PaulDotCom mailing list archives
No subject
From: bogus () does not exist com ()
Date: Tue, 04 Aug 2009 23:25:38 -0000
ded in each economic calculation. In the example of lottery tickets, it's the fantasy of extreme wealth. Depending on the culture and the personality, humiliation avoidance carries a high 'X' factor premiu= m. Regulatory compliance or contract requirements can be a huge 'X' factor. Fear can be a huge 'X' factor. Each person has their own &#= 39;X' factor of concerns. Our job is to identify those concerns, address them and make appropriate recommendations.<br> <br> An interesting example is the money and effort spent on preventing terrorism on airplanes. From a strictly economic perspective, it doesn't make sense to put our current safe guards in place. However, few people would recommend removing the security controls in place when they are getting ready to board a plane. That's an 'X' factor.<= br> <br> I question the probability of an end user having a problem being slight. When you look at the rapid spread of malware, the growth of botnets, identity theft and banking trojans, there is a lot going on. Most end users do not realize the threats that are occurring, or the actual frequency of the attacks. These are the people we need to educate.<br> <br> Can we reach everyone? No. There are *always* irrational people. In my working life, I've encountered several people that simply cannot be reasoned with for various reasons. When they are 'worker bees' they= can be dealt with by management. When they are management, nature seems to take care of things in due time (and you don't want to be around when i= t happens).<br><br>Bart<br><br><div class=3D"gmail_quote">On Mon, Feb 15, 2= 010 at 12:43 PM, Jack Daniel <span dir=3D"ltr"><<a href=3D"mailto:jackad= aniel at gmail.com">jackadaniel at gmail.com</a>></span> wrote:<br> <blockquote class=3D"gmail_quote" style=3D"border-left: 1px solid rgb(204, = 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">But that's th= e point, the actual risk to the end user is negligible if<br> you do the math- the costs of being hit are often low, but even if<br> they were high, the chance of compromise is so low that the<br> distributed risk risk is still negligible. =A0If the aggregated risk is<br> low per user, then it is economically irrational to take extra<br> measures to protect yourself.<br> <br> And- it is not their fault. =A0They are expected to use fundamentally<br> insecure (and largely unsecurable, practically speaking) systems, and<br> "being secure" is not their job, their job is to<br> produce/sell/whatever.<br> <font color=3D"#888888"><br> Jack<br> </font><div><div></div><div class=3D"h5"><br> <br> <br> On Mon, Feb 15, 2010 at 12:49 PM, =A0<<a href=3D"mailto:d4ncingd4n at gmail= .com">d4ncingd4n at gmail.com</a>> wrote:<br> > I think it also helps to explain the personal risk to them. If their c= omputer is used to host kiddie porn they would have to deal with the *embar= rassment* and the risk of being wrongly convicted could destroy their lives= personally and professionally. Identity theft can be inconvenient even if = you have protection. If your company has their ACH account hit for hundreds= of thousands of dollars due to THEIR pc having Zeus or Clampi and the comp= any folds, you will lose your job.<br> ><br> > FUD? I don't think so. You just have to find a way to make it real= to them instead of something you see in the movies or the self-important d= elusions of paranoid nerds. (which is how we are sometimes unfortunately se= en)<br> ><br> > Bart<br> > Sent from my Verizon Wireless BlackBerry<br> ><br> > -----Original Message-----<br> > From: Jack Daniel <<a href=3D"mailto:jackadaniel at gmail.com">jackada= niel at gmail.com</a>><br> > Date: Mon, 15 Feb 2010 12:22:48<br> > To: PaulDotCom Security Weekly Mailing List<<a href=3D"mailto:pauld= otcom at mail.pauldotcom.com">pauldotcom at mail.pauldotcom.com</a>><br> > Subject: Re: [Pauldotcom] End user education<br> ><br> > I need to craft a longer answer, but I will say the results of user<br=
> education programs are very dependent on the end user being taught. = =A0I<br> > have had much better luck with some groups than others. =A0The car<br> > business. that is definitely a "teaching pigs to sing" exper= ience.<br> > Thanks for the insights Raffi and Jody.<br> ><br> > I think we'll be hearing more about this topic ;)<br> ><br> > Jack<br> ><br> ><br> > On Sun, Feb 14, 2010 at 9:17 PM, Raffi Jamgotchian<br> > <<a href=3D"mailto:raffi at flossyourmind.com">raffi at flossyourmind.com= </a>> wrote:<br> >> Jack,<br> >><br> >> I used to feel the same way that you did only a few years ago. =A0= I think it<br> >> was particularly because our security program from the larger corp= oration I<br> >> came from was ineffective. The problem with giving up on the end-u= ser is<br> >> that you end up with spending too much time and money on tools. I = know those<br> >> things are not necessarily items that are exclusive of each other = but hear<br> >> me out.<br> >><br> >> When I was asked to be CTO of a small investment firm startup (aft= er I left<br> >> larger investment firm noted above), I agreed to every security st= artup that<br> >> I met that I would put their product into my environment at no or = low cost<br> >> in return for feedback to them and them allowing to use our compan= y name in<br> >> their marketing. =A0Besides finding myself becoming somewhat of a = tech whore<br> >> (sorry if that offends), I found that I was spending too much time= <br> >> overcomplicating the environment which led to other issues. Both o= f those<br> >> left a bad taste in my mouth so I made a conscious switch.<br> >><br> >> Since then, I've moved into a consulting role with the same fi= rm as well as<br> >> a few other small investment and non-investment firms. =A0I've= found that by<br> >> spending one on one time about the consequences in addition to pra= gmatic<br> >> controls is the best defense we have today. Small business typical= ly don't<br> >> have the resources to spend oodles of money on tools and people so= they have<br> >> to do, as Mick said at ShmooCon, "secure enough."<br> >><br> >> The church I go to has a prototypical very conservative Armenian p= riest.<br> >> His sermons are super long and are said in two languages (Armenian= and<br> >> English). =A0When he wants to teach or preach to a point, he says = the same<br> >> thing three different ways, and then again in both languages. Now = someone<br> >> that understands both languages got the same lesson 6 times. =A0Gu= ess what, it<br> >> eventually sinks in. =A0Although we like to treat employees like a= dults, and<br> >> we expect them to behave that way, the truth is, that most adults = (like<br> >> Kindergarteners) need repetition in different ways to properly lea= rn. =A0As<br> >> security practitioners (and I'll speak to the small business m= arket since<br> >> that's what I focus on now a days) we need to be equal parts t= echnologists<br> >> to minimize the breakage when things happen but also teach the bus= iness<br> >> consequences of the actions people make. =A0If you work the conseq= uences into<br> >> the conversations in different ways repetitiously, it does eventua= lly sink<br> >> in, but it doesn't happen overnight.<br> >><br> >> Thanks for sending those links over. I'm always interested in = seeing what<br> >> others feel about this since my position is an evolving one.<br> >><br> >> -----Original Message-----<br> >> From: <a href=3D"mailto:pauldotcom-bounces at mail.pauldotcom.com">pa= uldotcom-bounces at mail.pauldotcom.com</a><br> >> [mailto:<a href=3D"mailto:pauldotcom-bounces at mail.pauldotcom.com">= pauldotcom-bounces at mail.pauldotcom.com</a>] On Behalf Of Jack Daniel<br> >> Sent: Sunday, February 14, 2010 2:17 PM<br> >> To: PaulDotCom Security Weekly Mailing List<br> >> Subject: [Pauldotcom] End user education<br> >><br> >> You've probably all seen Larry's fudsec post at<br> >> <a href=3D"http://fudsec.com/casual-hex-and-the-failure-of-securit= y-awaren" target=3D"_blank">http://fudsec.com/casual-hex-and-the-failure-of= -security-awaren</a> (You<br> >> haven't? Go now, and make sure you read the comments). =A0I th= ink it is a good<br> >> starting point for a conversation we need to have in InfoSec.<br> >><br> >> I have largely lined up with the dinosaurs like Ranum in my skepti= cism of<br> >> the value of user education, but have tried anyway. =A0I almost al= ways come<br> >> back to Robert Heinlein's quote: "Never try to teach a pi= g to sing; it<br> >> wastes your time and it annoys the pig." =A0We do get some su= ccesses, but at<br> >> what cost?<br> >><br> >> A more informed look at the education we give end users, and the r= easons<br> >> that they should reject the advice, is found in a paper Cormac Her= ley<br> >> delivered last year. =A0I read it when it came out, and keep going= back to it.<br> >> It isn't very long, but it isn't really a light read, eith= er. =A0PDF is at<br> >> <a href=3D"http://research.microsoft.com/users/cormac/papers/2009/= SoLongAndNoThanks.pdf" target=3D"_blank">http://research.microsoft.com/user= s/cormac/papers/2009/SoLongAndNoThanks.pdf</a><br> >><br> >> You may notice that this is focused on the home user, not the corp= orate end<br> >> user- that is on purpose, there just isn't enough data to extr= apolate<br> >> conclusions with the level of detail he wanted. =A0Cormac has obse= rved that<br> >> end users in business are rejecting the advice anyway. =A0I do thi= nk the<br> >> numbers have to shift significantly when we factor in the costs of= breaches<br> >> to organizations and the fact that many fraud protections offered = to<br> >> individuals do not apply to businesses. =A0My gut feeling is that = rejecting a<br> >> lot of "security advice" still makes economic sense, at = least from the<br> >> corporate end-user perspective, but the margins are slimmer.