RE: New article on SecurityFocus

["Richard Zaluski" <rzaluski () ivolution ca>]

I agree with Brady, it's frustrating to hear the same thing over and over as
an excuse. Even a little education goes a long way. Yes sure you will always
have the few people who just don't get it but does that mean you abandon the
whole concept? No, not in our books.

We (iVOLUTION) are a training and services company and have done corporate
training in Security Awareness. Even some of the basic principles we teach
have an immediate impact on calls to the help desk.

I think for the case of the 'Best Buy's' out there providing training along
with a PC, it's a nice thought, but it's a cost to them unless they can
market it and make money on it its not going to happen. The margins on PC
sales are thin so any additional costs added on is a hard sell to
management.  Companies such as that are into moving inventory.

Thanks

Richard Zaluski
CISO, Security and Infrastructure Services iVOLUTION  
Technologies Incorporated
905.309.1911
866.601.4678
www.ivolution.ca
rzaluski () ivolution ca

-----Original Message-----
From: Brady McClenon [mailto:BMcClenon () uamail albany edu] 
Sent: Monday, January 09, 2006 12:13 PM
To: Derick Anderson; pen-test () securityfocus com; focus-ms () securityfocus com
Subject: RE: New article on SecurityFocus

"If users could be educated it would have already been done by now"

This is the attitude that is rampant in the technology sector that leads
to the ignorant technology user.  Those responsible for the education
that believe users can not be educated create a self-fulfilling
prophecy.  I've heard so many time that "you can't expect users to
understand that" as an excuse to not even try,  that I'd like to scream.
I've seen secretaries dependent on their typewriters and terrified of
computers learn to the point were they are now dependant on their pc,
and can't function without.  Some became so proficient on office
applications, that I later used them as a resource on other users
problems.  How often do a mail merge... Wait... Have I ever?   Sure if
you teach 10 people at best probably 8-9 will get it, but that's better
then having not tried at all.  

Very few people are willing to try to educate their users.  This is why
is has been done by now.  



> -----Original Message-----
> From: Derick Anderson [mailto:danderson () vikus com] 
> Sent: Monday, January 09, 2006 9:49 AM
> To: pen-test () securityfocus com; focus-ms () securityfocus com
> Subject: RE: New article on SecurityFocus
>
>
>
> > -----Original Message-----
> > From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
>
> [snip]
>
> > What we need here is education of why we shouldn't be blindly
> > clicking
> > like we are.  When you buy a new computer...where is the security
> > education from the Best Buy or Dell?
>
> If users could be educated it would have already been done by now. I
> can't take credit for that opinion as Marcus Ranum
> (http://www.ranum.com/security/computer_security/editorials/du
> mb/) said
> it first.
>
> I think it's funny that you bring up Dell and Best Buy when 
> Microsoft is
> the one with an EXECUTABLE image format. There have been quite a few
> image vulnerabilities in the last year or so but I don't 
> remember any of
> them resulting from the built-in ability to execute code.
>
>
> > But to say this is "It's probably bigger than for any other
> > vulnerability we've seen"
> > http://money.cnn.com/2006/01/03/technology/windows_virusthreat
> > /index.htm?cnn=yes
> >
> > Gimme a break... it didn't stop the Internet [SQL Slammer], 
> it didn't
> > shut down entire businesses [Blaster], but it did freak out
> > the Security
> > community.
>
> From what I can tell, Slammer wasn't a 0-day and neither was 
> Blaster (at
> least the first set of worms). If memory serves, Slammer was 
> the result
> of admins not applying a patch from Microsoft available months before
> the worm was released. Since then Microsoft patching has 
> vastly improved
> and admin paranoia has gotten worse.
>
> The scariest thing about WMF is that it targets user interaction using
> what used to be the most innocuous file format besides plain 
> text. Users
> are the hardest part of the network to secure - and with WMF it just
> takes one click.
>
> Derick Anderson
>
> --------------------------------------------------------------
> -------------
> --------------------------------------------------------------
> -------------

----------------------------------------------------------------------------
--
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are

futile against web application hacking. Check your website for
vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers
do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
----------------------------------------------------------------------------
---




------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------