There are two main attack vectors on today’s Internet. First the programs that users make use of to connect to websites, and second user ignorance, carelessness and lack of security sense.
Inexperienced users fall prey to attacks at a much higher rate than experienced users. Even commonly known best security practices, like making sure that an Internet browser is updated when the developer releases a new security patch, are often run in a time frame that is giving attackers ample time to exploit those issues.
But it is not only the technology that is making attacks successful. It is also its users. Phishing for instance has been a problem for more than a decade on the Internet. One would think that users would learn to identify phishing emails by now, but that’s not the reality. People fall for phishing attacks on a daily basis. This article would go to far to look at the root causes for this, but it is likely that ignorance plays a large part in this.
Lets go back to the browser for a moment. Most users know that they have to upgrade the browser when a new version comes out. Most browsers come with automatic update checks and installations these days. Only Google Chrome updates without user interaction, the other browsers, at least for now, display the update notification and give the user the option to run the update. If users opt out, they leave their browser insecure if the update fixed security issues.
Do you want to know how your browser compares to others? Sites like Browserscope allow you to run tests and compare the results with other versions of the same browser and Internet browsers from other companies.
Lets assume you have got your browser updated to the latest version, and that you generally update the application immediately when a new version comes out. You are secure now, right? Nope, you are not. Why? Because it is not only about the browser software. Browsers make automatic use of other applications, commonly called plugins. Popular plugins like Adobe Flash, Microsoft Silverlight or Java are attack vectors as well, and successful ones too.
If you fail to update the plug-ins that are enabled in the browser, you are still prone to attacks. That’s why companies like Mozilla have started to integrate plug-in checks into the browser to inform the user about updates.
But you are secure when you update your operating system, browser and plugins whenever they are updated, right? Wrong again. Two attack vectors remain. First the user and second software vulnerabilities that have not been discovered or fixed yet. (There are actually more if you consider the local network as well. The computer could have a virus for instance that could render all browser security pointless. Another vector are local area network attacks)
A browser cannot help a user who enters his credit card number, verification code and social security number in a web form on a site like paypal.com.sxrixxree.cn. Browsers could block the web address if it has been previously identified as a phishing website, if it was not, it is up to the user to come to that conclusion.
Browser developers are trying to automate security as much as possible, especially for users who do not know a thing about it. But even with all that automation, it boils down to the individual user in the end. Tech savvy users know that everyone should have at least a basic understanding of security to avoid the dangers on today’s Internet. The reality on the other hand looks grim, and it does not look like it is going to change anytime soon.
How do you cope with the dangers on today’s Internet? Do you try to educate family and friends, or have you given up on that?
No comments:
Post a Comment