RE: User Education (was: New article on SecurityFocus)

From: Erin Carroll (amoeba@amoebazone.com)
Date: Mon Jan 09 2006 - 14:13:47 EST


Pen-test list members,

This topic has strayed pretty far and I'll be rejecting further posts to
the pen-test list on this tangent. If you want to continue following this
discussion please note that at some point this was cross-posted to
focus-ms@securityfocus.com and you can continue it there.

Erin Carroll
Moderator
SecurityFocus pen-test list
"Do Not Taunt Happy-Fun Ball"

On Mon, 9 Jan 2006, Derick Anderson wrote:

>
>
> > -----Original Message-----
> > From: Brady McClenon [mailto:BMcClenon@uamail.albany.edu]
> > Sent: Monday, January 09, 2006 12:13 PM
> > To: Derick Anderson; pen-test@securityfocus.com;
> > focus-ms@securityfocus.com
> > Subject: RE: New article on SecurityFocus
> >
> > "If users could be educated it would have already been done by now"
> >
> > This is the attitude that is rampant in the technology sector
> > that leads
> > to the ignorant technology user. Those responsible for the education
> > that believe users can not be educated create a self-fulfilling
> > prophecy. I've heard so many times that "you can't expect users to
> > understand that" as an excuse to not even try, that I'd like
> > to scream.
>
> I think you're taking what I'm saying a little too far. I think there
> are a couple of reasons beyond industry apathy which contribute to
> uneducated users:
>
> 1. It is too expensive. I think it would be great if all the users where
> I work had even a quarter of my rather limited security knowledge and
> experience, but try getting your C-level execs to take time out of their
> schedule to learn about phishing scams and WMF exploits. And I've got a
> full enough load without adding the preparation (dumbing down material,
> making it pertinent to other viewpoints, having visual aids, etc.) and
> delivery of user education to it.
>
> 2. Many users aren't interested in being educated. Most don't see how
> security relates to their job - about the only time they run into it is
> when they get denied access to something that they need, and it's true
> in IT just as much as anywhere else. When I raised the minimum password
> length from 7 characters to 8, I gave a short presentation on pass
> phrases (and how they are easier to remember) followed by an email with
> details on how 8-character+ passphrases are far more secure than 7
> character passwords. One user responded that it was "overkill." Based on
> responses I've had since then I'd say less than 25% of our users
> actually started using pass phrases.
>
> 3. Many users can't understand security. Some people simply lack the
> capacity to understand how computers and networking work at all. Some
> people just don't have the paranoia it takes to be safe on the Internet.
> I had one user insist she'd gotten an email from the CIA about illegal
> websites she'd visited. I explained that it was spam, but she still
> wanted to print it out so I could read it. I had to say "Just delete it,
> that's spam" three times before she finally agreed to delete it.
>
> 4. Some users refuse to follow the rules. Just as there are plenty of
> bad drivers who passed driver's ed, there are users who willfully
> disregard policies or attempt to circumvent software designed to protect
> them. Since it usually only takes one internal user to infect the
> network, this point alone seriously dings any benefit to be had from
> user education. You can't depend on it as a defined layer of security
> because you don't know where the holes are.
>
>
> In my opinion a cost/benefit analysis of user education just doesn't
> fly. It's too expensive for the minimal return you'll get. It's not as
> though you can say, "We've spent $xxx training our users - that means we
> don't need AV anymore." I'd rather invest time and money adding layers
> of defense which aren't contingent on user participation.
>
>
> > I've seen secretaries dependent on their typewriters and terrified of
> > computers learn to the point where they are now dependent on their PC,
> > and can't function without it. Some became so proficient in office
> > applications that I later used them as a resource on other users'
> > problems. How often do I do a mail merge... Wait... Have I ever? Sure, if
> > you teach 10 people, at best probably 8-9 will get it, but
> > that's better
> > than having not tried at all.
> >
> > Very few people are willing to try to educate their users.
> > This is why
> > it has been done by now.
>
>
> Expecting user sophistication to grow with malware sophistication as an
> answer to poorly designed software and systems just doesn't make sense.
> You can ingrain a few basics into peoples' heads (don't open attachments
> from people you don't know, don't follow links in emails from people you
> don't know, don't surf to questionable sites) but after that is where
> security professionals are supposed to take over.
>
> Derick Anderson
>




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:20 EDT