I received this message from my hotel Internet provider which took action to limit my access for 10 minutes to 56Kbs due to some unknown intrusion detection signature/heuristic.
I was both impressed that a hotel would have such a device in-line to protect the general Internet from aggressive and potentially damaging users and angered by the punitive action taken against my innocuous activity.
Like a well-trained security professional, I immediately took action to mitigate any damage to my system from unwanted malware. I ran my security tools (anti-virus, software updates, spyware/adware removal, etc.). After those did not find anything I assumed a false positive, sucked up the slow Internet, went and read a book, and then returned to my ‘blazing fast’ 2Mbs Internet access.
It was not an hour later that I again received the message and punitive action. This time I ran Wireshark and sniffed all the traffic to/from my laptop for the next hour and analyzed the output. I found nothing of interest. I was now convinced this was a false positive after using my years of security knowledge and forensic ability and finding nothing suspicious on my laptop. (I am not going to assume there was nothing, but I can only go as far as I can).
Now I was just upset. We in security like to think of ourselves as more knowledgeable than the average user about threats and mitigations. We can find threats they cannot and we can furthermore mitigate those threats for them without their knowledge protecting them on the front-lines (e.g. Gateway, ISP, etc.).
However, we must also remember that computing systems are here for users – that is their entire purpose, to ultimately provide a benefit to human users. Therefore, security must always take the user into account and include them whenever possible.
Security must begin and end with the user. This means that when security is first envisioned it must understand the purpose of the system and the needs of a user. If security were to make a system unusable, then there is no purpose in the system even existing and hence our existence as security professionals is questioned. Second, this means that users must be included when possible in the security cycle.
We must help users help themselves! Messages such as the one above (e.g. “There is a problem with your system”) do no good. It does not help solve any problem. It actually makes the problem worse because now the user must spend time trying to fix a problem that may or may not exist. http://www.frontend.com/design/effective-error-messages.html
Second, it does not inform, increase the knowledge of, or educate the user in any way. This message did not inform the specific detection (e.g. signature/heuristic), suggest effective mitigation, nor provide a suggested severity of the threat.