Secure Coding mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Protecting users from their own actions

From: "Wall, Kevin" <Kevin.Wall () qwest com>
Date: Wed, 07 Jul 2004 01:31:23 +0100
In Ken van Wyk's cited article at
        http://www.esecurityplanet.com/views/article.php/3377201
he writes...


As I said above, user awareness training is a fine practice
that shouldn't be abandoned. Users are our first defense
against security problems, and they should certainly be
educated on how to spot security problems and who to report
them to. By all means, teach your users to be wary of incoming
email attachments. Teach them to keep their anti-virus software
up to date, and their firewall software locked down tight.

Do not, however, be shocked when they make the ''wrong'' choice. 


I would contend that in any sufficiently large user population the
probability that someone will open up a suspect attachment approaches
one. In fact, I think that in a sufficiently large population, this
probability approaches 1 even if:

    1) the e-mail were from a complete stranger;
    2) the name of attached file was
       "i_am_a_worm_that_will_destroy_your_harddrive.exe".

(#2 assuming that your mail filter didn't catch something so
obvious -- and it it didn't, time to revise your filtering
rules! ;-)

So, I completely agree that we ought to EXPECT that users will do
foolish things (with malice or out of ignorance--I'm not trying to
make a moral judgement here) and thus we need to be prepared to
practice "security in depth".

However, (repeating here, from above) Ken also wrote...


... Teach them [users] to keep their anti-virus software
up to date, and their firewall software locked down tight.


I'm not sure why this is something that should be left up to users.
Isn't this something that users probably shouldn't be given a choice
on? Normally I would think that corporate security policy dictate
keeping the AV software / signatures up-to-date as well as dictating
the (personal) firewall configurations. Some centrally administered
software should do these things. I don't think that (except under very
rare circumstances), users should even be given a _choice_ about
such things. While that may seem Draconian to some, thats what works
best in practice.

Cheers,
-kevin
---
Kevin W. Wall           Qwest Information Technology, Inc.
[EMAIL PROTECTED]       Phone: 614.215.4788
"The difference between common-sense and paranoia is that common-sense
 is thinking everyone is out to get you. That's normal -- they are.
 Paranoia is thinking that they're conspiring."    -- J. Kegler
Previous By Date Next
Previous By Thread Next

Current thread: