RE: [inbox] Re: CyberInsecurity: The cost of Mo nopoly

["Michael Smith" <mike () sane com>]

> Oh come on.  We don't expect our mechanics to brake and steer for us,
> fer cryin' out loud.  We're not talking about *maintaining the computer.
> We're talking about *operating* it.  Things like passwords, awareness of
> attachment dangers, the need for routine patching (think oil changes)
> and up to date antivirus software (think gas).  The car mechanic takes
> care of repairs and maintenance, yes, but the driver is the one who has
> to bring the car in.  That means they have to be *aware* that
> maintenance is required.  They have to realize that if they don't change
> the oil every 3000 miles they will have long term problems.
>
> The same thing is true in computing.  Users must realize that
> maintenance is required, and it's their responsibility to "bring it in"
> for maintenance.  They can't just blithely assume that IT is doing it
> for them.  They need to *know* if it's overdue (think missing patches)
> or requires an overhaul (think new OS.)
>
> We don't let people drive cars without some proof that they know how.
> We don't even let them neglect the maintenance any more (think emissions
> inspections.)  Why should we let people use computers with no training,
> no awareness of the potential trouble spots, no idea what they're
> getting in to?  That's insanity.  And that's why we have hundreds of
> thousands of infections with every new iteration of a worm or virus.
> And IT people contribute to the problem by throwing up their hands and
> saying that the users don't want to learn or can't be taught.  They
> *must* be taught.  There is no other way to solve the problem.

Paul, you have a *slight* point with the fact that users need to be aware of
security issues, but let's realize that no matter how easy UI's become,
using/operating/maintaining a computer is NEVER going to be *nearly* as easy
as driving a car.  As far as not letting people to drive a car without proof
that they know how, my eyes tell me differently every day.  Most people
can't drive worth a damn.

I certainly agree that computer users need to be aware, but as far as
depending on that as the bottom line of defense, it just can't be.  Your
network is as secure as it's LEAST secure point.  All it takes is 1 lazy
user to not maintain their machine and that's it.  Obviously trained
knowledgeable users should be everyone's desire, I just don't think you can
rely on it for your network security.  For my money, I'll hope all my users
understand and follow the training I've given them.... but I won't rely on
it.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html