Penetration Testing mailing list archives
RE: User Education (was: New article on SecurityFocus)
From: Erin Carroll <amoeba () amoebazone com>
Date: Mon, 9 Jan 2006 14:13:47 -0500 (EST)
Pen-test list members,

This topic has strayed pretty far and I'll be rejecting further posts to the pen-test list on this tangent. If you want to continue following this discussion please note that at some point this was cross-posted to focus-ms () securityfocus com and you can continue it there.

Erin Carroll
Moderator
SecurityFocus pen-test list
"Do Not Taunt Happy-Fun Ball"

On Mon, 9 Jan 2006, Derick Anderson wrote:
> -----Original Message-----
> From: Brady McClenon [mailto:BMcClenon () uamail albany edu]
> Sent: Monday, January 09, 2006 12:13 PM
> To: Derick Anderson; pen-test () securityfocus com; focus-ms () securityfocus com
> Subject: RE: New article on SecurityFocus
>
> "If users could be educated it would have already been done by now"
>
> This is the attitude that is rampant in the technology sector that leads to the ignorant technology user. Those responsible for the education who believe users cannot be educated create a self-fulfilling prophecy. I've heard so many times that "you can't expect users to understand that" as an excuse to not even try, that I'd like to scream.

I think you're taking what I'm saying a little too far. I think there are a couple of reasons beyond industry apathy which contribute to uneducated users:

1. It is too expensive. I think it would be great if all the users where I work had even a quarter of my rather limited security knowledge and experience, but try getting your C-level execs to take time out of their schedule to learn about phishing scams and WMF exploits. And I've got a full enough load without adding the preparation (dumbing down material, making it pertinent to other viewpoints, having visual aids, etc.) and delivery of user education to it.

2. Many users aren't interested in being educated. Most don't see how security relates to their job - about the only time they run into it is when they get denied access to something that they need, and it's true in IT just as much as anywhere else. When I raised the minimum password length from 7 characters to 8, I gave a short presentation on pass phrases (and how they are easier to remember) followed by an email with details on how 8-character+ passphrases are far more secure than 7-character passwords. One user responded that it was "overkill." Based on responses I've had since then I'd say less than 25% of our users actually started using pass phrases.

3. Many users can't understand security. Some people simply lack the capacity to understand how computers and networking work at all. Some people just don't have the paranoia it takes to be safe on the Internet. I had one user insist she'd gotten an email from the CIA about illegal websites she'd visited. I explained that it was spam, but she still wanted to print it out so I could read it. I had to say "Just delete it, that's spam" three times before she finally agreed to delete it.

4. Some users refuse to follow the rules. Just as there are plenty of bad drivers who passed driver's ed, there are users who willfully disregard policies or attempt to circumvent software designed to protect them. Since it usually only takes one internal user to infect the network, this point alone seriously dings any benefit to be had from user education. You can't depend on it as a defined layer of security because you don't know where the holes are.

In my opinion a cost/benefit analysis of user education just doesn't fly. It's too expensive for the minimal return you'll get. It's not as though you can say, "We've spent $xxx training our users - that means we don't need AV anymore." I'd rather invest time and money adding layers of defense which aren't contingent on user participation.

> I've seen secretaries dependent on their typewriters and terrified of computers learn to the point where they are now dependent on their PC, and can't function without it. Some became so proficient in office applications that I later used them as a resource on other users' problems.

How often do I do a mail merge... Wait... Have I ever?

> Sure, if you teach 10 people, at best probably 8-9 will get it, but that's better than having not tried at all. Very few people are willing to try to educate their users. This is why it has been done by now.

Expecting user sophistication to grow with malware sophistication as an answer to poorly designed software and systems just doesn't make sense. You can ingrain a few basics into people's heads (don't open attachments from people you don't know, don't follow links in emails from people you don't know, don't surf to questionable sites) but after that is where security professionals are supposed to take over.

Derick Anderson

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------