Re: [fw-wiz] The home user problem returns

From: Marcus J. Ranum (mjr_at_ranum.com)
Date: 09/14/05

    To: Mason Schmitt <mason@schmitt.ca>
    Date: Tue, 13 Sep 2005 18:35:59 -0400
    
    

    Mason Schmitt wrote:
    >I also don't think the user education problem is an epidemiological one
    >either. To suggest that ignorance to a growing and changing computer
    >security environment is somehow like a rapidly spreading pathogen is a
    >little bit of a stretch.

    I'm sorry, I really screwed up my explanation. Can I have another throw?

    Don't look at the problem from a "successfulness of prevention" standpoint,
    look at it from a "propagation of failure" standpoint. With something like AIDS,
    if you can make a significant percentage of the population aware of the problem,
    you've made it possible for the "aware people" to enclave, meet, and breed, and
    isolate the "unaware people" or those who have decided to argue in favor of
    natural selection by taking risks anyhow. So, in an area where you can educate
    50% of the population about something like AIDS you've got a fair chance that
    the 50% you educated will survive.

    Now, look at Internet security. If I educate 50% of the population about the
    need to worry about security, I still lose - horribly - because the other 50% of
    my population fails and their machines are used to attack the educated 50%!!
    That wouldn't be a problem except for transitive trust(*) - a big chunk, I have
    no idea how big, of the educated 50% would find themselves vulnerable to
    attacks from trusted parties and would be vulnerable, and then you'd very
    quickly be left with the only survivors being those who didn't trust anyone.
    Another factor is that the environment would become poisoned after a certain
    point. I am on a satellite internet hookup (pity me!) and when there's a new
    worm out there doing a lot of scanning I can pretty much rest assured that
    I will have no internet access for 2 or 3 days. I call this "adaptive packet
    clogging intrusion prevention" -- it's effective but annoying. Wait 'til Gartner
    hears about it.

    So, that's a lot of why I am so hard on the topic of user education. Unlike
    other problem areas where education is effective, user education in
    computer security is of questionable value because the propagation
    effect of one user making a mistake can overwhelm the results of your
    educational programme instantly. We've ALL heard the stories of the
    dweeboid executive who brings his laptop into the corporate WAN and
    plugs it in and releases something awful behind the firewall, right? Well,
    in 1/4 second, the entire educational programme at that organization
    was utterly mooted. When you're fighting AIDS or illiteracy, local
    failures do not propagate into massive system-wide failures.

    Please - don't get me wrong: education is great. But if corporations want
    to improve their security, it's not a particularly effective investment, in my
    opinion. I know of no studies that shed light one way or another on this
    question and I probably wouldn't trust them if I did. Why not? Because
    there are some organizations that have chosen education as a
    SUBSTITUTE for mechanism. My guess is that they'd skew the metrics
    very sharply in the direction I'm predicting, and that wouldn't be pretty.

    [Below I will use the term "Mechanism" to abstractly mean
    "technological enforcement system" - firewalls, AV, attachment stripping,
    IPS, APCIP, whatever. Loosely, you can think of it as "something that protects
    the user whether they want it to or not"]

    I guess there's a matrix we'd want to explore:
            #1 - No Security Mechanism, No Security Education
            #2 - No Security Mechanism, Security Education for users
            #3 - Security Mechanisms in place, No Security Education
            #4 - Security Mechanisms in place, Security Education for users

    I predict that of those 4, the security differences between #3 and #4 would be
    minor. I further predict that the difference between #1 and #2 would be minor.
    I would also predict that the largest difference would be between #4 and #1.
    Put more simply: my guess is that the measurable impact of education
    versus mechanism is minor. Add some cost factors in and you could
    make a WAG at an ROI for security education. Then you'd take your
    education programme out and shoot it.

    Those of you who are familiar with the computer security calendar I did
    for SourceFire back in '03
    (http://www.ranum.com/security/computer_security/calendar)
    probably don't know that the original concept for December was not
    "Leadership"; it was:

        User Education
        (Our users don't need Security Education; they need a good beating)
        Photograph of a hand with a riding crop, wearing a studded leather
        glove.

    Unfortunately, when I went into the studio to do the shoot, I had assembled
    all the props for the photography and the Southern States in Woodbine was
    closed on Sundays and I couldn't get the riding crop prop as I had planned.
    So Tal's wife was kind enough to stand in at the last minute for December.

    mjr.
    (* I was going to include "ignoring transitive trust" as dumb computer security
    idea #7 but the article was written for executive gimboids and the idea of
    succinctly and clearly explaining transitive trust was daunting)

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
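The "propagation of failure" argument in the message above, as an added toy simulation that is not part of the original thread: a directed trust graph in which educated users resist the worm's direct attack but fall to an attack arriving over a trust edge. The node names, the two graphs (an enclave where aware users trust only aware users, and the same graph with a single aware-to-unaware trust edge) and the infection rule are all constructed assumptions for illustration.

```python
from collections import deque

# Constructed population (not from the thread): five educated users and
# three who are not. A trust edge a -> b means "a trusts b", so once b
# falls, a is attacked across that trust relationship.
AWARE = {"a1", "a2", "a3", "a4", "a5"}
UNAWARE = {"u1", "u2", "u3"}
ALL = AWARE | UNAWARE


def compromised_set(trust, aware, hit_directly):
    """Nodes that eventually fall when a worm hits `hit_directly`.

    Unaware nodes fall to the direct attack; aware nodes resist it but
    fall as soon as any node they trust has fallen (transitive trust).
    """
    fallen = {n for n in hit_directly if n not in aware}
    # Reverse the edges so we can ask "who trusts x?" cheaply.
    trusted_by = {}
    for truster, trusted in trust.items():
        for t in trusted:
            trusted_by.setdefault(t, set()).add(truster)
    queue = deque(fallen)
    while queue:
        x = queue.popleft()
        for victim in trusted_by.get(x, ()):
            if victim not in fallen:
                fallen.add(victim)
                queue.append(victim)
    return fallen


def enclave_graph():
    """The AIDS-style case: aware nodes trust only other aware nodes."""
    return {"a1": {"a2"}, "a2": {"a3"}, "a3": {"a4"}, "a4": {"a1"},
            "u1": {"u2"}, "u2": {"u3"}, "u3": {"u1"}}


def transitive_trust_graph():
    """Same graph, except one aware node also trusts one unaware node."""
    g = enclave_graph()
    g["a1"] = {"a2", "u1"}
    return g


def survivors(trust):
    """Educated users still standing after a worm hits every node."""
    return AWARE - compromised_set(trust, AWARE, ALL)
```

In the enclave every educated user survives; adding the one trust edge from a1 to u1 takes down the whole aware ring, and the only survivor is a5, the node that trusts no one.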

