Firewall Wizards mailing list archives

RE: The home user problem returns


From: "Hawkins, Michael" <MHawkins () TULLIB COM>
Date: Tue, 13 Sep 2005 20:06:00 -0400

Look what was said some time ago:

"The superior man, when resting in safety, does not forget that danger
may come. When in a state of security he does not forget the possibility
of ruin. When all is orderly, he does not forget that disorder may come.
Thus his person is not endangered, and his States and all their clans
are preserved." -- Confucius

Ask yourself this question: Why did Confucius feel the need to say the
above? Was it because all people are constantly aware of existing and
new threats as they exist in and around their environment? Or was it
because Confucius knew that people were habitually forgetful entities
that quickly fall into the most hideous comatose states before a
repeated unwanted event wrenches them back to reality where they linger
only momentarily in their sorrow before falling back into the same
comatose life, happily cruising along into their next repeated
misadventure?

Mike Hawkins

Office: 212-208-3888

Mobile: 917-887-3614

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of
hermit921
Sent: Tuesday, September 13, 2005 6:46 PM
To: firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] The home user problem returns

I will weigh in with my experience.  About 2000 users in my company, and
nearly 20% of them managed to get infected during one week a year or two
ago.  That mess generated enough pressure that many of the desktops now
have patches forced onto them, but almost none of the users learned
anything.  I take that back, several of them learned I am a NUT, because
I said Internet Explorer isn't safe to use.

On the good side, I have a friend who is almost totally computer 
illiterate, but has never had a virus or spyware or any other malware.
Rule #1: never double click any attachment.  If you have to open it,
choose a program that should open that type of file and do a
File -> Open.  Blindly following these rules has kept her safe for over
10 years.  So I know people can learn, at least by rote, regardless of
understanding.
Rule #2: never use Microsoft software.  This probably helps an immense 
amount, too.

hermit921


At 10:09 AM 9/13/2005, Scott Pinzon wrote:
I've been watching with a certain morbid fascination as Marcus has
ranted in his own blog and in FW-WIZ (and who knows where else) that
educating users about security is one of the "dumbest ideas" and "if it
was ever going to work, it would have by now." I have tremendous respect
for you, Marcus (especially since you have, I dunno, six times the years
in computer security that I do). But I can't help feeling, in my
pipsqueak opinion, that on this one you're way off base.

 My reasoning, in short:

-- Ignorance is never better than knowledge in any realm. But particular
to network security, my experience is that most clueless users are also
people of good will who will cease dangerous behaviors once they
understand those behaviors ARE dangerous.

-- Educating users is another layer in "Defense in depth." If 10 out of
100 users click evil email attachments, and through education you reduce
that to 3 out of 100, you've improved that layer.

-- Educating users has been proven to work at company after company.
Help desk calls, viral infections, falling victim to phishing emails,
and more, have been quantitatively and demonstrably reduced at companies
that institute end-user security training.

-- And how do you know "it" (educating end users) is not working? We
have no before/after comparison on what the Internet would be like if
all of us who preach security had stopped five years ago.

Maybe I'm misunderstanding you, but my take-away from your blog article
is that you are so discouraged by end-user ignorance, you think we
should all stop wasting our breath on them. Your recommendation is that
we set up an environment through quarantining and what-not where users
have no opportunity to hurt themselves. In rebuttal, I cite the crusty
old maxim, "Genius has its limits, but stupidity is infinite." We CAN'T
(through technology) create an environment where clueless users can't
hurt themselves. To keep a network secure, we need users on our side. We
can get them there if we try.

Am I really the only one on this list who thinks so? Or Marcus, did I
misinterpret you?


SCOTT PINZON, CISSP
Editor-in-Chief, LiveSecurity Service
WatchGuard Technologies, Inc.
505 5th Ave. South | Suite 500 | Seattle | WA | 98104
206.613.6648

[deleted] 


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards