Ignorant home users are a problem. If members of law enforcement are correct, home computers account for many of the compromised machines comprising bot networks used by online criminals to steal identities or launch other types of attacks.
At the recent SC Forum in Georgia, a technology company's CSO said this issue will eventually fall to lawmakers. She likened the information highway to a freeway – before drivers speed down an on-ramp to hastily merge with freeway traffic, they need to get a license. They have to learn to drive, read a book detailing rules of the road, and take tests proving their ability.
Why not apply this to information highway cruisers? According to this CSO, the average home user is clueless about IT security. So the only way to force understanding is legislation requiring a license to log on to the internet.
However, besides being far too Orwellian, such a scheme would be a monster to control.
Let's remember the internet is not bound by physical borders. Just how are we to ensure that other countries are enforcing the same kind of law? That's the thrust of the problem now. Many rogue users come out of countries that still have too few, or toothless, computer crime laws. Some crimes are state-sponsored.
Anyway, how many of your friends have been in a car accident with a person who didn't have a license or insurance? Yet these folks still drive. Just imagine the difficulties with enforcing a licensing mandate on the internet. Instead of a war on terror, we'd have a war on infosec criminals... and grandmas everywhere.
Technology companies need to make better software. Better-made OSs and applications would go a long way towards protecting companies and home users. But given this CSO's suggestion, which skirts the issue of strengthening coding practices, this might be just as silly a thought as her licensing idea.
So we must point to constant education, training and awareness. Raymond James' Gene Fredriksen explained during his Forum workshop that he has pushed the corporate mandate for making employees understand the importance of controls outside the company, providing users with information on issues that might come up at home. After all, he said, employees are the real corporate asset.
Private companies and government should be inundating users with tips on protecting themselves. And technology providers making profits from ignorant home users should be equipping their products with infosec tutorials packed with security guidelines and the consequences of ignoring them.
Barring that, instead of telling my grandma to patch her system, it'd be cool if the guys schooled in coding would sell her a product that doesn't force her to pick up their slack.
Illena Armstrong is the U.S. editor