RE: [fw-wiz] The home user problem returns
From: R. DuFresne (dufresne_at_sysinfo.com)
To: Scott Pinzon <Scott.Pinzon@watchguard.com>
Date: Tue, 13 Sep 2005 20:19:33 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE-----
On Tue, 13 Sep 2005, Scott Pinzon wrote:
> I've been watching with a certain morbid fascination as Marcus has
> ranted in his own blog and in FW-WIZ (and who knows where else) that
> educating users about security is one of the "dumbest ideas" and "if it
> was ever going to work, it would have by now." I have tremendous respect
> for you, Marcus (especially since you have, I dunno, six times the years
> in computer security that I do). But I can't help feeling, in my
> pipsqueak opinion, that on this one you're way off base.
> My reasoning, in short:
> -- Ignorance is never better than knowledge in any realm. But particular
> to network security, my experience is that most clueless users are also
> people of good will who will cease dangerous behaviors once they
> understand those behaviors ARE dangerous.
> -- Educating users is another layer in "Defense in depth." If 10 out of
> 100 users click evil email attachments, and through education you reduce
> that to 3 out of 100, you've improved that layer.
> -- Educating users has been proven to work at company after company.
> Help desk calls, viral infections, falling victim to phishing emails,
> and more, have been quantitatively and demonstrably reduced at companies
> that institute end-user security training.
> -- And how do you know "it" (educating end users) is not working? We
> have no before/after comparison on what the Internet would be like if
> all of us who preach security had stopped five years ago.
> Maybe I'm misunderstanding you, but my take-away from your blog article
> is that you are so discouraged by end-user ignorance, you think we
> should all stop wasting our breath on them. Your recommendation is that
> we set up an environment through quarantining and what-not where users
> have no opportunity to hurt themselves. In rebuttal, I cite the crusty
> old maxim, "Genius has its limits, but stupidity is infinite." We CAN'T
> (through technology) create an environment where clueless users can't
> hurt themselves. To keep a network secure, we need users on our side. We
> can get them there if we try.
> Am I really the only one on this list who thinks so? Or Marcus, did I
> misinterpret you?
If end-user education was the answer and worked in any sense effectively,
then a number of companies that make their entire income from this, in the
corporate market, would be working themselves out of existence. We'd also
have witnessed a dramatic decrease in the home user issue due to the
fact that most home users also are in their employment dealing with
computers and end-user training in the workplace. Some of those "well
learned and honed habits" should have migrated home with them.
Seriously, I've worked in security settings such as MSSPs whence
ten minutes after the user training about how to handle e-mail and
attachments properly and safely, a tech on the front lines in the cubicle next to
me, as well as a mgr in the office on mgt row down the hall, both
unleashed the current variant of viri upon the whole network.
Again, part of the problem is greed, and the other part of the problem is
that people tend to have this erroneous attitude that what happens on the
network/internet/home net/their desktop at work/desktop at home is not
life impacting, as networking and computing are becoming integral to our
daily life functions and interactions as a whole. Both tend to help
foster what Marcus talks of, the tendency to think "h4cking 1s c00l" and an
end to a means to get a good paying job in the industry.
admin & senior security consultant: sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover
instead of creating the perfect love.
-Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
-----END PGP SIGNATURE-----
firewall-wizards mailing list