
| Subject: | RE: New article on SecurityFocus |
|---|---|
| Date: | Mon, 9 Jan 2006 12:38:55 -0800 (PST) |

User education is like a firewall that lets in 20% of all attack traffic. You could buy one if you want, but I wouldn't spend too much money on it or put very much faith in it. When it comes to, say, Blaster, Mydoom or Code Red getting onto your network, does it really make that much difference if 2000 people click the wrong thing or just 2? Either way, your network is in trouble.

Businesses have been educating users about the same issues [choosing good passwords and email attachment safety] for years if not decades. People are still clicking on email attachments despite being educated on that for years and years in a row. Most of these issues have technical countermeasures [email attachment blocking and password complexity rules], so why bother educating on those issues? With only limited funds for security, might those funds be better spent elsewhere?

Security is not always about reducing risk, it can be about accepting risk. It's about studying the cost of threats and comparing that to the cost of countermeasures. It is not always a given that it is in every organization's best interest to educate users.

I don't think it's correct to say few people in IT security are educating their users. From my perspective, too much money is spent on user education without thoughtfully evaluating the cost and the effectiveness of that training. I think not enough money is generally being spent on security education for administrators, programmers, management and security staff.

kind regards,
karl levinson

-----Original Message-----
From: Brady McClenon [mailto:BMcClenon@uamail.albany.edu]

This is the attitude that is rampant in the technology sector that leads to the ignorant technology user. Sure if you teach 10 people at best probably 8-9 will get it, but that's better than having not tried at all. Very few people are willing to try to educate their users. This is why is has been done by now.