RE: [fw-wiz] The home user problem returns

From: hermit921 (hermit921_at_yahoo.com)
Date: 09/14/05

  • Next message: Sanford Reed: "RE: [fw-wiz] The home user problem returns"
    To: <firewall-wizards@honor.icsalabs.com>
    Date: Tue, 13 Sep 2005 15:45:32 -0700
    
    

    I will weigh in with my experience. About 2000 users in my company, and
    nearly 20% of them managed to get infected during one week a year or two
    ago. That mess generated enough pressure that many of the desktops now
    have patches forced onto them, but almost none of the users learned
    anything. I take that back, several of them learned I am a NUT, because I
    said Internet Explorer isn't safe to use.

    On the good side, I have a friend who is almost totally computer
    illiterate, but has never had a virus or spyware or any other malware.
    Rule #1: never double click any attachment. If you have to open it, choose
    a program that should open that type of file and do a File -> Open.
    Blindly following these rules has kept her safe for over 10 years. So I
    know people can learn, at least by rote, regardless of understanding.
    Rule #2: never use Microsoft software. This probably helps an immense
    amount, too.

    hermit921

    At 10:09 AM 9/13/2005, Scott Pinzon wrote:
    >I've been watching with a certain morbid fascination as Marcus has
    >ranted in his own blog and in FW-WIZ (and who knows where else) that
    >educating users about security is one of the "dumbest ideas" and "if it
    >was ever going to work, it would have by now." I have tremendous respect
    >for you, Marcus (especially since you have, I dunno, six times the years
    >in computer security that I do). But I can't help feeling, in my
    >pipsqueak opinion, that on this one you're way off base.
    >
    > My reasoning, in short:
    >
    >-- Ignorance is never better than knowledge in any realm. But particular
    >to network security, my experience is that most clueless users are also
    >people of good will who will cease dangerous behaviors once they
    >understand those behaviors ARE dangerous.
    >
    >-- Educating users is another layer in "Defense in depth." If 10 out of
    >100 users click evil email attachments, and through education you reduce
    >that to 3 out of 100, you've improved that layer.
    >
    >-- Educating users has been proven to work at company after company.
    >Help desk calls, viral infections, falling victim to phishing emails,
    >and more, have been quantitatively and demonstrably reduced at companies
    >that institute end-user security training.
    >
    >-- And how do you know "it" (educating end users) is not working? We
    >have no before/after comparison on what the Internet would be like if
    >all of us who preach security had stopped five years ago.
    >
    >Maybe I'm misunderstanding you, but my take-away from your blog article
    >is that you are so discouraged by end-user ignorance, you think we
    >should all stop wasting our breath on them. Your recommendation is that
    >we set up an environment through quarantining and what-not where users
    >have no opportunity to hurt themselves. In rebuttal, I cite the crusty
    >old maxim, "Genius has its limits, but stupidity is infinite." We CAN'T
    >(through technology) create an environment where clueless users can't
    >hurt themselves. To keep a network secure, we need users on our side. We
    >can get them there if we try.
    >
    >Am I really the only one on this list who thinks so? Or Marcus, did I
    >misinterpret you?
    >
    >
    >SCOTT PINZON, CISSP
    >Editor-in-Chief, LiveSecurity Service
    >WatchGuard Technologies, Inc.
    >505 5th Ave. South | Suite 500 | Seattle | WA | 98104
    >206.613.6648

    [deleted]

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

