Firewall Wizards mailing list archives

Re: The home user problem returns


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Tue, 13 Sep 2005 18:35:59 -0400

Mason Schmitt wrote:
> I also don't think the user education problem is an epidemiological one
> either.  To suggest that ignorance to a growing and changing computer
> security environment is somehow like a rapidly spreading pathogen is a
> little bit of a stretch.

I'm sorry, I really screwed up my explanation. Can I have another throw?

Don't look at the problem from a "successfulness of prevention" standpoint,
look at it from a "propagation of failure" standpoint. With something like AIDS,
if you can make a significant percentage of the population aware of the problem,
you've made it possible for the "aware people" to enclave, meet, and breed, and
isolate the "unaware people" or those who have decided to argue in favor of
natural selection by taking risks anyhow. So, in an area where you can educate
50% of the population about something like AIDS you've got a fair chance that
the 50% you educated will survive.

Now, look at Internet security. If I educate 50% of the population about the
need to worry about security, I still lose - horribly - because the other 50% of
my population fails and their machines are used to attack the educated 50%!!
That wouldn't be a problem except for transitive trust(*) - a big chunk, I have
no idea how big, of the educated 50% would find themselves vulnerable to
attacks from trusted parties and would be vulnerable, and then you'd very
quickly be left with the only survivors being those who didn't trust anyone.
Another factor is that the environment would become poisoned after a certain
point. I am on a satellite internet hookup (pity me!) and when there's a new
worm out there doing a lot of scanning I can pretty much rest assured that
I will have no internet access for 2 or 3 days. I call this "adaptive packet
clogging intrusion prevention" -- it's effective but annoying. Wait till Gartner
hears about it.

So, that's a lot of why I am so hard on the topic of user education. Unlike
other problem areas where education is effective, user education in
computer security is of questionable value because the propagation
effect of one user making a mistake can overwhelm the results of your
educational programme instantly. We've ALL heard the stories of the
dweeboid executive who brings his laptop into the corporate WAN and
plugs it in and releases something awful behind the firewall, right? Well,
in 1/4 second, the entire educational programme at that organization
was utterly mooted. When you're fighting AIDS or illiteracy, local
failures do not propagate into massive system-wide failures.

Please - don't get me wrong: education is great. But if corporations want
to improve their security, it's not a particularly effective investment, in my
opinion. I know of no studies that shed light one way or another on this
question and I probably wouldn't trust them if I did. Why not? Because
there are some organizations that have chosen education as a
SUBSTITUTE for mechanism. My guess is that they'd skew the metrics
very sharply in the direction I'm predicting, and that wouldn't be pretty.

[Below I will use the term "Mechanism" to abstractly mean
"technological enforcement system" - firewalls, AV, attachment stripping,
IPS, APCIP, whatever. Loosely, you can think of it as "something that protects
the user whether they want it to or not."]

I guess there's a matrix we'd want to explore:
        #1 - No Security Mechanism, No Security Education
        #2 - No Security Mechanism, Security Education for users
        #3 - Security Mechanisms in place, No Security Education
        #4 - Security Mechanisms in place, Security Education for users

I predict that of those 4, the security differences between #3 and #4 would be
minor. I further predict that the difference between #1 and #2 would be minor.
I would also predict that the largest difference would be between #4 and #1.
Put more simply: my guess is that the measurable impact of education
versus mechanism is minor. Add some cost factors in and you could
make a WAG at an ROI for security education. Then you'd take your
education programme out and shoot it.

Those of you who are familiar with the computer security calendar I did
for SourceFire back in '03
http://www.ranum.com/security/computer_security/calendar
probably don't know that the original concept
for December was not "Leadership" it was:
User Education
(Our users don't need Security Education; they need a good beating)
Photograph of a hand with a riding crop, wearing a studded leather
glove.
Unfortunately, when I went into the studio to do the shoot, I had assembled
all the props for the photography, but the Southern States in Woodbine was
closed on Sundays and I couldn't get the riding crop prop as I had planned.
So Tal's wife was kind enough to stand in at the last minute for December.

mjr.
(* I was going to include "ignoring transitive trust" as dumb computer security
idea #7 but the article was written for executive gimboids and the idea of
succinctly and clearly explaining transitive trust was daunting)
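The "propagation of failure" argument and the four-cell matrix in the post above, worked as a small model. This is an added illustration, not code from the original post or from its author: the eight hosts, the trust graph, the "educated" set and the three propagation rules are all constructed assumptions chosen to follow the argument (education stops a direct attack; a compromised host can attack anyone who trusts it, and education does not help there; a mechanism blocks both, whether the user wants it or not).

```python
from collections import deque

# Constructed sample trust graph (not from the post). TRUSTS[x] lists the hosts
# that x trusts, so a compromise of any host in TRUSTS[x] gives an attacker a
# path to x. e* are the "educated 50%", u* the uneducated half. Note that e2
# trusts nobody.
TRUSTS = {
    "e1": ["u1"], "e2": [], "e3": ["e2"], "e4": ["u3"],
    "u1": ["u2"], "u2": [], "u3": ["e3"], "u4": ["u2", "e4"],
}
EDUCATED = {"e1", "e2", "e3", "e4"}  # constructed: the educated half


def simulate(trusts, educated, mechanism):
    """Return the set of hosts that end up compromised.

    Model rules (our assumptions, following the post's argument):
      1. A direct attack (phishing, a scanning worm) reaches every host and
         succeeds on any host that is neither educated nor behind a mechanism.
      2. A compromised host can attack every host that trusts it, and
         education does not help against an attack from a trusted party.
      3. A mechanism blocks both kinds of attack regardless of the user.
    Propagation along trust edges is a breadth-first search over the reverse
    ("trusted by") graph, which is how transitive trust turns one local
    failure into a system-wide one.
    """
    hosts = set(trusts)
    trusted_by = {h: set() for h in hosts}
    for h, peers in trusts.items():
        for p in peers:
            trusted_by[p].add(h)

    # Rule 1: direct attack hits the uneducated, unprotected hosts first.
    compromised = {h for h in hosts if h not in educated and h not in mechanism}
    queue = deque(compromised)
    # Rules 2 and 3: spread along trust edges, stopped only by a mechanism.
    while queue:
        x = queue.popleft()
        for y in trusted_by[x]:
            if y not in compromised and y not in mechanism:
                compromised.add(y)
                queue.append(y)
    return compromised


def matrix(trusts, educated):
    """Number of compromised hosts in each cell of the post's 2x2 matrix."""
    everyone = set(trusts)
    return {
        "#1": len(simulate(trusts, set(), set())),        # no mechanism, no education
        "#2": len(simulate(trusts, educated, set())),     # no mechanism, education
        "#3": len(simulate(trusts, set(), everyone)),     # mechanism, no education
        "#4": len(simulate(trusts, educated, everyone)),  # mechanism, education
    }


if __name__ == "__main__":
    for cell, count in matrix(TRUSTS, EDUCATED).items():
        print(cell, count, "of", len(TRUSTS), "hosts compromised")
    survivors = set(TRUSTS) - simulate(TRUSTS, EDUCATED, set())
    print("survivors with education only:", sorted(survivors))
```

With these constructed inputs the education-only cell (#2) loses six of eight hosts and the only educated survivors are e2, who trusts nobody, and e3, who trusts only e2; the two mechanism cells lose none, and education makes no measurable difference once a mechanism is present. Changing the trust graph or the sets passed to `simulate` lets you check how far the post's prediction depends on how densely trust is wired.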

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards