It was a truly sobering experience.
Sitting for a day in a brightly lit conference room, while across the hall young graduates of computer science battled dark foes, I was educated as to the sophistication, intelligence and business nous of underground hackers.
RSA has been fighting the good cyberfight for many years now, with no small catalogue of wins, and some scars, to prove it. Some of its key personnel were allowed out from their desks to educate journalists as to the extent, skill and sheer ingenuity of the current round of attackers behind the advanced persistent threats (APT), trojans and general malware plague that bedevils the IT industry and the world at large. While they showed us botnets for sale, point and click apps to create your own Trojans, easy cash drops and mule management, they also highlighted that despite the advanced bit of APT being well deserved, the weakest link in the chain is still the user.
Unfortunately the Mark I idiot is still in mass production and its prevalence vastly outnumbers even the impressive wave of new malware instances.
Despite so many campaigns to make users more aware of the kind of techniques and tactics employed by fraudsters and hackers, there seems to be limited success.
How many times has your bank or credit card company warned you that it will never use email to ask you for your confidential personal details? Would a user not stop and wonder why, at the initial log-in stage, a bank is asking for a credit card number and PIN? Apparently not, and that is the answer that gives many a security company such as RSA such a lucrative business.
Alas, technical education alone is not the answer, as sometimes even experienced people with a good knowledge of general IT cannot resist the "next, next, next" reaction when met with information windows while installing a new app. Consequently the 'should-know-better' brigade can also fall to the fraudsters.
So what can be done to lessen the effects of ignorance, stupidity and inattention?
Well that is a tough one. What can be relied upon are the facts that the Mark I idiot will continue with its current specification and the fraudsters will persist in using any technique, technology or gambit to achieve their aims. So what does that leave? Well, it leaves machine learning and intelligence to try to cope with the shortfall.
It might mean the equivalent of the old Harry Enfield character whose constant refrain was "I do not believe you wanted to do that!"
When a user clicks through a set of information messages and options faster than it is humanly possible to read them, perhaps the system should intervene and prevent such inattention. This raises another important point, though: any security that is too restrictive or awkward will be either circumvented or simply abandoned.
All of this must feed back into making sure that the user, who really is not an idiot, is security aware, but not a security operative. I fully admit it is a generalisation to refer to users as idiots when in fact they are usually well-intentioned people, with too much to do and not enough time to do it, who just want to get a job done.
Perhaps what is needed is a fundamental rethink of how user interaction is conducted when it comes to using applications that require high levels of security.
What is currently characterising the 'through a glass darkly' malware industry is an ease of use that is frightening. The real practitioners are making their capabilities available to the uninitiated through simple interfaces that are stunningly well designed. Perhaps it is time for the white hats to learn from the black hats and mirror that ease of use in all aspects of end user security, ensuring that the end user does not end up as an idiot and a victim.