fudsec.com

Showcasing Fear, Uncertainty and Doubt from the Information Security Industry 

Generating a False Sense of Insecurity

TGIF! A recent flashmob poll of CISOs discovered that the flagrant abuse of statistics, graphs and number theory misleads at least 5*9+(sqrt 10)^3 of decision makers "most of the time". Returning guest Lori Mac Vittie came across a recent "study" that caused her to reach for a key tool of the professional defudder: the humble calculator. Ah yes, ladies and gentlemen, every number tells a story; which shelf in the bookstore that story belongs on is a different matter. Read on as Lori takes aim at the numbers from a recent "study". Thanks Lori!

Lori Mac Vittie

Technical Marketing Manager for F5 Networks.

The latest study “State of Internet Security” from WebSense indicates that 95% of all user-generated content is, well, to put it simply: crap. Even more frightening is the conclusion that “61 percent of the top 100 sites either hosted malicious content or contained a masked redirect” and “77 percent of Web sites with malicious code are legitimate sites that have been compromised.”

OMGWTFWEB2.0?

It’s enough to keep you away from social networking sites, surely! After all, the “top 100 most visited Web properties…tend to be classified as ‘Social Networking’ or ‘Search’ sites.” Facebook? Twitter? MySpace? My god, they’re probably all infected. Grab a face mask and pull that cable from the wall lest you catch some social (networking) disease from visiting your BFF Jill’s Facebook page.

Now that we’re done (I hope) having hysterics and fear-induced panic attacks, let’s consider the math for a minute, shall we?

Facebook now has 300 million users. Let’s assume that each user has at least one piece of user-generated content on their Facebook page because, well, it’s a very user-content-driven site. That means that of the 300 million home pages on Facebook, 95% (285 million) have either a malicious link or other insecure content. Conversely, that means that 5% (15 million) are clean, uninfected, safe pages.

The average Facebook user has 120 friends or 281 friends, depending on which news article you might be reading. Let’s just assume for mathematical purposes that the number is somewhere in the middle, at about 200 friends per user. Let’s pretend, too, that you visit every friend’s page in a single day. Because it’s your day off, of course, you wouldn’t actually do that at work.

The mathematical likelihood that one of your 200 friends is one of the 95% that is infected is infinitesimal. Visiting a second-order friend (a friend of your friend) makes it more likely, but in mathematical terms one could still categorize the risk as statistically insignificant. In other words, all this hubbub about how much content is malicious and insecure is blown a bit out of proportion; considering the magnitude of the numbers we’re dealing with, we could say 99% of all content is crap and still not raise your security risk much higher than it is today.

That is, of course, purely a mathematical view of the security risks associated with social networking. Generalizing statistics can be useful, as can statistical sampling. But we, both as pushers of that data and as consumers of the same, need to be more aware of how the magnitude of the data behind those statistics affects the actual risk involved. It’s always more fun to say 95% than to give a real number, especially when those numbers are so large that they essentially lose meaning to human beings. And we know that people will interpret 95% to mean 95% of the content they visit, because that’s the way it’s presented. But is that reality? Likely not, unless their behavior online is such that it puts them more at risk because they’re visiting and connecting with a higher percentage of the content out there.

The reality is that there’s only so much providers and vendors can do to protect individuals online. Web application firewalls. Firewalls. IDS. IPS. Vulnerability scans. Anti-virus. Spam filtering. These technologies are necessary for reducing risk in general, and they do reduce it, but the best and primary protection mechanism in every user’s arsenal should be the users themselves. Users need to educate themselves on the risk inherent in today’s increasingly connected web of content and proactively examine content presented to them with a more educated eye. And they need to be aware that at least part of the risk incurred from user-generated content is self-inflicted: the more content, the more friends, the more connected they are, the higher the risk of stumbling into malicious content.

The danger in generating such a false sense of insecurity is that users will begin to fear content and links to content, which means they’ll fear the Web in general, because the whole premise of the Internet, of the World Wide Web, of Web 2.0, is links and content and the intricate relationships between them. The web is useful because of links and content and user-generated content, and yes, much of it contains malicious code and other nasty tricks. But rather than scare users with statistics that don’t accurately portray the risk to them, we ought to do a better job of educating them on how to recognize malicious content, and provide simple ways for them to report or tag or otherwise mark malicious content when they do find it, so that we, as protectors of data and users and content, can continue to innovate new ways to automatically remove such content from our applications and sites.

Instead of scaring users let’s engage users and make them part of the solution rather than just another part of the problem.


Comments (1)

Nov 13, 2009
joshcorman said...
"Instead of scaring users let’s engage users and make them part of the solution" Agreed. Whoever coined "People, Process, and Technology" was right to put People 1st and Technology last.
Adversaries know the power of social engineering. The most infamous hacker of all time isn't known for finding buffer overflows in software - Mitnick was a master of finding buffer overflows in human judgement.

Security is a Weakest Link problem.
People are the Weakest Link.
End Users are the single most under-invested, under-utilized asset we have.

Those who dismiss efforts to invest in End User education and awareness are either:
-trying to sell you Technology
-mistaking a crappy 1-sided, uninteresting, 20 minute, Mandatory, Flash preso once a year for effective end-user participation
-or simply lacking the gifts and talents of education, psychology, and general communication skills (which is honestly to be expected for most engineering types)

This is one of the reasons I encourage atypical educations to get into Security. Teachers, Writers, Psychologists, Anthropologists, Economists, Biologists, Philosophers, etc. They bring vital complementary skills to this space, fresh angles, new models - and can help us strengthen and address our weaker areas.

A brief example: A few years back, everyone was looking for ways to mitigate the risk of USB and removable media. Technology vendors all raced to disable USB, to spy on use of USB, etc. Some organizations even took the physical path and used epoxy to glue the ports shut.

At least one vendor (more now) recognized that SOME use of removable media was critical to productivity, and that maybe there was a less draconian alternative. They used logging and a pop-up. "Use of removable media puts our company and our clients at risk. We're sure you have a legitimate reason for using it. Please type that reason here: " Within two weeks, one healthcare company tracked a 92% voluntary reduction in the use of removable media. Some people didn't realize. Some were intimidated by the tracking.

Regardless, how many Technology Solutions are 92% effective in 2 weeks?

We need to seek more of these. Let's find ways to reduce the attack surfaces of our Human Resources. Let's stop viewing them as pure liabilities and find ways to turn them into Security Assets.

Joshua
