Active Response

Always A Bad Day For Adversaries

Security Must Not Forget the User

Hotel Internet Network Intrusion Detection System at Work

I received this message from my hotel Internet provider, which took action to limit my access to 56 Kbps for 10 minutes due to some unknown intrusion detection signature/heuristic.

I was both impressed that a hotel would have such a device in-line to protect the general Internet from aggressive and potentially damaging users and angered by the punitive action taken against my innocuous activity.

Like a well-trained security professional, I immediately took action to mitigate any damage to my system from unwanted malware. I ran my security tools (anti-virus, software updates, spyware/adware removal, etc.). After those did not find anything I assumed a false positive, sucked up the slow Internet, went and read a book, and then returned to my ‘blazing fast’ 2 Mbps Internet access.

It was not an hour later that I again received the message and punitive action. This time I ran Wireshark, sniffed all the traffic to/from my laptop for the next hour, and analyzed the output. I found nothing of interest. I was now convinced this was a false positive, having used my years of security knowledge and forensic ability and found nothing suspicious on my laptop. (I am not going to assume there was nothing, but I can only go as far as I can.)

Now I was just upset. We in security like to think of ourselves as more knowledgeable than the average user about threats and mitigations. We can find threats they cannot, and we can furthermore mitigate those threats for them without their knowledge, protecting them on the front lines (e.g., gateway, ISP, etc.).

However, we must also remember that computing systems are here for users – that is their entire purpose, to ultimately provide a benefit to human users. Therefore, security must always take the user into account and include them whenever possible.

Security must begin and end with the user. First, this means that when security is first envisioned it must understand the purpose of the system and the needs of its users. If security were to make a system unusable, then there is no purpose in the system even existing, and hence our existence as security professionals is called into question. Second, this means that users must be included, wherever possible, in the security cycle.

We must help users help themselves! Messages such as the one above (e.g., “There is a problem with your system”) do no good. First, such a message does not help solve any problem. It actually makes the problem worse, because now the user must spend time trying to fix a problem that may or may not exist.

Second, it does not inform, increase the knowledge of, or educate the user in any way. This message did not identify the specific detection that fired (e.g., the signature or heuristic), suggest an effective mitigation, or indicate the severity of the threat.

We in the security community need to better incorporate human factors/user interface knowledge into security and integrate the user from the beginning to the end of our security engineering.

  1. Brad

    I had that sort of thing happen to me — false-positive, no clue why it happened, except that my access was blocked entirely. Had to change my MAC address to get back online, but no further blocks once I did that.

  2. Ethan

    Great Article! I was just thinking about that the other day. Though I was thinking more on the lines of inconvenience. I think that a good information security program should not be a huge inconvenience to the user. If that is the case then security will be looked upon as simply more time and more trouble than what is rewarded. The security program of a company, let's say, needs to show the user that good security practices should be as common as good behavior and that doing so will save them inconvenience (i.e., identity theft, stolen data) more than it causes it.

    • Good observation. It has been understood for a while that if security measures are deemed burdensome by the user they will circumvent the security. Unfortunately, many systems do not implement this simple concept because developing good AND usable security is difficult.

  3. Crich

    Education is key for all! It must be the home environment as the first focus. If a user has good working practice at home, it will translate to work. Policy just feels like it’s getting in the way. Then scary messages are easier to understand, once the user can put them into context with their home world.
    We must be careful, as some security people have their empires to maintain, and that means fear instead of understanding.
