Network Security Focus-Microsoft
RE: User Education (was: New article on SecurityFocus)

Subject: RE: User Education (was: New article on SecurityFocus)
Date: Tue, 10 Jan 2006 08:23:46 -0500
-----Original Message-----
From: Brady McClenon [mailto:BMcClenon@uamail.albany.edu] 
Sent: Monday, January 09, 2006 5:15 PM

> Let C-level execs decide it's not worth their time, don't decide for
> them.  If they choose not to educate themselves or their staff, ok, but
> the IT staff should not be telling them it's pointless.  If you don't
> have the time, ask for help; if they turn down the notion, ok, you
> tried.  Not trying at all is what is wrong.

Well I've got the CIO on board... =) I agree that IT shouldn't tell the
staff it's pointless, but I also believe IT security shouldn't depend on
user education (for reasons already stated), and executives have a hard
time spending time and money on something they aren't supposed to depend
on. I can say "User education can make things better" but I can't
quantify it and that's what they want.

> Security is everyone's job.  Education is not just teaching technical
> details and explaining new policies, it's convincing them they should
> believe what is being done is important.  Gaining that trust is the
> hardest part.  It's why I think it's important not to knee-jerk on any
> vulnerability that arises, like WMF.  When a security professional runs
> around screaming the sky is falling, and then it comes far, far short of
> the hype, you lose credibility among your users.

Security should be everyone's job but not everybody does it. And it's
just as hard to gain user trust when the network has been hosed as it is
when you cry wolf. As far as WMF is concerned, the threat is real. What
everybody's arguing about here is the fallout, which has been agreeably
mild.

I'd much rather scare everybody and have nothing happen. Then I can say,
"Good job guys! Because of all your hard work we didn't get hit with
WMF." It's a lot nicer than my bosses asking me why the network is down
or why they have IE toolbars they didn't install.

> Again with the "can't".  Yes they can, perhaps not as fast or as well as
> you, but they can with proper training.  They don't need to know
> everything, just the basics.  Will they retain it all?  No.  That's
> human nature.  What were the results of that study about college
> students who were given their final exam from the previous semester
> again when they came back for the next semester?  It's something like
> scores are 50% lower on average, or something astounding like that.
> Don't expect so much from people.

We have a higher percentage of technical users than what I imagine is
the norm, and while they can typically use their computers with minimal
to no support they can't seem to relate the importance of security to
their jobs. I hear "Who wants to hack us?" or "I'm just trying to do my
job" or "No hacker would ever think to try the password 'asdfasdf'"...
And that's the IT side.

I reinforce the basics quite often, and I think it's been worthwhile,
but we've still had the occasional virus or spyware problem. Again, it
only takes one user.

> And they should not be paranoid.  Paranoia is an irrational fear.  They
> should be taught to understand that your concerns are not irrational.
>
> Saying "Just delete it, that's spam" is not user education.  Showing
> them how you know it's spam or a phishing attempt is user education.

What I call common sense is translated as paranoia by users. It's why I
never have spyware on my workstation and certain user machines have to
be purged of it frequently.

I first told the user who presented me with the CIA spam that the CIA
would never contact us via email in that manner. It's just common sense
and I don't know how to teach that.

>> 4. Some users refuse to follow the rules. Just as there are plenty of
>> bad drivers who passed driver's ed, there are users who willfully
>> disregard policies or attempt to circumvent software designed to protect
>> them. Since it usually only takes one internal user to infect the
>> network, this point alone seriously dings any benefit to be had from
>> user education. You can't depend on it as a defined layer of security
>> because you don't know where the holes are.
>
> True, but imagine if their office mates bought in to your security
> measures.  It's amazing what a little peer pressure can do.

Peer pressure won't stop a malicious user.


> So what security measures did you have in place for the dreaded WMF
> exploit?  User education was probably the only thing short of pulling
> your internet connection that could have helped save you.  Imagine, if
> it was as bad as everyone thought.

For WMF I sent an email to everyone briefly explaining the vulnerability
(i.e., you can get infected by simply viewing a picture) and instructing
them to unregister the Picture and Fax Viewer DLL (a copy and paste of
the Microsoft instructions). Then I started blocking known sources of
WMF exploits as listed on F-Secure's blog at the firewall and our proxy.
Finally, I blocked all images at our email gateway. When our AV vendor
came out with an update I stood over the central management console
until all the machines were updated.

I didn't install the unofficial patch but I seriously considered it
until MS released their patch early (I learned about it Friday morning).
I went into Group Policy and changed the Automatic Update detection
frequency to 4 hours instead of 12 and instructed our users to leave
their computers on over the weekend. I stayed up late Saturday night
(we're a 24/7 ASP) updating all of our servers.

User education may have very well saved us from getting hit in the first
few days, but there's no way to qualify that, and that's why I can't
depend on it.


>> Expecting user sophistication to grow with malware sophistication as an
>> answer to poorly designed software and systems just doesn't make sense.
>> You can ingrain a few basics into peoples' heads (don't open attachments
>> from people you don't know, don't follow links in emails from people you
>> don't know, don't surf to questionable sites) but after that is where
>> security professionals are supposed to take over.
>
> True, but you'd be surprised how many people won't go that far with their
> users.  Also, I never stated or ever implied that user education is a
> replacement for AV software, firewalls or any other security measure.
> To ever say, or imply such would be irresponsible.  It is only another
> layer used in limiting risk.

I didn't mean to imply that, it seemed to me the end result of the logic
in Susan's post. I think user education was being used as an excuse for
a poorly designed file type, i.e., if users had been educated then it
wouldn't matter that WMF can execute code. I was making the point that
user education can't replace other security measures, and so if I have
to allocate my time and money it'll go to things I have technical
control over first. I see user education as a final layer, to be
"implemented" sparsely while other layers are being put in place.


Derick Anderson
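The two Windows-side steps Derick describes above (unregistering the Picture and Fax Viewer DLL per Microsoft's pre-patch workaround, then shortening the Automatic Updates detection interval once the out-of-band patch shipped), written up as a cmd script. This is an added example, not code from the thread or from Microsoft. Assumptions: Windows XP/2003 hosts; the viewer DLL lives at %windir%\system32\shimgvw.dll; the values DetectionFrequencyEnabled and DetectionFrequency under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU are what the "Automatic Updates detection frequency" Group Policy setting writes; and the script is run as a local administrator (how it is pushed to clients, logon script or psexec, is left to the reader).

```batch
@echo off
REM Added example, not from the original thread. Applies or reverts the WMF
REM workaround steps described in the message above.
REM Assumption: Windows XP/2003, run elevated, %windir% is the system root.

if "%1"=="" goto usage
if /i "%1"=="workaround" goto workaround
if /i "%1"=="restore" goto restore
goto usage

:workaround
REM Step 1: Microsoft's workaround before the patch existed - unregister the
REM Windows Picture and Fax Viewer so Explorer and IE stop handing WMF files
REM to it. /s keeps regsvr32 silent so this can run unattended.
regsvr32 /s /u "%windir%\system32\shimgvw.dll"
if errorlevel 1 echo WARNING: failed to unregister shimgvw.dll

REM Step 2: shorten the Automatic Updates detection interval (value in hours)
REM so clients notice the patch within hours instead of waiting for the
REM normal cycle. Assumption: these are the registry values the GPO setting
REM "Automatic Updates detection frequency" writes.
set AUKEY=HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
reg add "%AUKEY%" /v DetectionFrequencyEnabled /t REG_DWORD /d 1 /f >nul
reg add "%AUKEY%" /v DetectionFrequency /t REG_DWORD /d 4 /f >nul

REM Step 3: kick off a detection now rather than waiting for the timer.
wuauclt /detectnow
echo Workaround applied; re-run with "restore" once the patch is installed.
goto :eof

:restore
REM Once the vendor patch is installed, put the viewer back. Leaving the DLL
REM unregistered breaks image previews and the Picture and Fax Viewer.
regsvr32 /s "%windir%\system32\shimgvw.dll"
if errorlevel 1 echo WARNING: failed to re-register shimgvw.dll

REM Drop the policy override so detection frequency returns to the default.
set AUKEY=HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
reg delete "%AUKEY%" /v DetectionFrequencyEnabled /f >nul 2>&1
reg delete "%AUKEY%" /v DetectionFrequency /f >nul 2>&1
echo Viewer re-registered and update policy restored.
goto :eof

:usage
echo usage: %~nx0 workaround ^| restore
```

Two caveats a practitioner would want: on domain-joined machines the registry writes above are overwritten at the next Group Policy refresh, so the interval has to be changed in the GPO itself, as Derick did, and the reg commands only make sense on standalone boxes; and the `restore` step matters, because users will otherwise report "broken" image previews long after the patch is on every machine.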
