The best laid plans of security professionals can be thrown into chaos by the acts of individual users.
Can you rely on users to have any significant impact on security, or are they the weakest part of the chain?
Operating system (OS) vendors have tried to simplify security for users with wizards, but has this made the problem worse? The more often the OS questions the user about security, the more likely the user is to simply click ‘yes’ without thought.
Take my neighbour. The usual request ‘can you fix my computer?’ was made. It transpired that she had installed an application that required outbound access through the local firewall. After clicking ‘yes’ a few times in the firewall config wizard, she got worried and started clicking ‘no’ a lot. Surprise, surprise, by the time I got to the PC, it was well and truly ‘fubar’ed.
Users need to manage increasingly complex security processes, and we wonder why they get it wrong. We are savvy security professionals; it's easy to scoff at the domestic users, but we are the victims of the botnets that they inadvertently allow their PCs to become part of. Should we consider taking some responsibility for the home user?
Further, if a business trades with a domestic end user that has their identity and credit card data stolen, it is often the business that gets the blame, even if it was the home user's PC that was compromised.
What's the solution? OS manufacturers are trying to make it more difficult for users to unwittingly install executables, so drive-by attacks exploiting the browser have become the order of the day.
Windows 7 looks set to rectify some of the issues with Vista, including the all-pervasive security wizards, by using a default configuration whereby User Account Control (UAC) only notifies the user when programs try to make changes to the computer, and not when users try to make changes themselves. Of course, it's not simple to distinguish between actions carried out by a program and those carried out by a user. We will have to wait and see whether this system will be effective.
Then there's the irritating situation where vendors don't consider that domestic users are capable of dealing with strong security. How about BT's HomeHub, which for some time only supported WEP encryption? Try obtaining good tech support about strong encryption for a domestic security product! I was having difficulty configuring a wireless repeater some time ago; the advice from the vendor's tech support team was to disable encryption. Right...
The issue crops up in other areas; mobile devices such as those running Windows Mobile and BlackBerries can be configured with a strong security policy, but what about users who work with iPhones? The device is aimed at both corporate and domestic users, so seems to end up with an odd compromise on security.
For example, when a faked SSL certificate is presented to an iPhone, the user alert is weak. It's difficult to obtain further information about that certificate and – even worse – the iPhone caches that invalid certificate permanently if accepted. Yet again, functionality and ‘street appeal’ appear to have won the war against security.
Internet Explorer and Firefox are starting to get it right, and have given serious thought to the process of dealing with certificate exceptions. Extended Validation (EV) SSL certificates turn the URL bar red or green as appropriate, and browsers now make it very clear that accepting an invalid certificate could have serious consequences.
Any instance in which the responsibility is placed on the user to make a security decision can leave a system open to attack, or result in serious damage to their computer. Complex security systems are essential in this day and age, but confusing security systems will cause more harm than good.
Maybe it's time to take a proactive role; perhaps we should be helping our friends and relatives to keep their home PCs secured, rather than reacting to the aftermath of them misconfiguring their PC security?