User education not answer to security

Enterprises cannot hope that education will keep computer users and systems safe, says security expert. Staying vigilant about updates is the only way.
Written by Victoria Ho, Contributor

Education is not a viable solution to preventing security issues.

In an interview with ZDNet Asia Thursday, Patrik Runald, F-Secure's senior security specialist, said systems are often compromised in spite of the user practicing safe computing.

"Even if the user is doing all the right things--making sure the page is encrypted, not opening attachments, for example--they [still] get infected. Education can only go so far," he noted.

Runald said the rising occurrence of "drive-by" downloads is "most worrying", referring to a trojan, embedded in a Web site, surreptitiously downloading itself onto a user's system when the page is visited.

"It doesn't have to be a dodgy site. It could be anywhere. You visit the site--bang, you get hit," said Runald.

A trojan could be sitting undetected in a user's system until it gets activated, such as when a user logs into a banking Web site.

The only solution, the security expert said, is vigilance in ensuring all security software is constantly updated, so that the user can be protected from threats they do not see.

"Even if people have been educated on safe surfing, they either forget or don't care," he said.

Mobile security
Although it has not happened, the technology is available to cause serious damage on mobile devices.

"All the pieces are in place for a mobile malware outbreak," said Runald.

According to the security expert, 99 percent of malware is targeted at the Symbian operating system (OS) because it is the market leader and its source code is open, making it easier to examine the OS for vulnerabilities.

Malware can also be spread quickly via Bluetooth or MMS (multimedia messaging service), making its proliferation easier, he said.

But closed operating systems are not necessarily safer. Referring to Apple's iPhone, Runald said: "In theory, by having a closed OS, it should be safer. But remember that it didn't take long after its release for people to crack it and run third-party applications. Its file system was also made accessible through cracking, and this opened the system [to] a lot of danger."

Offering an explanation for why a mobile pandemic has not occurred, Runald said there has not been a concerted effort by mobile virus coders because they tend to be "kids" who are interested in "a bit of fame and mischief", rather than being motivated by profit, such as those who code for PCs.

However, Runald cautioned that this does not rule out the possibility of a mobile outbreak. "The end game is money. Phones have a built-in billing system by being connected to a user's account. We're certain something will eventually happen," he said.

Editorial standards