The best cyber security practices are…

…the ones that don’t expect any action from the end user or assume any expertise on their part. Naturally.

I did try to make a case for ‘no substitute for user education’ several years ago. However, with the Internet now being as ubiquitous and essential a service as the phone, or even water and electricity, the prospect of a security-savvy user base – one capable of telling HTTP from HTTPS, or paypal.com from paypal.abc.com – keeps receding. The answer to the growing cyber fraud threat cannot rest solely on the average netizen’s ability to detect and fend off ever more sophisticated attacks from the bad guys. Continuing the analogy with physical security, it is equivalent to saying “let’s assume all the good guys have a gun and know how and when to use it to defend themselves”. That strategy might have worked in the Wild West (if it did), but has poor chances in the 21st century’s Cyber World (sorry, NRA).

Not surprisingly, the industry is slowly but surely moving towards, let’s call it, “built-in security”. The shift in mindset could be characterized as security considerations becoming a driver rather than an afterthought.

For example, it’s well known that many users chronically fail to patch their computers – operating systems and applications (browsers, PDF readers, Java VM, etc.). That leaves them wide open to ‘exploits in the wild’, which inevitably results in data being stolen and machines being infected and ‘enlisted’ into a botnet. To address this, more companies are switching to a ‘stealth update’ mode. For instance, unlike its competitors, Google’s Chrome does not ask the user to initiate an update – it installs updates silently, without the user even knowing. Windows 7 seems to adopt the same approach: by default, users are not asked to do anything to have their operating system patched.

The same rule applies to other security measures. Facebook recently introduced a nice feature allowing its traffic to be switched to HTTPS. Alas, the option is off by default, and the 600 million users are expected to go to their account settings and turn it on manually (most probably Facebook was wary of the cost of a wholesale move to HTTPS). Again, Google shines here. Not only did it move its Gmail service to HTTPS well before Facebook did, it also made it universal and on by default – no user action was expected. I bet the vast majority of Gmail users didn’t even notice the change. Another, less known example is the recently introduced HTTP Strict Transport Security (HSTS), which lets a web site instruct browsers to connect to it over HTTPS only and to refuse connections whose certificate does not check out, blocking the man-in-the-middle trick of downgrading a user to plain HTTP (the very first visit is still unprotected unless the site is on the browser’s preload list). Again, “average” users need not even know the mechanism exists.

These trends are bound to gain momentum. I imagine more and more companies will switch to HTTPS in the near future, and patching will not require user confirmation by default (perhaps leaving an “ask me first before updating” option – off by default – for tech-savvy or picky users). More services will move away from simple password-based authentication. Microsoft Security Essentials will become an integral part of the Windows OS (if anti-trust regulators allow it). Applications will become increasingly sandboxed. And so on…

This is not to say that one day you will be able to survive in the Cyber World without some basic knowledge and prudence – just as you need some common sense in everyday life, from how to cross the street to avoiding dangerous neighborhoods. However, that knowledge should be kept to a minimum, be intuitive, be transparent, belong to the public domain and even make it into the school (kindergarten?) curriculum. In the end the rules should be simple enough that – unless you are striving for a Darwin Award – by following them you are not risking your (cyber) well-being. The rest should be taken care of by smart technology. Ideally.

Is there an alternative to user education?…

…in the global fight against fraud? IMHO, there isn’t. Although I am not – by any stretch of the imagination – the first to arrive at this conclusion, nobody has come up with a working idea of how we can realistically move the needle in this direction.

I recently had a chance to present a hastily put together “Cyber-security 101 – Defensive Browsing for Everyone” presentation* to a not-necessarily-technical audience. A friend of mine joked afterwards: “most of them will never use the Internet again” 🙂 While that wasn’t really my intention, I can’t help but acknowledge that the sheer number of steps to take, “rules of thumb” to follow and details to pay attention to in order to remain safe online can be pretty daunting to the average surfer. Bridging that knowledge gap for the “masses” has so far been an insurmountable challenge for the industry.

Now, as a humble “soldier” in this fight, I have worked out my own tricks for conveying the message. For example, I consider cyber crime to have a lot in common with crime in the physical world – a phenomenon the average person is much more familiar with, since it is far more tangible and intuitive. Consequently, when evangelizing “defensive browsing” I use this analogy to explain each concept through its physical-world “equivalent”. In my experience it generally proves quite effective.

For instance:

  • Browser – the door between your house (in this case perhaps an RV) and the street
  • Unpatched PC – a poorly locked door, leaving you increasingly vulnerable to every potential thief in the neighborhood (on the Internet the ‘neighborhood’ is the whole World, including criminals beyond the reach of the American justice system)
  • Browsing suspicious sites – strolling in known bad neighborhoods at night
  • Plugging your USB drive into somebody else’s computer (or the other way around) – having unprotected sex with a stranger
  • Clicking on a link in an email – opening the door as soon as somebody knocks, without checking who is on the other side
  • Anti virus – pest control in the house
  • Phishing site – an impostor pretending to be your cleaning person’s ‘cousin’ to get the keys to your house
  • Open Wi-Fi (with no additional precautions) – a place where the bad guys can easily plant a tracking device, a bug or a video camera on you

In a way, cyber security can be viewed as an extension of our physical security, so the analogies are really limitless. Making that connection is the first step in educating crime-aware and responsible “netizens”.

*[update] I’ve put the presentation here:

Applying “Google spellchecker” principle in detecting online fraud

One of the ways the bad guys manage to penetrate or subvert a web site’s functionality is by “poking around”: hitting different pages – often on different geographic variants of the site (e.g. instead of XYZ.com, the country-specific XYZ.de, XYZ.ca, etc.) – and “playing” with input parameters, looking for input validation gaps or other inconsistencies between pages. If successful, the bad guys can do a lot of harm – including manipulating data (e.g. changing a user’s state by following a page sequence the site never intended, a.k.a. forced browsing), stealing information and so on.

Such breaches could be detected early by using a technique I call the “Google spellchecker” approach. Anybody who has used Google to check the spelling of a word – or the right collocation or phrase – knows the underlying principle. It’s (paraphrasing eBay’s motto) “people are basically educated”. That is, if we have 5 million hits for one spelling and 5 thousand for the “competitor” spelling, then the former is the correct one. (BTW, that is one of the basic principles of linguistics: if enough people say ‘nucelar’, it automatically becomes a legitimate word.)

The same principle would work in detecting bad behavior as follows:

  1. assign each page a unique ID (normal practice)
  2. define the boundaries of individual user sessions
  3. record the sequence of pages hit during each session – e.g. 23 (login), 887 (account settings landing page), 368 (account settings confirmation), 99 (logout); in other words, create a “page trail” for each session
  4. at the end of each session, increment a counter for the trail it produced – e.g. 23,887,368,99 -> 1035 times

Leave the system to bake for some time. Assuming that most people use the site for legitimate purposes, the counts will eventually reflect the “normal” usage of the site. Keeping that information allows abnormal usage (e.g. jumping to 368 “account settings confirmation” without hitting 887 “account settings landing page”) to be detected very soon after the “probe” is made. Early detection matters: if the hole becomes widely abused, its sequence may approach the “normal” level, so the baseline should be built from the learning period and not keep absorbing sessions it has already flagged. We also need safeguards against false positives – e.g. if a new page is added to the site, we want to know about it (e.g. keep page age information) and treat trails through it as an exception.
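As an added example (this is not code from the original post), here is a minimal Python implementation of steps 2 to 4 above plus the scoring of later sessions against the baked baseline. It goes slightly beyond the post by also counting individual page-to-page transitions, so the case in the text (reaching 368 without passing through 887) is caught even when the rest of the trail looks ordinary. The session IDs, page IDs and log lines are constructed for the example; the `new_pages` allowlist is my assumption for the page-age exception the post mentions.

```python
from collections import Counter

# Constructed sample session log (not from the original post): one
# "session_id page_id" pair per line, in arrival order. Page IDs follow
# the post: 23 login, 887 settings landing, 368 settings confirm, 99 logout.
SAMPLE_LOG = """
s1 23
s1 887
s1 368
s1 99
s2 23
s2 99
s3 23
s3 887
s3 368
s3 99
s4 23
s4 887
s4 99
s5 23
s5 887
s5 368
s5 99
s6 23
s6 887
s6 368
s6 887
s6 368
s6 99
""".strip().splitlines()


def sessions_from_log(lines):
    """Steps 2 and 3: group page IDs by session, preserving hit order."""
    trails = {}
    for line in lines:
        sid, page = line.split()
        trails.setdefault(sid, []).append(int(page))
    return trails


class TrailBaseline:
    """Step 4: count whole trails and (going beyond the post) each
    page-to-page transition seen during the learning period."""

    def __init__(self):
        self.trail_counts = Counter()   # (23, 887, 368, 99) -> 1035
        self.edge_counts = Counter()    # (887, 368) -> n
        self.known_pages = set()
        self.sessions = 0

    def learn(self, trail):
        trail = tuple(trail)
        self.trail_counts[trail] += 1
        for edge in zip(trail, trail[1:]):
            self.edge_counts[edge] += 1
        self.known_pages.update(trail)
        self.sessions += 1

    def frequency(self, trail):
        """Share of learned sessions that produced exactly this trail."""
        return self.trail_counts[tuple(trail)] / self.sessions if self.sessions else 0.0

    def score(self, trail, new_pages=frozenset()):
        """Return findings for one session; an empty list means 'looks normal'.

        new_pages (assumed helper, not in the post): IDs added to the site
        after the baseline was built are reported, not flagged as abuse.
        """
        trail = tuple(trail)
        if any(p in new_pages for p in trail):
            return ["new page in trail; baseline not applicable"]
        findings = [f"unknown page {p}" for p in trail if p not in self.known_pages]
        for a, b in zip(trail, trail[1:]):
            if self.edge_counts[(a, b)] == 0:
                findings.append(f"never-seen transition {a}->{b}")
        if not findings and self.trail_counts[trail] == 0:
            findings.append("trail of known transitions never seen as a whole")
        return findings


def build_baseline(lines):
    """Bake the baseline from a learning-period log (step 4)."""
    baseline = TrailBaseline()
    for trail in sessions_from_log(lines).values():
        baseline.learn(trail)
    return baseline


def scan(baseline, lines, new_pages=frozenset()):
    """Score every session of a later log against a frozen baseline.
    Flagged sessions are deliberately not fed back into the baseline, so
    an abused hole cannot drift into 'normal' as the post warns."""
    return {sid: baseline.score(trail, new_pages)
            for sid, trail in sessions_from_log(lines).items()}


if __name__ == "__main__":
    base = build_baseline(SAMPLE_LOG)
    # Constructed probe: confirmation page reached without its landing page.
    probe = ["p1 23", "p1 368", "p1 99"]
    for sid, findings in scan(base, probe).items():
        print(sid, findings or "normal")
```

In production the baseline would be rebuilt periodically from sessions that were not flagged, and the "never seen as a whole" finding would be replaced by a rarity threshold on `frequency()` (the post’s 5 million versus 5 thousand), since on a large site a brand-new but legitimate trail is common enough that an exact-zero test alone would be noisy.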

Naturally, the approach is not bullet proof (hardly any is). Indeed, if fraudsters are sophisticated enough they could mask their behavior by mimicking a legitimate sequence, or by making session tracking more difficult (e.g. spreading the probe over many sessions). Nevertheless, that would be a serious complication of their lives – another “bump” on their way – so the goal of slowing them down would be fully achieved.