PC users 'fail security tests'

By Mark Ward
BBC News Online technology correspondent

Future severe outbreaks of worms, viruses and other malicious programs are only going to be avoided with a radical new approach to computer security.

People should avoid clicking on unknown attachments

So says Marcus Ranum, a senior technologist at respected security firm TruSecure and the man credited with creating the first commercial firewall.

Mr Ranum says there is a growing divide between the way that organisations and end users tackle computer security.

Many corporations are taking effective steps to protect themselves against viruses, spam and attacks by criminal or malicious hackers using all the tools and services the hi-tech security industry can provide.

Wrong route

"Although we are making huge inroads in security for corporations," he says, "the end users do not get it."

In particular says Mr Ranum, home users do not seem to worry about security at all.

"As long as it does not hurt them they do not care," he says. "Doing the wrong thing is the path of least resistance."

Ranum: Do not trust end users

Home users with broadband net connections who have their machine turned into a spam relay by a virus will only care if their browsing speed drops significantly or if they are cut off by their provider.

Similarly, he says, renewing a stolen credit card is so easy that few people worry about it when it happens.

"Human users can fairly safely survive by not doing anything," he says, "so they are not going to change."

"We are psychologically unsuited to be secure in the way that the computer industry says we should be."

He says that any approach relying on an educated, interested and diligent population of end users that does not click on attachments, respond to spam and which regularly changes its hard-to-guess passwords, is not going to work.

Net service firms and corporations should not assume that their users will help limit problems.

"Do not trust your users to do anything right," he says.

Self-defence

In Mr Ranum's opinion, technology is going to have to change to work with us rather than force us to do the things we tend not to do.

Firms need to know what is happening to their machines

"Technology is going to have to go towards systems that just work like the cell phone just works," he says, "you do not have to patch your telephone."

"We need to make systems that users do not have to be educated to use."

Instead of concentrating on features, software makers should start thinking about security when they build products rather than add it later, he says.

Along with the creation of such systems go some common sense principles that firms using the net should apply to make it as hard as possible for users to do the wrong thing.

Companies could begin by using e-mail programs that do not open and execute attachments as soon as they arrive.

They should also keep anti-virus software up to date and keep it running to stop the malicious programs as they are spotted.

Computer systems that keep a business running that do not need to be connected to the net should not be, says Mr Ranum.

Finally, he said firms need to start monitoring network traffic to get a better idea of what is normal traffic and spot when virus outbreaks start or if a firm's computers have been hijacked by spammers.

"I think the paradigm is going to continue to be: if you are concerned about being defended you have to defend yourself," he says.