Welcome!

Linux Authors: Elizabeth White, Frank Huerta, Pat Romanski, Lori MacVittie, Esmeralda Swartz

Related Topics: Web 2.0, XML, Linux

Web 2.0: Blog Feed Post

It All Comes Down to YOU – The User

Reactionary Behaviors when Gloom gets Delivered

One of my favorite Security writers, Bruce Schneier, had an interesting entry last week called Reacting to Security Vulnerabilities where he discusses the recent reports about the security flaw in the SSL protocol and how we as users should relax and essentially, ‘do nothing.’  “What?!? – Do nothing??” 

Yup, and he has some good reasons why. 

Usually, new exploits, threats, breaches and the typical security stuff that garners the headlines, makes security folks jump. 

Jump to search the internet for anything related, jump to see if our systems are infected or vulnerable, jump to put an action plan in place to reduce the risk.  These are reactionary behaviors when gloom gets delivered and we fully don’t understand the risk.  I’m not saying ignore warnings or plan for the worst, but since several new ‘weaknesses’ seem to get published on a monthly basis, you do need to prioritize and put some context around it.

computer_bomb With anything in life, there are certain things we have control over and others we do not. 

For many years now, we’ve been warned that it is risky to click on embedded links in a suspicious email or dangerous to click through the certificate warnings from your browser and hopefully many people have changed their behavior.  That’s within our control.  But when a researcher finds a specific vulnerability in a particular protocol, potentially affecting several vendors, there is really not much an individual user can do.  Sure, you or the IT department can check with their vendor to see if it applies to their product but would you immediately stop using something when it’s a critical part of your infrastructure.  Once again, which is usually the case for security, you must weigh the risks and determine if it’s within your control.  Bruce points out that many of the vulnerabilities affect systems that are out of our control and if your data is already out there, unplugging your computer will not lessen the potential exposure.

What you can do is simply stick to your general security practices (AV/FW, OS patch, Auto updates, backups, common sense), which already protect you from a slew vulnerabilities but let the experts/vendors figure out the best way to handle new exposure(s) since they must deal with them on a daily basis.  If the risk is too great and your infrastructure is vulnerable, push your vendor for an answer.  Most vendors, especially with security products, are fairly reasonable and typically move fast when it comes to security holes – their reputation and revenue are at risk.  You can also report to CERT if you’re not getting a response but most vulnerability ‘finders’ alert the vendor fist and give them a chance to fix or respond to it.

Protecting yourself from the multitude of threats on the internet can be daunting, never ending, and always changing so you do need to be vigilant with the things you can control but as you peruse the Top 9 Beaches of 2009 or the Top 15 Most Common Attacks, you find there was/is little you could do to avoid them.

ps 

Read the original blog entry...

More Stories By Peter Silva

Peter Silva covers security for F5’s Technical Marketing Team. After working in Professional Theatre for 10 years, Peter decided to change careers. Starting out with a small VAR selling Netopia routers and the Instant Internet box, he soon became one of the first six Internet Specialists for AT&T managing customers on the original ATT WorldNet network.

Now having his Telco background he moved to Verio to focus on access, IP security along with web hosting. After losing a deal to Exodus Communications (now Savvis) for technical reasons, the customer still wanted Peter as their local SE contact so Exodus made him an offer he couldn’t refuse. As only the third person hired in the Midwest, he helped Exodus grow from an executive suite to two enormous datacenters in the Chicago land area working with such customers as Ticketmaster, Rolling Stone, uBid, Orbitz, Best Buy and others.

Bringing the slightly theatrical and fairly technical together, he covers training, writing, speaking, along with overall product evangelism for F5’s security line. He's also produced over 200 F5 videos and recorded over 50 audio whitepapers. Prior to joining F5, he was the Business Development Manager with Pacific Wireless Communications. He’s also been in such plays as The Glass Menagerie, All’s Well That Ends Well, Cinderella and others. He earned his B.S. from Marquette University, and is a certified instructor in the Wisconsin System of Vocational, Technical & Adult Education.