection must be traced back from Company D’s compromised computer to Company C’s computer, then Company B’s, and then Company A’s, and finally back to the attacker’s computer. The chances of all those companies cooperating in the investigation and having the appropriate logs required to trace the connection are slim. I ask my friend, “Do you want your computer to be part of that trail?”

Fourth, I mention zombies: everyone knows that zombies, whatever they are, are on the dark side. I simply describe how many compromised computers are electronically linked together, like a massive conference call, and used to “call” another computer over and over, causing a nasty busy signal (called a distributed denial of service attack) that prevents others from using the attacked computer.

Finally, I bring it all back home and make it personal. I ask whether they ever use their home computer to:

  • Store family photos, movies, or MP3 collections?
  • Do taxes?
  • Do online banking?
  • Buy anything with a credit card?
  • Visit web sites of which their mother would not approve?
  • Send emails containing personal opinions regarding their sweetie, boss, family members, or global warming research?

If the answer is Yes to any of those questions, then I suggest to them that there IS sensitive and/or precious data on their computer, and they should be applying updates, using antivirus software, using strong passwords, doing backups, etc.

If you don’t want your computer to be a pawn in another person’s castle, and if you have any secrets, you need security.

Update

Here’s a great article describing many ways attackers can use a hacked PC. It includes a nice graphical summary too.

Filed under Security, Security Scope

2 responses to “What’s the Fuss?”

  1. I’m afraid I go straight for the throat – and tell them they could lose the family photo album / their MP3 collection or the book they’re writing – this usually gets their attention pretty quick!

    But there are always ‘the others’ who refuse to believe there is anything they have on their computer of any value. These folk usually don’t perform any maintenance / patching / updating etc. and never perform a backup: almost always it is these folk who fall the hardest, when I tell them I can’t quote for data recovery, as their laptop has been stolen and they have no backup.
    Whenever I get requests to design and install backup solutions – 95% of these come from people who have previously lost data.

    My eternal hope is that the day will come when folk call me to install the backup solution before their system goes belly up!

    • ITauditSecurity

      While the main focus of this post was security at work, your comments were laser-sharp in getting people to understand the risk of not securing home computers. In fact, I added your comments as the first bullet above.

      Over and over I have found that when people understand what security means to them personally, at home, then they tend to bring those attitudes and practices back to work.

      Everything they learn at one location strengthens their grasp of security in the other location, which results in a circle of education and practice that makes them a better worker and citizen. I’ve even seen these types start evangelizing others.

      I know it sounds corny and Utopian, but it occasionally happens.

      Thanks again for your input, Tim (who by the way offers more of his insights on the creative perspective of IT at http://timbrison.wordpress.com/ )
