November 21, 2002

Why are we unable to teach?

Clearly today isn't such a bad day: I feel constructive, perhaps the coffee from the freshly opened pack is having an influence on my neurons.

Believe it or not, people actually pay to listen to me teach Intrusion Detection, although they pay for the course quality, not necessarily the lecturer. This might lead you to the wrong conclusion that security people actually teach security. They do, but you need to qualify the remark: they teach security to other security people.

The problem is how to educate the masses. It doesn't help that much to have an amazingly good security analyst on-site if the rest of the staff view attachments as something you should always open. The poor analyst might shout, scream, write memos but the bottom line is that you need to get to the end-users.

Has anybody managed? Well, Microsoft has been educating the masses in precisely the opposite direction, the mantra being: let us make everything so easy and obvious that nobody will have problems using Outlook or Windows (I'd be honoured to present my mother as an example of how hopeless their usability studies are). This has meant that people, already scared by computers in the first place, now try to get their work done as quickly as possible without applying any of the common sense of their day-to-day lives. So off they go clicking on attachments, handing out passwords over the phone (would they ever hand out their ATM card PIN? Of course not but a computer password is a different matter, is it not?).

In the mix you can throw the false sense of security of anti-virus products which, when badly maintained (i.e. the majority of cases), are about as useful as leaving your front door open assuming that the alarm in the off position will work. The cherry on top is a badly configured "personal firewall" which the vast majority of users wouldn't have a clue about in the first place, never mind configuring it properly. The final result is the warm and fuzzy feeling of "security" which is so far removed from the truth that you could almost call it fraud and, most important of all, a fundamentally scared user. Scared of the technology, not about the security implications of his misunderstandings.

So the real challenge is to improve the true single weak link of the security chain: the user.

Amazingly enough, I believe this can be done. First of all we, as in the security practitioners, need to descend from our ivory tower and understand that users are not generally stupid. Their abilities simply lie in a different field. Just because they do not appreciate the finer points of how to encode NOPs in shellcode doesn't mean that they cannot understand security. The question is one of "conditioning". In a major city do you leave your car unlocked, the keys in the dashboard and the door ajar? Probably not. Why? Because the environment around you has made you aware that this isn't the best of plans. Sometimes the explanation has come from people; at other times an event helped ("Oh. Where's the car?").

So we need to create this environment and we need to create it via peer pressure. Having tried coercion ("thou shalt not use Internet Explorer") I can attest that it doesn't work. The first time the replacement doesn't work they just click on the icon and off they go (with due credit to Microsoft for making IE inextricably linked into Windows). To raise security awareness you need to find examples which people can relate to.

One issue which does focus minds is prison terms. In the UK the Data Protection Act 1998 does mention that the people responsible for data held under the DPA could face a prison term. That works but only partially for two reasons: one is that nobody has ended up in jail yet, the second is that it is too much of a stick and not enough of a carrot.

I've also tried explaining in excruciating detail how a virus works and why attachments are bad. That was a bad plan. Just like you don't expect a neurosurgeon to explain the finer parts of an operation to you, users find hour long explanations rather tiring and wander off within ten minutes of starting. They also think you are lecturing them.

Pride does strike a chord with a few people. The line: "Think about our competitor, company X, which has been down for two days because of a virus. Because we don't run Exchange and you are vigilant with attachments we were totally unaffected". This works until the usual Microsoft zealot comes round and starts telling everybody that company X didn't install the software "properly" (shouldn't that be that they installed it in the first place?).

So far my success rate has been low, abysmally low, but I am not giving up, at least today.

Posted by arrigo at November 21, 2002 12:17 PM