Full Disclosure mailing list archives
RE: [inbox] Re: CyberInsecurity: The cost of Monopoly
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Tue, 30 Sep 2003 09:24:13 -0500
-----Original Message-----
From: Chris Cozad [mailto:ccozad () sci-aust com au]
Sent: Tuesday, September 30, 2003 1:10 AM
To: Schmehl, Paul L
Cc: 'full-disclosure () lists netsys com'
Subject: RE: [inbox] Re: [Full-disclosure] CyberInsecurity: The cost of Monopoly
> Do you really think you could convince the average user that they need to know this much about security? I mean, most users see their computers (and the network, servers, phones, faxes, etc.) as a tool to do business with. Nothing else. The computers are there to do a job, or help get a job done, and nothing else. It is not so much that they don't know, it is that they don't need to know.
Vehicles are tools to get a job done - transporting you from one location to another. Do you really think people who use vehicles as transportation will sit through drivers training? Same argument. If we are ever going to get control of this beast we call the network, we *must* enlist the aid of the users. You only need look at the recent explosion of new ways for them to bring your network down to realize that you *must* get them to cooperate. Is it too much to ask that users be asked to understand the basics of good passwords? Why you don't leave your password on a sticky note on your screen? Why you lock your workstation when you get up to get a cup of coffee? Why it's a bad idea to open attachments? What kind of evil is out there on the Internet? I'll tell you this. If you *don't* train your users, you're done for. Because *now* their home computers are a threat to your network. They extend the boundaries and introduce all sorts of new variables. And you can't possibly control them all with technology. Technology is great, and it can do a lot of things, but it will not solve the "human problem", now or ever.
> To actually get users to attend this level of training would be fantastic. Our jobs would be so much easier. But it just ain't gonna happen in the real world. It is definitely up to us, as security professionals, to effectively "idiot proof" our systems, so that users only need to know some basic security rules.

We are doing it at UTD right now. We conduct security awareness sessions with students, staff and faculty (not all at the same time), and we provide handouts with a list of dos and don'ts and links to resources. If you don't try, you'll never know. Besides, if you haven't already figured it out, you *can't* idiot-proof your environment. Users have already proven that, haven't they?

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: [inbox] Re: CyberInsecurity: The cost of Monopoly, (continued)
- Re: [inbox] Re: CyberInsecurity: The cost of Monopoly Frank Knobbe (Sep 29)
- Re: [inbox] Re: CyberInsecurity: The cost of Monopoly Rodrigo Barbosa (Sep 29)
- Re: [inbox] Re: CyberInsecurity: The cost of Monopoly Paul Schmehl (Sep 29)
- Re: [inbox] Re: CyberInsecurity: The cost of Monopoly Rodrigo Barbosa (Sep 30)
- RE: [inbox] Re: CyberInsecurity: The cost of Monopoly Curt Purdy (Sep 30)
- Re: [inbox] Re: CyberInsecurity: The cost of Monopoly Frank Knobbe (Sep 29)
- RE: [inbox] Re: CyberInsecurity: The cost ofMonopoly Steve Wray (Sep 30)
- RE: [inbox] Re: CyberInsecurity: The cost of Monopoly Paul Schmehl (Sep 29)
- RE: [inbox] Re: CyberInsecurity: The cost of Monopoly Ron DuFresne (Sep 30)
- RE: [inbox] Re: CyberInsecurity: The cost of Monopoly Dan Stromberg (Sep 30)