Thursday, February 08, 2007

Clueless or Defenseless?

In the wake of initial media coverage about this week's attacks on DNS root servers, a Sophos press release quoted Graham Cluley, senior technology consultant at Sophos, as commending "the resilience of the root servers" but pointing to "the lax attitude of some users towards IT security" as "the root of the problem." Cluley reportedly found it "ironic that the people who depend on the web may have been the ones whose computers were secretly trying to bring it down."
Cluley's comments, unfortunately, both understate and misstate the problem. If Vint Cerf's recent estimate -- that as many as 150 million of the 600 million computers on the Internet may be infected and pressed into service in botnets -- is correct, the problem is not "some users," but vast numbers of individual and corporate users. At the same time, it is important to keep in mind that "those who depend on the web" also depend on those who provide critical security software and services.
This week, Trend Micro issued an advisory about a serious security flaw in its antivirus scan engine that could be used to trigger a buffer overflow and allow an attacker to take control of the system. One could say it's ironic that a leading security vendor provided security-minded users with products that contained their own significant vulnerability.
Certainly, the sort of vulnerability that Trend Micro announced is far from unique -- and that's precisely the point. End-users, from naive newbies to sophisticated programmers, should bear only a portion of the total responsibility for improving IT security worldwide. While we move, haltingly, toward a better allocation of responsibility among all participants in the online world (including infrastructure and content providers and IT security vendors) for maintaining IT security, placing the blame on just "some users" simply misdirects the discussion into unproductive debate.