<br> >><br> >> There is also the issue of the true cost of breaches; if I have a = fraudulent<br> >> charge on a card I am not out any money *directly*, but we're = all paying<br> >> double-digit interest rates on credit cards when the prime is belo= w a<br> >> percent, partly to cover fraud expenses- and the price of goods in= cludes an<br> >> added margin to cover "shrinkage" (theft, loss, fraud, e= tc.). =A0We are all<br> >> paying for the fraud, but the true costs are so obfuscated that we= don't<br> >> know what the real numbers are.<br> >><br> >> I'm not sure where we go from here, but I do believe we need t= o be able to<br> >> honestly answer the question "is it worth it" before we = hand out security<br> >> advice and education, especially the same stuff we've been say= ing for years.<br> >><br> >> I think it makes sense to use this information to justify some loc= kdown of<br> >> corporate assets; if the users can't be relied on to protect t= he assets (and<br> >> arguably shouldn't have to), then we need to secure them befor= e letting<br> >> people loose to do their jobs.<br> >><br> >> I have exchanged a few emails with Cormac, he has received a prett= y good<br> >> response to the paper and he is certainly a sharp guy. =A0Hey, the= re's a guest<br> >> idea for the podcast...<br> >> (Paul's idol, Steve Gibson, even covered this paper, but of co= urse, didn't<br> >> speak to Cormac about it).<br> >><br> >> Jack<br> >><br> >><br> >> --<br> >>______________________________________<br> >> Jack Daniel, Reluctant CISSP<br> >> <a href=3D"http://twitter.com/jack_daniel"; target=3D"_blank">http:= //twitter.com/jack_daniel</a><br> >> <a href=3D"http://www.linkedin.com/in/jackadaniel"; target=3D"_blan= k">http://www.linkedin.com/in/jackadaniel</a><br> >> <a href=3D"http://blog.uncommonsensesecurity.com"; target=3D"_blank= ">http://blog.uncommonsensesecurity.com</a><br> >>_______________________________________________<br> >> Pauldotcom mailing list<br> >> <a href=3D"mailto:Pauldotcom at mail.pauldotcom.com">Pauldotcom at mail.= pauldotcom.com</a><br> >> <a href=3D"http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pau= ldotcom" target=3D"_blank">http://mail.pauldotcom.com/cgi-bin/mailman/listi= nfo/pauldotcom</a><br> >> Main Web Site: <a href=3D"http://pauldotcom.com"; target=3D"_blank"=
http://pauldotcom.com</a><br>
>><br> >>_______________________________________________<br> >> Pauldotcom mailing list<br> >> <a href=3D"mailto:Pauldotcom at mail.pauldotcom.com">Pauldotcom at mail.= pauldotcom.com</a><br> >> <a href=3D"http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pau= ldotcom" target=3D"_blank">http://mail.pauldotcom.com/cgi-bin/mailman/listi= nfo/pauldotcom</a><br> >> Main Web Site: <a href=3D"http://pauldotcom.com"; target=3D"_blank"=
http://pauldotcom.com</a><br>
>><br> ><br> ><br> ><br> > --<br> > ______________________________________<br> > Jack Daniel, Reluctant CISSP<br> > <a href=3D"http://twitter.com/jack_daniel"; target=3D"_blank">http://tw= itter.com/jack_daniel</a><br> > <a href=3D"http://www.linkedin.com/in/jackadaniel"; target=3D"_blank">h= ttp://www.linkedin.com/in/jackadaniel</a><br> > <a href=3D"http://blog.uncommonsensesecurity.com"; target=3D"_blank">ht= tp://blog.uncommonsensesecurity.com</a><br> > _______________________________________________<br> > Pauldotcom mailing list<br> > <a href=3D"mailto:Pauldotcom at mail.pauldotcom.com">Pauldotcom at mail.paul= dotcom.com</a><br> > <a href=3D"http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldot= com" target=3D"_blank">http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/= pauldotcom</a><br> > Main Web Site: <a href=3D"http://pauldotcom.com"; target=3D"_blank">htt= p://pauldotcom.com</a><br> > _______________________________________________<br> > Pauldotcom mailing list<br> > <a href=3D"mailto:Pauldotcom at mail.pauldotcom.com">Pauldotcom at mail.paul= dotcom.com</a><br> > <a href=3D"http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldot= com" target=3D"_blank">http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/= pauldotcom</a><br> > Main Web Site: <a href=3D"http://pauldotcom.com"; target=3D"_blank">htt= p://pauldotcom.com</a><br> ><br> <br> <br> <br> --<br> ______________________________________<br> Jack Daniel, Reluctant CISSP<br> <a href=3D"http://twitter.com/jack_daniel"; target=3D"_blank">http://twitter= .com/jack_daniel</a><br> <a href=3D"http://www.linkedin.com/in/jackadaniel"; target=3D"_blank">http:/= /www.linkedin.com/in/jackadaniel</a><br> <a href=3D"http://blog.uncommonsensesecurity.com"; target=3D"_blank">http://= blog.uncommonsensesecurity.com</a><br> </div></div></blockquote></div><br> --0016e6d7e06c30ae3b047fab7c0e--
Current thread:
- No subject, (continued)
- No subject (Aug 04)
- No subject (Aug 04)
- No subject (Aug 04)
- No subject (Aug 04)
- No subject (Aug 04)
- No subject (Aug 04)
- No subject (Aug 04)
- No subject (Aug 04)
- No subject (Aug 04)
- No subject (Aug 04)
- No subject (Aug 04)
- No subject (Aug 04)
- No subject (Aug 04)
- No subject (Aug 04)
- No subject (Aug 04)
- No subject (Aug 04)
- No subject (Aug 04)
- No subject (Aug 04)
- No subject (Aug 04)
- No subject (Aug 04)
- No subject (Aug 04)
(Thread continues...)