Conflicting Security Messages
By gbrunett on Aug 02, 2005
No wonder people are generally confused about how to protect themselves on the Internet.
Today, I arrived at the USENIX Security Symposium in Baltimore, MD. You will get the irony of this in just a second. The conference, this year, is being held at the Sheraton Inner Harbor Hotel. As with most hotels, they offer both wireless and wired Internet access through a contracted ISP. Next to the network jack in the hotel room is a small sign that provides details about the Internet service including how best to connect to the ISP's network. One of the most prominent sections is titled "Tips for a Successful Connection". The very first tip on their list is:
Disable any VPN, proxy or firewall software that may be running on your computer.
Riiight... As if.
Unfortunately, many people (despite warnings to the contrary) will follow this advice in an effort to make connecting to the service as simple as possible. Who wants to have a problem and then sit idly by for minutes to hours while the problem is identified and resolved, right? Not to mention - how often will technical support just start with the same task anyway: first disable any VPN, proxy, or firewall software...
The problem here is that by disabling your local firewall software (in particular), you may be putting yourself in direct violation of your company's security policy and generally accepted common sense. The end result is that the consumer (yet again) is put at risk, especially if they have not taken other precautions to strengthen the security posture of their system (e.g., hardening, patching, etc.). Further, by extension, these types of recommendations can serve to put our own companies (and potentially critical infrastructure) at risk by opening opportunities for such systems to be infected or otherwise compromised while employees and consultants are on the road. Systems compromised in this way invariably end up connecting back to a corporate network, where the scope and impact of the breach can be multiplied - all because an ISP told you that it would be easier to connect to their network if you disabled your firewall, etc.
Let's take it a step further. This recommendation could be viewed as being in conflict with the President's National Strategy to Secure Cyberspace. The strategy document clearly says (for example):
Home users and small businesses can help the Nation secure cyberspace by securing their
own connections to it. Installing firewall software and updating it regularly, maintaining
current antivirus software, and regularly updating operating systems and major applications
with security enhancements are actions that individuals and enterprise operators can take
to help secure cyberspace. (from Action/Recommendation 3-3)
The real kicker here is that nowhere on the pretty little information card does it instruct the user to re-enable their protections (either while connected or when done using the service). These recommendations could therefore have a long-lasting impact on the end user, especially in cases where the software is not configured to automatically enable itself upon next boot, or in cases where the system is simply not rebooted frequently - such as when using suspend / hibernate modes instead.
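Since the card never tells you to turn your protections back on, the practical countermeasure is to verify the state yourself once you are connected. The script below is an added example, not part of the original post, and it assumes a Linux host whose firewall is iptables (the post names no particular OS or firewall product). It inspects `iptables-save` output and reports whether the INPUT chain is actually enforcing anything; the two rule sets are constructed samples, one representing a hardened host and one representing a host where someone ran the usual "disable the firewall" recipe (flush all rules, set the default policy to ACCEPT).

```shell
#!/bin/sh
# Added example (not from the original post). Assumes a Linux host using
# iptables; the sample rule sets below are constructed for illustration.

# firewall_enforcing TEXT
#   TEXT is the filter table as printed by `iptables-save -t filter`.
#   Returns 0 when the INPUT chain is enforcing something: either its
#   default policy is DROP/REJECT, or at least one INPUT rule drops or
#   rejects traffic. Returns 1 when INPUT is effectively wide open, which
#   is what a flushed table with an ACCEPT policy looks like.
firewall_enforcing() {
    printf '%s\n' "$1" | awk '
        # ":INPUT DROP [0:0]" is the chain policy line.
        /^:INPUT / { if ($2 == "DROP" || $2 == "REJECT") enforcing = 1 }
        # "-A INPUT ... -j DROP" is an explicit rule on the INPUT chain.
        /^-A INPUT / && /-j (DROP|REJECT)/ { enforcing = 1 }
        END { exit enforcing ? 0 : 1 }'
}

# firewall_state TEXT
#   Prints "enforcing" or "open" for the same input, for use in reports.
firewall_state() {
    if firewall_enforcing "$1"; then
        echo enforcing
    else
        echo open
    fi
}

# Constructed sample: a typical hardened laptop policy.
HARDENED='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Constructed sample: the same host after "disable your firewall"
# (iptables -F; iptables -P INPUT ACCEPT). Nothing is filtered.
DISABLED='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Constructed sample: ACCEPT policy, but a terminal DROP rule still
# enforces; this shape should not be reported as open.
ACCEPT_POLICY_WITH_DROP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j DROP
COMMIT'

echo "hardened sample:          $(firewall_state "$HARDENED")"
echo "disabled sample:          $(firewall_state "$DISABLED")"
echo "accept policy + drop rule: $(firewall_state "$ACCEPT_POLICY_WITH_DROP")"

# If we can read the live table (needs root), report on this host too.
if command -v iptables-save >/dev/null 2>&1 \
   && live=$(iptables-save -t filter 2>/dev/null) && [ -n "$live" ]; then
    echo "this host:                $(firewall_state "$live")"
fi
```

Run it after every reconnect (or from a resume hook, since suspend / hibernate is exactly the case where a reboot never arrives to restore the policy) and treat "open" as a prompt to reload your rule set. The check is deliberately conservative: an ACCEPT policy with only ACCEPT rules is reported as open even if a firewall daemon is nominally "running", because the kernel table, not the daemon's status, is what protects the host.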
So, enough ranting for one day... What are your thoughts?
To what degree should ISPs be held liable if their recommendations are followed by consumers trying to access their network, and those consumers are exploited as a direct result of the ISP's recommendations?
Technorati Tag: security