I've been saying for a while that there's a pretty big mismatch right now between what everyday people need with respect to computer security and what the computer security community, both research and industry, are actually doing.
The report presents a number of fascinating findings. For example:
- Very few exploits actually use zero-day vulnerabilities. Microsoft's Malicious Software Removal Tool found no major malware families using zero-day attacks. Microsoft's Malware Protection Center also found that, of all exploits used, at most 0.37% of them used zero-day attacks. Here, zero-day is defined as a vulnerability for which the vendor had not released a security update at the time of the attack.
- 44.8% of vulnerabilities required some kind of user action, for example clicking on a link or being tricked into installing the malware.
- 43.2% of malware detected made use of the AutoRun feature in Windows.
The reason Microsoft's report is important is that it offers actual data on the state of software vulnerabilities, which gives us some insight into where we as a community should be devoting our resources. As one specific example, if we could teach people to avoid obviously bad web sites and bad software, and if AutoRun were fixed or just turned off, we could avoid well over 80% of the malware attacks seen today.
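As an added illustration of the "just turn it off" mitigation mentioned above (this is an example written for this post, not something taken from the Microsoft report or from Microsoft's own tooling): Windows reads the NoDriveTypeAutoRun policy value from the Explorer policies key, and setting it to 0xFF disables AutoRun for every drive type. The script audits the current value and sets it only when AutoRun is not already fully disabled.

```powershell
# Added example (not from the original post): audit and, if needed, disable AutoRun
# through the NoDriveTypeAutoRun policy value. 0xFF sets the bit for every drive type.
$policyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$valueName  = 'NoDriveTypeAutoRun'
$disableAll = 0xFF

function Get-AutoRunPolicy {
    # Returns the current DWORD, or $null when the value is not set (the OS default applies).
    $item = Get-ItemProperty -Path $policyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$valueName
}

function Test-AutoRunDisabled {
    # AutoRun is off everywhere only when every drive-type bit in the mask is set.
    $current = Get-AutoRunPolicy
    return ($null -ne $current) -and (($current -band $disableAll) -eq $disableAll)
}

function Disable-AutoRun {
    # Needs an elevated shell; creates the Policies\Explorer key if it does not exist yet.
    if (-not (Test-Path $policyPath)) { New-Item -Path $policyPath -Force | Out-Null }
    Set-ItemProperty -Path $policyPath -Name $valueName -Value $disableAll -Type DWord
}

$before = Get-AutoRunPolicy
if ($null -eq $before) { $shown = 'not set (OS default)' } else { $shown = '0x{0:X2}' -f $before }
Write-Output "NoDriveTypeAutoRun before: $shown"

if (Test-AutoRunDisabled) {
    Write-Output 'AutoRun is already disabled for all drive types.'
} else {
    Disable-AutoRun
    Write-Output ('NoDriveTypeAutoRun after:  0x{0:X2}' -f (Get-AutoRunPolicy))
}
```

The new value is picked up by Explorer at the next logon; on a managed network the same value is normally pushed by Group Policy rather than set by hand.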
However, there's a big mismatch right now between what the data says about the vulnerabilities and what kind of research is being done and what kind of products are being offered. For example, there are at most a handful of research papers published on the user-interaction side of protecting people from vulnerabilities, compared to the 500+ research papers listed in the ACM Digital Library on (admittedly sexier) zero-day attacks.
This isn't a mismatch just in computer research. Just go to any industry trade show, and try to count the number of companies that have a real focus on end-users. No, not network admins or software developers, I mean actual end-users. You know, the people that try to use their computers to accomplish a goal, rather than as a means towards that goal, like accountants, teachers, lawyers, police officers, secretaries, administrators, and so on. The last time I went to the RSA conference, I think my count was two (though to be honest, I may have been distracted by the sumo wrestler, the scorpions, and the giant castle run by NSA).
Now, I don't want to understate the very serious risks of popular themes in computer security research and products made by industry. Yes, we still do need protection from zero-day attacks and man-in-the-middle attacks, and we still need stronger encryption techniques and better virtual machines.
My main point here is that attackers have quickly evolved their techniques towards what are primarily human vulnerabilities, and research and industry have not adapted as quickly. For computer security to really succeed in practice, there needs to be a serious shift in thinking, to one that actively includes the people behind the keyboard as part of the overall system.