RE: User Education (was: New article on SecurityFocus)
> -----Original Message-----
> From: Brady McClenon [mailto:BMcClenon@xxxxxxxxxxxxxxxxx]
> Sent: Monday, January 09, 2006 5:15 PM
>
> Let C-level execs decide it's not worth their time; don't decide for
> them. If they choose not to educate themselves or their staff, ok, but
> the IT staff should not be telling them it's pointless. If you don't
> have the time, ask for help; if they turn down the notion, ok, you
> tried. Not trying at all is what is wrong.

Well, I've got the CIO on board... =) I agree that IT shouldn't tell the
staff it's pointless, but I also believe IT security shouldn't depend on
user education (for reasons already stated), and executives have a hard
time spending time and money on something they aren't supposed to depend
on. I can say "User education can make things better," but I can't
quantify it, and that's what they want.

> Security is everyone's job. Education is not just teaching technical
> details and explaining new policies, it's convincing them they should
> believe what is being done is important. Gaining that trust is the
> hardest part. It's why I think it's important not to knee-jerk on any
> vulnerability that arises, like WMF. When a security professional runs
> around screaming the sky is falling, and then it comes far, far short of
> the hype, you lose credibility among your users.

Security should be everyone's job but not everybody does it. And it's
just as hard to gain user trust when the network has been hosed as it is
when you cry wolf. As far as WMF is concerned, the threat is real. What
everybody's arguing about here is the fallout, which has been agreeably
mild.

I'd much rather scare everybody and have nothing happen. Then I can say,
"Good job guys! Because of all your hard work we didn't get hit with
WMF." It's a lot nicer than my bosses asking me why the network is down
or why they have IE toolbars they didn't install.

> Again with the "can't". Yes they can, perhaps not as fast or as well as
> you, but they can with proper training. They don't need to know
> everything, just the basics. Will they retain it all? No. That's human
> nature. What were the results of that study about college students who
> were given their final exam from the previous semester again when they
> came back for the next semester? It's something like scores are 50%
> lower on average, or something astounding like that. Don't expect so
> much from people.

We have a higher percentage of technical users than what I imagine is
the norm, and while they can typically use their computers with minimal
to no support they can't seem to relate the importance of security to
their jobs. I hear "Who wants to hack us?" or "I'm just trying to do my
job" or "No hacker would ever think to try the password 'asdfasdf'"...
And that's the IT side.

I reinforce the basics quite often, and I think it's been worthwhile,
but we've still had the occasional virus or spyware problem. Again, it
only takes one user.

> And they should not be paranoid. Paranoia is an irrational fear. They
> should be taught to understand that your concerns are not irrational.
>
> Saying "Just delete it, that's spam" is not user education. Showing
> them how you know it's spam or a phishing attempt is user education.

What I call common sense is translated as paranoia by users. It's why I
never have spyware on my workstation and certain user machines have to
be purged of it frequently.

I first told the user who presented me with the CIA spam that the CIA
would never contact us via email in that manner. It's just common sense,
and I don't know how to teach that.

> > 4. Some users refuse to follow the rules. Just as there are plenty of
> > bad drivers who passed driver's ed, there are users who willfully
> > disregard policies or attempt to circumvent software designed to
> > protect them. Since it usually only takes one internal user to infect
> > the network, this point alone seriously dings any benefit to be had
> > from user education. You can't depend on it as a defined layer of
> > security because you don't know where the holes are.
>
> True, but imagine if their office mates bought in to your security
> measures. It's amazing what a little peer pressure can do.

Peer pressure won't stop a malicious user.
> So what security measures did you have in place for the dreaded WMF
> exploit? User education was probably the only thing short of pulling
> your internet connection that could have helped save you. Imagine, if
> it was as bad as everyone thought.

For WMF I sent an email to everyone briefly explaining the vulnerability
(i.e., you can get infected by simply viewing a picture) and instructing
them to unregister the Picture and Fax Viewer DLL (a copy and paste of
the Microsoft instructions). Then I started blocking known sources of
WMF exploits as listed on F-Secure's blog at the firewall and our proxy.
Finally, I blocked all images at our email gateway. When our AV vendor
came out with an update I stood over the central management console
until all the machines were updated.

I didn't install the unofficial patch but I seriously considered it
until MS released their patch early (I learned about it Friday morning).
I went into Group Policy and changed the Automatic Update detection
frequency to 4 hours instead of 12 and instructed our users to leave
their computers on over the weekend. I stayed up late Saturday night
(we're a 24/7 ASP) updating all of our servers.

User education may have very well saved us from getting hit in the first
few days, but there's no way to qualify that, and that's why I can't
depend on it.
> > Expecting user sophistication to grow with malware sophistication as
> > an answer to poorly designed software and systems just doesn't make
> > sense. You can ingrain a few basics into people's heads (don't open
> > attachments from people you don't know, don't follow links in emails
> > from people you don't know, don't surf to questionable sites) but
> > after that is where security professionals are supposed to take over.
>
> True, but you'd be surprised how many people won't go that far with
> their users. Also, I never stated or ever implied that user education
> is a replacement for AV software, firewalls or any other security
> measure. To ever say, or imply such would be irresponsible. It is only
> another layer used in limiting risk.

I didn't mean to imply that; it seemed to me the end result of the logic
in Susan's post. I think user education was being used as an excuse for
a poorly designed file type, i.e., if users had been educated then it
wouldn't matter that WMF can execute code. I was making the point that
user education can't replace other security measures, and so if I have
to allocate my time and money it'll go to things I have technical
control over first. I see user education as a final layer, to be
"implemented" sparsely while other layers are being put in place.
Derick Anderson
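Added example, not part of this thread: a Python sketch of the kind of check behind "blocked all images at our email gateway" above. Blocking on filename or declared content type alone misses a renamed metafile, so it also looks at the first bytes of every attachment for the WMF header. The magic values are the public WMF header constants; the sample message is constructed here and the function names are this example's own.

```python
"""Gateway-side check: hold image parts and anything that is a WMF by content."""
import email
from email import policy
from email.message import EmailMessage

# Placeable WMF header key 0x9AC6CDD7, stored little-endian on disk.
PLACEABLE_WMF_MAGIC = b"\xd7\xcd\xc6\x9a"
# Standard WMF header: FileType 0x0001 (disk metafile), HeaderSize 0x0009 words.
STANDARD_WMF_MAGIC = b"\x01\x00\x09\x00"


def is_wmf(data: bytes) -> bool:
    """True if the bytes start like a Windows Metafile, whatever the file is called."""
    return data.startswith(PLACEABLE_WMF_MAGIC) or data.startswith(STANDARD_WMF_MAGIC)


def flag_parts(raw_message: bytes) -> list:
    """Return (filename, content_type, reason) for every part a gateway should hold."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if is_wmf(payload):
            # Content check first: a .doc or .jpg carrying a metafile is still a metafile.
            flagged.append((name, ctype, "wmf-by-content"))
        elif ctype.startswith("image/") or name.lower().endswith((".wmf", ".emf")):
            # The blanket "all images" rule from the post.
            flagged.append((name, ctype, "image-by-type"))
    return flagged


def build_sample_message() -> bytes:
    """Constructed sample: text body, a real-looking JPEG, and a WMF renamed to .doc."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(b"\xff\xd8\xff\xe0" + b"\x00" * 16,
                       maintype="image", subtype="jpeg", filename="photo.jpg")
    msg.add_attachment(PLACEABLE_WMF_MAGIC + b"\x00" * 28,
                       maintype="application", subtype="octet-stream", filename="report.doc")
    return msg.as_bytes()


if __name__ == "__main__":
    for entry in flag_parts(build_sample_message()):
        print(entry)
```

The text/plain body is left alone; only the two attachments are held, the second one purely because of its header bytes.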
