The current ‘state’ of security…

One day… a request for help!

Recently I was called in by a friend to “fix his computer”. It was acting up and not working as smoothly as before. To make a long story short, my investigation brought to light that a piece of malware had found its way onto the machine, regardless of current and up-to-date antimalware/antivirus software. During my intervention my friend explained that recently, while surfing the web, he had been presented with several messages very similar to those presented by the security suite when it wants to add a valid exception to its blocking policies. That confirmed my suspicions. To make matters worse: his backups (yes, he made them regularly) were also infected.

“So,” he asks me, “what’s the use of all this fancy so-called security software?”

To be honest, I felt like I was partly to blame, being a security-inclined IT professional. We fail miserably at explaining and teaching good security practices.

Observation… dear Watson!

The above story illustrates that even though you have security measures in place and take regular backups, you can still get bitten by malicious software. So what went wrong?

Lately I am more and more astonished at what people put up with from computer systems. I watch with wonder as they put up with the annoyances of day-to-day computer use, and how this impacts the (in)security of our information ecosystem.

I mean, daily I am asked questions about computers that are starting to act erratically or showing some form of unexpected behavior, such as but not limited to: cryptic error messages, program or even system hangs, crashes, and the like. One common denominator in all those occurrences is that the layman, the non-computer geek, is at a loss and needs a “specialist” or “computer whizz” to solve his issues.

Messages, messages…

In the above story, the installation or download of the malware triggered the security suite to react very similarly to how it reacts when a benign software download and installation is performed. The difference between good and bad was not clear to the user.

So what went wrong here?
First of all, the user acknowledged a message he did not fully understand. Secondly, messages of a different nature are often too much alike: is there an obvious difference between a warning and a confirmation question? Thirdly, complexity makes matters more difficult to solve.
So, why does an end user press YES or OK?
Software has a bad habit of asking the user for information or confirmation in the most cryptic ways. Those messages are answered with the OK button, or if given a choice the YES button, because positive means good, right? The more computer-minded people among us will acknowledge that this is not always true.

In most cases when the message is not clear the default behavior should be: “Do not acknowledge what you do not understand.” This immediately runs into problems, since cancelled messages have a tendency to resurface as soon as the end user retries what he was trying to accomplish before. Cancelling the message stops the user from achieving his desired goal. Ultimately, the user will be so annoyed that he or she will press the button that shows progress, and whatever collateral consequences that has (e.g. allowing malware to install) are beyond him or her.

So, reason 1: users acknowledge messages they do not understand.

In my view there are several reasons for this behavior. First of all, the IT community does a crappy job of presenting messages that are understandable to the average Joe or Jane. I know this is hard, but we should really do better at this. Secondly, we need to educate the layman about computers and their cryptic messages, in a language the layman understands.

A second cause might be called similarity of messages. The bulk of software programs ask the end user for confirmation with messages that look very similar to warning messages. As an effect, end users are very well trained in clicking the positive answer. When a user needs to be warned of possible danger, it should be clear from the message that acknowledging is not a good idea. Clearly, again, this is a very difficult issue to solve, but we should perhaps rethink how and when software asks for confirmation or warns end users.

So, reason 2: Messages with different meaning are too much alike.

Thirdly, computers are complex informational ecosystems that consist of several hardware and software components which are themselves feats of complex electronic engineering. Basically, one might think it a miracle that a modern computer works at all. So it is almost inevitable that conditions will arise in which it is necessary to ask the end user of the system for more input in order to decide on a way forward. This makes the job of the IT professional hard: we cannot foresee all possible outcomes of what the user does with his system. Hell, we don’t even have a clue about all the systems our solutions will possibly be run on.

Are we lost?

Heavens, no! Although I realize that a solution to the above will be evolutionary in nature, and complex, I am positively convinced that we have the tools to complete and succeed in the end goal, which is a computing environment that anyone can correctly understand and use safely and securely.

Let that be a new year’s resolution: help inform users and try to make your solutions user friendly, i.e. understandable to the non-IT inclined, yet safe and secure. And if you have to pop a message: make it informative, so that we do not need a specialist every time it pops.

Stay Secure! Have a fruitful 2011…