– There is a need to educate Internet users in basic security concepts. This is the only way of reducing the number of people affected by cyber-crime, and this responsibility must be shared between the public and private sectors.
– Sebastian Muriel, general manager of Red.es: “80% of security problems can be resolved with common sense.”
– The 1st Security Blogger Summit, organized by Panda Security, brought together 200 people involved in IT security and hosted a roundtable discussion involving 11 opinion leaders from the United States and Spain.
One of the main conclusions reached in the 1st Security Blogger Summit, relating to the security market and the need for greater protection, was outlined by Bruce Schneier: “We have to bear in mind the economic factors behind the technology that we have. We could have better technology, but we are not prepared to pay for it. The market rewards the cool and the fast, but not the good.” Educating Internet users in the basic concepts of security is the only way of moving forward in this field and reducing the number of cyber-crime victims. This was another of the focal points of the event held yesterday in the Círculo de Bellas Artes in Madrid and organized by Panda Security (more information at www.securitybloggersummit.com).
This event brought together 200 people from the world of IT security, including representatives from the public and private sectors, journalists and bloggers.
Participants in the roundtable discussion were Bruce Schneier (blogger and a guru in IT security), Andy Willingham (Information Security Officer of a financial sector company and author of the blog Andy ITGuy), Antonio Ortiz (co-founder of Weblogs SL), Steve Ragan (Security Editor for Tech Herald), Byron Acohido, Javier Villacañas (COPE journalist and author of the blog “A todo chip”), Ero Carrera (from Hispasec), Sebastián Muriel (General Manager of Red.es), Francisco A. Lago (from the National Institute of Communication Technologies (INTECO)) and César Lorenzana (from the Technology Crime Division of the Spanish Civil Guard).
The third issue of the day dealt with the need to share responsibility for educating users between the public and private sector through awareness campaigns. To this effect, Andy Willingham explained that “it is users who must learn how to use their computers safely, as they are the ones in danger”. According to the General Manager of Red.es, Sebastián Muriel, “80% of security problems could be resolved by common sense”.
Education and responsibility
The session started with a 15-minute talk from Bruce Schneier. He emphasized the major advance that the Internet represents, calling it “one of the most important revolutions after Rock and Roll” and highlighting the economic factors that underlie security problems: “We could have better technology, but we are not prepared to pay for it. The market rewards the cool and the fast, but not the good.”
He also drew attention to the need not to externalize responsibility for security by passing it on to governments, but for users and companies to play their parts: “In the case of credit cards, the government did not educate users, it passed the problem to companies and they investigated. The same has to be done: The problem cannot be shifted just to users, but also to banks and other companies.”
Other speakers also put forward their opinions with respect to the responsibility for security. Byron Acohido said that “90% of the problem is not down to the user. If a system with errors is launched on the market, this is not a problem of the user”.
On the other hand, Francisco Lago believed that “The main problem is user behavior” and said that awareness campaigns about good practices were the best vehicle for avoiding security risks. Andy Willingham and Steve Ragan agreed on the need for experts to lead this education, but with simple, comprehensible language. “There are blogs and security media, but users do not understand them and as long as they don’t, we will continue to see the same errors time and time again”, underlined Ragan.
Current situation and responses to cyber-crime
All speakers agreed that one of the main trends of the last few years has been the professionalization of cyber-criminals. César Lorenzana explained: “It’s not that there is more malware, it’s that malware is now profitable for criminals. It’s a way of earning a living”. Francisco Lago emphasized the false sense of security among users: “80% of users believe that their computers are protected, yet three quarters of them are infected”.
Antonio Ortiz illustrated the lengths that cyber-crooks go to in order to keep a low profile and avoid being pursued by public institutions: “Owners of botnets do not offer services for DoS attacks on major websites or government pages because then politicians would focus on the problem. They don’t want that kind of attention.”
Regarding the response that governments and the security sector could provide to this threat, Bruce Schneier underlined the difficulty of pursuing this crime: “This is an international problem, which makes it more difficult to pursue, to collect evidence, etc. We are good at countering local theft, but not transnational crime”.
When asked about the financial consequences, Byron Acohido gave the example of the German cyber-crime gang known as Cosmos, who earned $7 million from attacks in just one week.
Finally, when asked by the public about what basic measures the average user can take to avoid security risks, the panelists highlighted education as the main remedy to the problem, to which Bruce Schneier added: “Backup and update all programs.”
You can see more images at http://www.flickr.com/photos/panda_security/tags/summit/