Full Disclosure mailing list archives

RE: [inbox] Re: CyberInsecurity: The cost of Monopoly


From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Tue, 30 Sep 2003 09:24:13 -0500

-----Original Message-----
From: Chris Cozad [mailto:ccozad () sci-aust com au] 
Sent: Tuesday, September 30, 2003 1:10 AM
To: Schmehl, Paul L
Cc: 'full-disclosure () lists netsys com'
Subject: RE: [inbox] Re: [Full-disclosure] CyberInsecurity: The cost of
Monopoly

Do you really think you could convince the average user that they 
need to know this much about security? I mean, most users see their 
computers (and the network, servers, phones, faxes, etc...) as a 
tool to do business with. Nothing else. The computers are there to 
do a job, or help get a job done, and nothing else. It is not so 
much that they don't know, it is that they don't need to know.

Vehicles are tools to get a job done - transporting you from one
location to another.  Do you really think people who use vehicles as
transportation will sit through driver's training?  Same argument.  If we
are ever going to get control of this beast we call the network, we
*must* enlist the aid of the users.  You only need look at the recent
explosion of new ways for them to bring your network down to realize
that you *must* get them to cooperate.

Is it too much to ask that users be asked to understand the basics of
good passwords?  Why you don't leave your password on a sticky note on
your screen?  Why you lock your workstation when you get up to get a cup
of coffee?  Why it's a bad idea to open attachments?  What kind of evil
is out there on the Internet?

I'll tell you this.  If you *don't* train your users, you're done for.
Because *now* their home computers are a threat to your network.  They
extend the boundaries and introduce all sorts of new variables.  And you
can't possibly control them all with technology.  Technology is great,
and it can do a lot of things, but it will not solve the "human
problem", now or ever.

To actually get users to attend this level of training would be 
fantastic. Our jobs would be so much easier. But it just ain't gonna 
happen in the real world. It is definitely up to us, as security 
professionals, to effectively "idiot-proof" our systems, so that 
users only need to know some basic security rules.

We are doing it at UTD right now.  We conduct security awareness
sessions with students, staff and faculty (not all at the same time),
and we provide handouts with a list of dos and don'ts and links to
resources.

If you don't try, you'll never know.  Besides, if you haven't already
figured it out, you *can't* idiot-proof your environment.  Users have
already proven that, haven't they?

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
