Firewall Wizards mailing list archives
RE: The home user problem returns
From: hermit921 <hermit921 () yahoo com>
Date: Tue, 13 Sep 2005 15:45:32 -0700
I will weigh in with my experience. About 2000 users in my company, and nearly 20% of them managed to get infected during one week a year or two ago. That mess generated enough pressure that many of the desktops now have patches forced onto them, but almost none of the users learned anything. I take that back, several of them learned I am a NUT, because I said Internet Explorer isn't safe to use.
On the good side, I have a friend who is almost totally computer illiterate, but has never had a virus or spyware or any other malware. Rule #1: never double click any attachment. If you have to open it, choose a program that should open that type of file and do a File -> Open. Blindly following these rules has kept her safe for over 10 years. So I know people can learn, at least by rote, regardless of understanding. Rule #2: never use Microsoft software. This probably helps an immense amount, too.
hermit921

At 10:09 AM 9/13/2005, Scott Pinzon wrote:
I've been watching with a certain morbid fascination as Marcus has ranted in his own blog and in FW-WIZ (and who knows where else) that educating users about security is one of the "dumbest ideas" and "if it was ever going to work, it would have by now." I have tremendous respect for you, Marcus (especially since you have, I dunno, six times the years in computer security that I do). But I can't help feeling, in my pipsqueak opinion, that on this one you're way off base.

My reasoning, in short:

-- Ignorance is never better than knowledge in any realm. But particular to network security, my experience is that most clueless users are also people of good will who will cease dangerous behaviors once they understand those behaviors ARE dangerous.
-- Educating users is another layer in "Defense in depth." If 10 out of 100 users click evil email attachments, and through education you reduce that to 3 out of 100, you've improved that layer.
-- Educating users has been proven to work at company after company. Help desk calls, viral infections, falling victim to phishing emails, and more, have been quantitatively and demonstrably reduced at companies that institute end-user security training.
-- And how do you know "it" (educating end users) is not working? We have no before/after comparison on what the Internet would be like if all of us who preach security had stopped five years ago.

Maybe I'm misunderstanding you, but my take-away from your blog article is that you are so discouraged by end-user ignorance, you think we should all stop wasting our breath on them. Your recommendation is that we set up an environment through quarantining and what-not where users have no opportunity to hurt themselves.

In rebuttal, I cite the crusty old maxim, "Genius has its limits, but stupidity is infinite." We CAN'T (through technology) create an environment where clueless users can't hurt themselves. To keep a network secure, we need users on our side. We can get them there if we try.

Am I really the only one on this list who thinks so? Or Marcus, did I misinterpret you?

SCOTT PINZON, CISSP
Editor-in-Chief, LiveSecurity Service
WatchGuard Technologies, Inc.
505 5th Ave. South | Suite 500 | Seattle | WA | 98104
206.613.6648
[deleted]