RE: User Education (was: New article on SecurityFocus)

From: Derick Anderson (danderson@vikus.com)
Date: Mon Jan 09 2006 - 13:41:20 EST


 

> -----Original Message-----
> From: Brady McClenon [mailto:BMcClenon@uamail.albany.edu]
> Sent: Monday, January 09, 2006 12:13 PM
> To: Derick Anderson; pen-test@securityfocus.com;
> focus-ms@securityfocus.com
> Subject: RE: New article on SecurityFocus
>
> "If users could be educated it would have already been done by now"
>
> This is the attitude that is rampant in the technology sector that
> leads to the ignorant technology user. Those responsible for the
> education that believe users can not be educated create a
> self-fulfilling prophecy. I've heard so many times that "you can't
> expect users to understand that" as an excuse to not even try, that
> I'd like to scream.

I think you're taking what I'm saying a little too far. I think there
are a couple of reasons beyond industry apathy which contribute to
uneducated users:

1. It is too expensive. I think it would be great if all the users where
I work had even a quarter of my rather limited security knowledge and
experience, but try getting your C-level execs to take time out of their
schedule to learn about phishing scams and WMF exploits. And I've got a
full enough load without adding the preparation (dumbing down material,
making it pertinent to other viewpoints, having visual aids, etc.) and
delivery of user education to it.

2. Many users aren't interested in being educated. Most don't see how
security relates to their job - about the only time they run into it is
when they get denied access to something that they need, and it's true
in IT just as much as anywhere else. When I raised the minimum password
length from 7 characters to 8, I gave a short presentation on
passphrases (and how they are easier to remember) followed by an email
with details on how 8-character+ passphrases are far more secure than
7-character passwords. One user responded that it was "overkill." Based
on responses I've had since then I'd say less than 25% of our users
actually started using passphrases.

3. Many users can't understand security. Some people simply lack the
capacity to understand how computers and networking work at all. Some
people just don't have the paranoia it takes to be safe on the Internet.
I had one user insist she'd gotten an email from the CIA about illegal
websites she'd visited. I explained that it was spam, but she still
wanted to print it out so I could read it. I had to say "Just delete it,
that's spam" three times before she finally agreed to delete it.

4. Some users refuse to follow the rules. Just as there are plenty of
bad drivers who passed driver's ed, there are users who willfully
disregard policies or attempt to circumvent software designed to protect
them. Since it usually only takes one internal user to infect the
network, this point alone seriously dings any benefit to be had from
user education. You can't depend on it as a defined layer of security
because you don't know where the holes are.

In my opinion a cost/benefit analysis of user education just doesn't
fly. It's too expensive for the minimal return you'll get. It's not as
though you can say, "We've spent $xxx training our users - that means we
don't need AV anymore." I'd rather invest time and money adding layers
of defense which aren't contingent on user participation.

> I've seen secretaries dependent on their typewriters and terrified of
> computers learn to the point where they are now dependent on their PC,
> and can't function without. Some became so proficient on office
> applications, that I later used them as a resource on other users'
> problems. How often do a mail merge... Wait... Have I ever? Sure if
> you teach 10 people at best probably 8-9 will get it, but that's
> better than having not tried at all.
>
> Very few people are willing to try to educate their users. This is
> why it has been done by now.

Expecting user sophistication to grow with malware sophistication as an
answer to poorly designed software and systems just doesn't make sense.
You can ingrain a few basics into people's heads (don't open attachments
from people you don't know, don't follow links in emails from people you
don't know, don't surf to questionable sites) but after that is where
security professionals are supposed to take over.

Derick Anderson
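
The 7-to-8 character change and the passphrase advice in the message
above are the sort of thing a practitioner would rather enforce on the
server than teach in a presentation. The following is an added example,
not code from the original post or from either author, that puts
numbers on the claim and enforces the policy as a control that works
whether or not the user attended the talk. It assumes a 95-character
printable-ASCII alphabet for the brute-force model and a 7776-word list
(the size of a standard diceware list) for the passphrase model; both
sizes and the 40-bit floor are constructed assumptions, not figures from
the post.

```python
import math
import re

# Constructed assumptions (not from the original post): character-class
# sizes for printable ASCII, and a 7776-word list for the passphrase model.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
WORDLIST_SIZE = 7776
# A "word phrase" here is lowercase words separated by single spaces; an
# attacker who recognises that shape guesses whole words, not characters.
WORD_PHRASE = re.compile(r"^[a-z]+(?: [a-z]+)*$")


def charset_size(password: str) -> int:
    """Alphabet an attacker must search, inferred from the character
    classes actually present in the password."""
    size = 0
    if any(c.islower() for c in password):
        size += CLASS_SIZES["lower"]
    if any(c.isupper() for c in password):
        size += CLASS_SIZES["upper"]
    if any(c.isdigit() for c in password):
        size += CLASS_SIZES["digit"]
    if any(not c.isalnum() for c in password):
        size += CLASS_SIZES["symbol"]
    return size


def brute_force_bits(password: str) -> float:
    """log2 of the keyspace for an attacker guessing character by character."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(phrase: str, wordlist_size: int = WORDLIST_SIZE) -> float:
    """log2 of the keyspace for an attacker guessing whole words from a list."""
    return len(phrase.split()) * math.log2(wordlist_size)


def estimated_bits(secret: str) -> float:
    """Strength under the cheaper of the two attack models: word-by-word
    for lowercase word phrases, character-by-character for everything else."""
    if WORD_PHRASE.match(secret):
        return min(passphrase_bits(secret), brute_force_bits(secret))
    return brute_force_bits(secret)


def keyspace_ratio(new_len: int, old_len: int, alphabet: int = 95) -> int:
    """Factor by which a brute-force search grows when the minimum length
    rises from old_len to new_len over a fixed alphabet."""
    return alphabet ** (new_len - old_len)


def check_policy(password: str, min_length: int = 8, min_bits: float = 40.0) -> list:
    """Server-side policy check: returns the violations, empty if the
    password is acceptable. Enforced at password-change time, it does not
    depend on the user having read the email."""
    problems = []
    if len(password) < min_length:
        problems.append(f"length {len(password)} is below the minimum of {min_length}")
    bits = estimated_bits(password)
    if bits < min_bits:
        problems.append(f"estimated strength {bits:.1f} bits is below {min_bits:.0f}")
    return problems


if __name__ == "__main__":
    print("7 -> 8 chars multiplies brute-force work by", keyspace_ratio(8, 7))
    for candidate in ("bluecat", "Tr0ub4d", "Tr0ub4d!", "correct horse battery staple"):
        print(f"{candidate!r}: {estimated_bits(candidate):.1f} bits, "
              f"violations: {check_policy(candidate) or 'none'}")
```

Going from 7 to 8 printable characters multiplies the brute-force
search by 95, but the word model shows the other half of the story: a
single dictionary word such as "bluecat" sits far below the floor no
matter how it is spelled, while a four-word phrase clears it on length
alone. The policy checker is the layer that does not depend on user
participation; the two estimators are only there to explain the
numbers to anyone who asks.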




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:20 EDT