RE: New article on SecurityFocus

The primary issue with training is not whether it's done or not, rather,
the issue is the same as with any other significant I.T. implementation
- lack of senior management support.

The question I ask myself is: Why is this training so ineffectual? It
is simply because most users don't care. It's not their core
competency, like it is ours. They are not measured against it or held
accountable (generally speaking) for not knowing it.

What would be the ramifications if a user brings in a worm vs an I.T.
employee doing the same? Their manager calls you to fix it and tells
them not to worry about it too much, and try not to do it again. If you
(IT employee) are lucky all you get is 8 hours of clean up work and the
infinite scorn of your peers. More than likely, however, you get a
black-eye for your review or perhaps worse--i.e. accountability.

Only when senior management embraces IT security training, as part of
the OJT knowledge that you are held accountable for, will it become
effective. Policies do not work, unless you are using them to
fire someone and you can point backwards to something they were supposed
to read, but didn't. Until you reach that point of all encompassing
acceptance, spend enough money to comply with [insert applicable,
overbearing Code of Federal Regulations citation here], spend your time
on making your systems user-proof and do your best to evangelize
whenever you have the opportunity.

>>> "Derick Anderson" <danderson@xxxxxxxxx> 1/9/2006 4:26:18 PM >>>

> -----Original Message-----
> From: Richard Zaluski [mailto:rzaluski@xxxxxxxxxxxx]
> Sent: Monday, January 09, 2006 1:46 PM
> To: 'Brady McClenon'; Derick Anderson;
> pen-test@xxxxxxxxxxxxxxxxx; focus-ms@xxxxxxxxxxxxxxxxx
> Subject: RE: New article on SecurityFocus
> I agree with Brady, it's frustrating to hear the same thing over and
> over as an excuse. Even a little education goes a long way. Yes sure
> you will always have the few people who just don't get it but does
> that mean you abandon the whole concept? No, not in our books.

Let me make it clear that I'm not "abandoning" user education and I'm
not denying the benefits of it. However in the context of security (a
separate issue from job training) I don't believe the benefits are
worth the cost.

I used to believe that if users were trained properly then they wouldn't
need anti-spam/virus/spyware/etc. because they'd know better than to do
stupid things like click on links to pictures of naked tennis players. I
used to put forth a lot of effort trying to educate users, thinking if
they knew the truth that their habits would surely improve. But as I
said in my other post, a lot of users don't care or can't understand,
and it just doesn't make economic sense (to me) to spend time and money
when the practical and technical outcome (from a security perspective)
is essentially the same.

> We (iVOLUTION) are a training and services company and have done
> corporate training in Security Awareness. Even some of the basic
> principles we teach have an immediate impact on calls to the help desk.

Every once in awhile I spam our users with a "how not to get owned by
the internet" spiel, which reminds them of the basics of emails and
attachments. I've got nothing against the basics here, but expecting
education to compensate for good security practices and securely
designed systems is going too far.

If a company has excess funds and time for this sort of thing after
hardening their workstations, servers and network, implementing
additional layers of security, and auditing network usage policies,
great. Otherwise, spend the money and time securing things that don't
have minds of their own. =)

> I think for the case of the 'Best Buy's' out there providing training
> along with a PC, it's a nice thought, but it's a cost to them unless
> they can market it and make money on it its not going to happen. The
> margins on PC sales are thin so any additional costs added on is a
> hard sell to management. Companies such as that are into moving
> inventory.

Agree. The last time I bought a car, the dealer didn't make me re-take
my driver's test.

> Thanks
> Richard Zaluski
> CISO, Security and Infrastructure Services iVOLUTION
> Technologies Incorporated
> 905.309.1911
> 866.601.4678
> rzaluski@xxxxxxxxxxxx

Derick Anderson
