RE: [fw-wiz] The home user problem returns

From: Hawkins, Michael (MHawkins_at_TULLIB.COM)
Date: 09/14/05

  • Next message: Tina Bird: "RE: [fw-wiz] The home user problem returns"
    To: "hermit921" <hermit921@yahoo.com>, <firewall-wizards@honor.icsalabs.com>
    Date: Tue, 13 Sep 2005 20:06:00 -0400
    
    

    Look what was said some time ago:

    "The superior man, when resting in safety, does not forget that danger
    may come. When in a state of security he does not forget the possibility
    of ruin. When all is orderly, he does not forget that disorder may come.
    Thus his person is not endangered, and his States and all their clans
    are preserved." -- Confucius

    Ask yourself this question: Why did Confucius feel the need to say the
    above? Was it because all people are constantly aware of existing and
    new threats as they exist in and around their environment? Or was it
    because Confucius knew that people were habitually forgetful entities
    that quickly fall into the most hideous comatose states before a
    repeated unwanted event wrenches them back to reality where they linger
    only momentarily in their sorrow before falling back into the same
    comatose life, happily cruising along into their next repeated
    misadventure?

    Mike Hawkins

    Office: 212-208-3888

    Mobile: 917-887-3614

    -----Original Message-----
    From: firewall-wizards-admin@honor.icsalabs.com
    [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of
    hermit921
    Sent: Tuesday, September 13, 2005 6:46 PM
    To: firewall-wizards@honor.icsalabs.com
    Subject: RE: [fw-wiz] The home user problem returns

    I will weigh in with my experience. About 2000 users in my company, and
    nearly 20% of them managed to get infected during one week a year or two
    ago. That mess generated enough pressure that many of the desktops now
    have patches forced onto them, but almost none of the users learned
    anything. I take that back, several of them learned I am a NUT, because I
    said Internet Explorer isn't safe to use.

    On the good side, I have a friend who is almost totally computer
    illiterate, but has never had a virus or spyware or any other malware.
    Rule #1: never double click any attachment. If you have to open it, choose
    a program that should open that type of file and do a File -> Open.
    Blindly following these rules has kept her safe for over 10 years. So I
    know people can learn, at least by rote, regardless of understanding.
    Rule #2: never use Microsoft software. This probably helps an immense
    amount, too.

    hermit921

    At 10:09 AM 9/13/2005, Scott Pinzon wrote:
    >I've been watching with a certain morbid fascination as Marcus has
    >ranted in his own blog and in FW-WIZ (and who knows where else) that
    >educating users about security is one of the "dumbest ideas" and "if it
    >was ever going to work, it would have by now." I have tremendous respect
    >for you, Marcus (especially since you have, I dunno, six times the years
    >in computer security that I do). But I can't help feeling, in my
    >pipsqueak opinion, that on this one you're way off base.
    >
    > My reasoning, in short:
    >
    >-- Ignorance is never better than knowledge in any realm. But particular
    >to network security, my experience is that most clueless users are also
    >people of good will who will cease dangerous behaviors once they
    >understand those behaviors ARE dangerous.
    >
    >-- Educating users is another layer in "Defense in depth." If 10 out of
    >100 users click evil email attachments, and through education you reduce
    >that to 3 out of 100, you've improved that layer.
    >
    >-- Educating users has been proven to work at company after company.
    >Help desk calls, viral infections, falling victim to phishing emails,
    >and more, have been quantitatively and demonstrably reduced at companies
    >that institute end-user security training.
    >
    >-- And how do you know "it" (educating end users) is not working? We
    >have no before/after comparison on what the Internet would be like if
    >all of us who preach security had stopped five years ago.
    >
    >Maybe I'm misunderstanding you, but my take-away from your blog article
    >is that you are so discouraged by end-user ignorance, you think we
    >should all stop wasting our breath on them. Your recommendation is that
    >we set up an environment through quarantining and what-not where users
    >have no opportunity to hurt themselves. In rebuttal, I cite the crusty
    >old maxim, "Genius has its limits, but stupidity is infinite." We CAN'T
    >(through technology) create an environment where clueless users can't
    >hurt themselves. To keep a network secure, we need users on our side. We
    >can get them there if we try.
    >
    >Am I really the only one on this list who thinks so? Or Marcus, did I
    >misinterpret you?
    >
    >
    >SCOTT PINZON, CISSP
    >Editor-in-Chief, LiveSecurity Service
    >WatchGuard Technologies, Inc.
    >505 5th Ave. South | Suite 500 | Seattle | WA | 98104
    >206.613.6648

    [deleted]

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards