Firewall Wizards mailing list archives
Re: The home user problem returns
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Tue, 13 Sep 2005 18:35:59 -0400
Mason Schmitt wrote:
> I also don't think the user education problem is an epidemiological one either. To suggest that ignorance of a growing and changing computer security environment is somehow like a rapidly spreading pathogen is a little bit of a stretch.
I'm sorry, I really screwed up my explanation. Can I have another throw?

Don't look at the problem from a "successfulness of prevention" standpoint; look at it from a "propagation of failure" standpoint. With something like AIDS, if you can make a significant percentage of the population aware of the problem, you've made it possible for the "aware people" to enclave, meet, and breed, and isolate the "unaware people" or those who have decided to argue in favor of natural selection by taking risks anyhow. So, in an area where you can educate 50% of the population about something like AIDS, you've got a fair chance that the 50% you educated will survive.

Now, look at Internet security. If I educate 50% of the population about the need to worry about security, I still lose - horribly - because the other 50% of my population fails and their machines are used to attack the educated 50%!! That wouldn't be a problem except for transitive trust(*) - a big chunk, I have no idea how big, of the educated 50% would find themselves vulnerable to attacks from trusted parties and would be vulnerable, and then you'd very quickly be left with the only survivors being those who didn't trust anyone.

Another factor is that the environment would become poisoned after a certain point. I am on a satellite internet hookup (pity me!) and when there's a new worm out there doing a lot of scanning I can pretty much rest assured that I will have no internet access for 2 or 3 days. I call this "adaptive packet clogging intrusion prevention" -- it's effective but annoying. Wait till Gartner hears about it.

So, that's a lot of why I am so hard on the topic of user education. Unlike other problem areas where education is effective, user education in computer security is of questionable value because the propagation effect of one user making a mistake can overwhelm the results of your educational programme instantly.
We've ALL heard the stories of the dweeboid executive who brings his laptop into the corporate WAN and plugs it in and releases something awful behind the firewall, right? Well, in 1/4 second, the entire educational programme at that organization was utterly mooted. When you're fighting AIDS or illiteracy, local failures do not propagate into massive system-wide failures.

Please - don't get me wrong: education is great. But if corporations want to improve their security, it's not a particularly effective investment, in my opinion. I know of no studies that shed light one way or another on this question and I probably wouldn't trust them if I did. Why not? Because there are some organizations that have chosen education as a SUBSTITUTE for mechanism. My guess is that they'd skew the metrics very sharply in the direction I'm predicting, and that wouldn't be pretty.

[Below I will use the term "Mechanism" to abstractly mean "technological enforcement system" - firewalls, AV, attachment stripping, IPS, APCIP, whatever. Loosely, you can think of it as "something that protects the user whether they want it to or not."]

I guess there's a matrix we'd want to explore:

#1 - No Security Mechanism, No Security Education
#2 - No Security Mechanism, Security Education for users
#3 - Security Mechanisms in place, No Security Education
#4 - Security Mechanisms in place, Security Education for users

I predict that of those 4, the security differences between #3 and #4 would be minor. I further predict that the difference between #1 and #2 would be minor. I would also predict that the largest difference would be between #4 and #1. Put more simply: my guess is that the measurable impact of education versus mechanism is minor. Add some cost factors in and you could make a WAG at an ROI for security education. Then you'd take your education programme out and shoot it.
Those of you who are familiar with the computer security calendar I did for SourceFire back in '03 http://www.ranum.com/security/computer_security/calendar probably don't know that the original concept for December was not "Leadership"; it was:

User Education (Our users don't need Security Education; they need a good beating)

Photograph of a hand with a riding crop, wearing a studded leather glove.

Unfortunately, when I went into the studio to do the shoot, I had assembled all the props for the photography, and the Southern States in Woodbine was closed on Sundays and I couldn't get the riding crop prop as I had planned. So Tal's wife was kind enough to stand in at the last minute for December.

mjr.

(* I was going to include "ignoring transitive trust" as dumb computer security idea #7, but the article was written for executive gimboids and the idea of succinctly and clearly explaining transitive trust was daunting.)

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
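The "propagation of failure" argument and the four-quadrant matrix in the message above can be turned into a small contagion simulation. The following is an added illustration, not code from the thread or from any of its participants: the population, the random trust graph, the rule that a direct attack only catches unaware users while an attack arriving from a trusted party catches educated users too, and the assumption that a mechanism blocks both regardless of the user, are all modelling choices made here. It runs the four quadrants with the same random seed and reports how far one initially compromised machine (the laptop plugged in behind the firewall) spreads in each.

```python
"""Toy contagion model for the mechanism-vs-education matrix.

Added illustration, not code from the thread.  The population, the trust
graph and every parameter below are constructed for the example.
"""
import random
from dataclasses import dataclass, field


@dataclass
class Node:
    educated: bool            # user knows not to fall for a direct attack
    mechanism: bool           # something protects the user whether they want it or not
    trusts: set = field(default_factory=set)  # ids of parties whose traffic this node accepts
    compromised: bool = False


@dataclass
class Outcome:
    population: int
    unaware: int              # nodes without education
    compromised: int          # nodes compromised when the outbreak stops spreading
    educated_fallen: int      # educated nodes that fell (via a trusted party, or as a seed)


def build_population(n, educated_frac, mechanism, trust_degree, rng):
    """Constructed population: each node trusts `trust_degree` random peers (assumption)."""
    nodes = [Node(educated=rng.random() < educated_frac, mechanism=mechanism)
             for _ in range(n)]
    for i, node in enumerate(nodes):
        peers = [j for j in range(n) if j != i]
        node.trusts = set(rng.sample(peers, min(trust_degree, len(peers))))
    return nodes


def attack_succeeds(target, source_id):
    """Two ways in, following the argument in the message: a direct attack,
    which only the unaware fall for, and an attack arriving from a trusted
    party, which the educated fall for too.  A mechanism blocks both
    regardless of the user (modelling assumption)."""
    if target.mechanism:
        return False
    if source_id in target.trusts:       # transitive trust
        return True
    return not target.educated           # direct attack on an unaware user


def run_outbreak(nodes, seeds):
    """Every compromised node attacks every other node until nothing new falls."""
    frontier = []
    for s in seeds:                      # the laptop plugged in behind the firewall
        nodes[s].compromised = True
        frontier.append(s)
    while frontier:
        src = frontier.pop()
        for tid, target in enumerate(nodes):
            if not target.compromised and attack_succeeds(target, src):
                target.compromised = True
                frontier.append(tid)
    unaware = sum(not n.educated for n in nodes)
    compromised = sum(n.compromised for n in nodes)
    educated_fallen = sum(n.educated and n.compromised for n in nodes)
    return Outcome(len(nodes), unaware, compromised, educated_fallen)


# (mechanism in place?, fraction of users educated)
QUADRANTS = {
    "#1 no mechanism, no education": (False, 0.0),
    "#2 no mechanism, education":    (False, 0.5),
    "#3 mechanism, no education":    (True, 0.0),
    "#4 mechanism, education":       (True, 0.5),
}


def run_matrix(n=200, trust_degree=5, seed=7, n_seeds=1):
    """Run the four quadrants from the same RNG seed; returns {quadrant: Outcome}."""
    results = {}
    for name, (mechanism, edu_frac) in QUADRANTS.items():
        rng = random.Random(seed)
        nodes = build_population(n, edu_frac, mechanism, trust_degree, rng)
        seeds = rng.sample(range(n), n_seeds)
        results[name] = run_outbreak(nodes, seeds)
    return results


if __name__ == "__main__":
    for name, out in run_matrix().items():
        print(f"{name:32s} {out.compromised:4d}/{out.population} compromised "
              f"({out.educated_fallen} of them educated)")
```

Under these assumptions the model reproduces the predictions in the message: #3 and #4 stop at the seed machine, #1 loses the whole population, and #2 loses every unaware user plus every educated user who trusts anyone who fell, which with a few trust edges per node is nearly everyone. Setting `trust_degree=0` is the "didn't trust anyone" enclave, the one case in which education alone protects the educated half.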