RE: The home user problem returns

[hermit921 <hermit921 () yahoo com>]

I will weigh in with my experience.  About 2000 users in my company, and 
nearly 20% of them managed to get infected during one week a year or two 
ago.  That mess generated enough pressure that many of the desktops now 
have patches forced onto them, but almost none of the users learned 
anything.  I take that back, several of them learned I am a NUT, because I 
said Internet Explorer isn't safe to use.

On the good side, I have a friend who is almost totally computer 
illiterate, but has never had a virus or spyware or any other malware.
Rule #1: never double click any attachment.  If you have to open it, choose 
a program that should open that type of file and do a File -> Open.
Blindly following these rules has kept her safe for over 10 years.  So I 
know people can learn, at least by rote, regardless of understanding.
Rule #2: never use Microsoft software.  This probably helps an immense 
amount, too.

hermit921


At 10:09 AM 9/13/2005, Scott Pinzon wrote:
> I've been watching with a certain morbid fascination as Marcus has
> ranted in his own blog and in FW-WIZ (and who knows where else) that
> educating users about security is one of the "dumbest ideas" and "if it
> was ever going to work, it would have by now." I have tremendous respect
> for you, Marcus (epecially since you have, I dunno, six times the years
> in computer security that I do). But I can't help feeling, in my
> pipsqueak opinion, that on this one you're way off base.
>
>  My reasoning, in short:
>
> -- Ignorance is never better than knowledge in any realm. But particular
> to network security, my experience is that most clueless users are also
> people of good will who will cease dangerous behaviors once they
> understand those behaviors ARE dangerous.
>
> -- Educating users is another layer in "Defense in depth." If 10 out of
> 100 users click evil email attachments, and through education you reduce
> that to 3 out of 100, you've improved that layer.
>
> -- Educating users has been proven to work at company after company.
> Help desk calls, viral infections, falling victim to phishing emails,
> and more, have been quantitatively and demonstrably reduced at companies
> that institute end-user security training.
>
> -- And how do you know "it" (educating end users) is not working? We
> have no before/after comparison on what the Internet would be like if
> all of us who preach security had stopped five years ago.
>
> Maybe I'm misunderstanding you, but my take-away from your blog article
> is that you are so discouraged by end-user ignorance, you think we
> should all stop wasting our breath on them. Your recommendation is that
> we set up an environment through quarantining and what-not where users
> have no opportunity to hurt themselves. In rebuttal, I cite the crusty
> old maxim, "Genius has its limits, but stupidity is infinite." We CAN'T
> (through technology) create an environment where clueless users can't
> hurt themselves. To keep a network secure, we need users on our side. We
> can get them there if we try.
>
> Am I really the only one on this list who thinks so? Or Marcus, did I
> misinterpret you?
>
>
> SCOTT PINZON, CISSP
> Editor-in-Chief, LiveSecurity Service
> WatchGuard Technologies, Inc.
> 505 5th Ave. South | Suite 500 | Seattle | WA | 98104
> 206.613.6648

[deleted] 


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards