Sick Computer: Your computer is sick. Not sick in a good way. Many people believe that when they buy a brand new computer, it was designed and configured with security in mind, but it wasn’t. It was designed and configured with usability in mind. Years ago I worked for a small Wireless Internet Service Provider (WISP) in Ogden Utah. Once the owner told me that whenever a customer called his technical support line for help, the company lost the profit they would have made from that customer for the entire month. The margins were that small.
Shiny, But Not Secure: When you buy a shiny new computer, the manufacturer wants you to be able to easily set it up yourself. They have gotten much better about secure setup than they used to be. Indeed, your Microsoft Windows 10 Operating System is much more secure than the previous Windows versions, but there is still a balance that the manufacture is trying to strike. They don’t want you to call tech support.
Usability vs Security: Security is a spectrum with usability on one end and security on the other. The closer you get to security, the further you move from usability. That is where the problem resides. YOUR goal may be to have the most secure computing experience, but the company that made your computer and the Operating System want it to be usable so you don’t call tech support.
Most end-users simply don’t have the experience to securely configure their computer. It takes time to become enough of an expert in the field to securely configure your PC or Mac. Hiring someone to secure your computer is very costly as well.
Preventive Measures: Secure configuration of your computer is preventative. You are trying to prevent threats from causing harm to your computing assets. The ways a threat can cause harm are called vulnerabilities. Bugs in software are one example. Things that reduce vulnerabilities are called “controls”. A software patch (or update) is a control to reduce the vulnerability of a software bug.
Asset, Control, Threat: You can think of it this way. It’s not unlike putting in a chain link fence (the control) to keep the javelina (the threat) out of your garden (the asset). You are not naïve enough to think the fence will keep tiny birds off the peach tree. That’s not what the fence was designed for. So you add a different control designed for birds. Many people will place a large fake owl close by. It’s a deceptive control to fool the birds into thinking a predator is lurking.
Real Life Example: Your house has controls to reduce the vulnerabilities a burglar might use to break in. Locks on the doors and windows. But a determined burglar can still get in if they have the opportunity. You may have installed motion sensors to alert the police in the event of a break-in. That’s a detective control to further reduce the vulnerability your preventative controls may fail to mitigate.
Prevention Always Fails: In the face of an advanced threat, prevention always fails. Eventually. You should consider installing some detective controls to alert you when they have.
Options: Lastly, prevention and detection are not your only recourse. You can get out in front of this dilemma by introducing a deception control. As an example, every time you visit a website, your browser announces to the web server a tremendous amount of valuable information, namely, what browser, and what Operating System you are using. This is usually enough information for a threat to deploy an attack. But you can change your browser settings to lie about it. Then when you visit a compromised website, the threat will deploy the wrong attack. This deception technique isn’t 100% foolproof, and it may cause some of your favorite websites to not display properly, but it’s something you should look into.
It’s a Risk Call: Like the WISP I worked for back in Ogden, profits are on the line. The vendor of your computer is more concerned with you having a usable experience. It’s up to you to make it secure by adding deception and detection controls to your quiver.