Full Disclosure mailing list archives
RE: Is user education a lost cause?
From: WolfgangK () usfk korea army mil
Date: Wed, 21 Jan 2004 10:24:59 +0900
CLASSIFICATION: UNCLASSIFIED

1. Security awareness training is an "elusive necessity". I have seen policy that says users must have training. Yet without specifics on who must provide training or emphasis on resourcing training, it may not occur, or at best the process is caught in a "do while" loop, infinitely circling and pointing to someone else better suited for the mission.

2. One objective of training should be to defeat the social engineers.

   a. This listing frequently discusses new phishing ploys. Without awareness, organizational users may find themselves buried within the following statistics:
      - Scams up 400% during Christmas season 2003
      - 20 new scams over two-week period
      - 60 million bogus E-mails
      - 5 - 20% take the bait

   b. Kevin Mitnick and William Simon, in The Art of Deception: Controlling the Human Element of Security, ISBN:0471237124, John Wiley & Sons, present the viewpoint that the bad guy may follow the path of least resistance.
      (1) Social engineering can provide that path around all defensive roadblocks that the good guys put in place - defense of computing environment / system configuration; defense of enclave boundaries / firewalls, router ACLs; defense of network & infrastructure / encryption; supporting infrastructure / PKI and IDS.
      (2) In noting the plausibility in pulling off social engineering, the authors reference a quote attributed to Einstein: "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."

3. Bruce Schneier, as a techie with maturing appreciation of how the human element is important to information assurance, in his book Secrets and Lies: Digital Security in a Networked World (John Wiley, ISBN 0-471-25311-1) wrote:
   - "Security is not a product, it's a process."
   - Moreover, security is not a technology problem - it's a people and management problem.
   - "If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology."

4. Bottom line: user training is essential if one wants to minimize the need for desktop support fixing polluted workstations. However, there is always a core requiring additional homework. At a time before Outlook security patches, after reading my Email warning on "I LOVE YOU", my officemate attempted to open the .VBS attachment. He complained that it wasn't doing anything. It was. He called desktop support for assistance in cleaning his workstation.

Karl Wolfgang
Information Systems Security Manager
disclaimer: on official policies stated or implied

-----Original Message-----
From: Schmehl, Paul L [mailto:pauls () utdallas edu]
Sent: Wednesday, January 21, 2004 7:16 AM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] Is user education a lost cause?

<snip>

What about changing users? You don't allow for any of that at all? I think it's not only possible but will happen over time. I think one of the "security community's" basic responsibilities is to educate users and to never give up on educating users. After all, one of the most important parts of our job is writing policy, is it not? If that's true, and yet we don't believe users can be educated, then why is policy writing so important?

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Classification: UNCLASSIFIED
Current thread:
- Is user education a lost cause? Schmehl, Paul L (Jan 20)
- Re: Is user education a lost cause? Ron DuFresne (Jan 20)
- Re: Yes, user education is a lost cause ;-) Tobias Weisserth (Jan 21)
- <Possible follow-ups>
- RE: Is user education a lost cause? WolfgangK (Jan 20)