In Ken van Wyk's cited article at http://www.esecurityplanet.com/views/article.php/3377201 he writes...
> As I said above, user awareness training is a fine practice
> that shouldn't be abandoned. Users are our first defense
> against security problems, and they should certainly be
> educated on how to spot security problems and who to report
> them to. By all means, teach your users to be wary of incoming
> email attachments. Teach them to keep their anti-virus software
> up to date, and their firewall software locked down tight.
>
> Do not, however, be shocked when they make the ''wrong'' choice.

I would contend that in any sufficiently large user population the probability that someone will open up a suspect attachment approaches one. In fact, I think that in a sufficiently large population, this probability approaches 1 even if:

1) the e-mail were from a complete stranger;
2) the name of the attached file was "i_am_a_worm_that_will_destroy_your_harddrive.exe".

(#2 assuming that your mail filter didn't catch something so obvious -- and if it didn't, time to revise your filtering rules! ;-)

So, I completely agree that we ought to EXPECT that users will do foolish things (with malice or out of ignorance--I'm not trying to make a moral judgement here) and thus we need to be prepared to practice "security in depth".

However, (repeating here, from above) Ken also wrote...

> ... Teach them [users] to keep their anti-virus software
> up to date, and their firewall software locked down tight.

I'm not sure why this is something that should be left up to users. Isn't this something that users probably shouldn't be given a choice on? Normally I would think that corporate security policy dictates keeping the AV software / signatures up-to-date as well as dictating the (personal) firewall configurations. Some centrally administered software should do these things. I don't think that (except under very rare circumstances) users should even be given a _choice_ about such things. While that may seem Draconian to some, that's what works best in practice.

Cheers,
-kevin
---
Kevin W. Wall
Qwest Information Technology, Inc.
[EMAIL PROTECTED]
Phone: 614.215.4788
"The difference between common-sense and paranoia is that common-sense is thinking everyone is out to get you. That's normal -- they are. Paranoia is thinking that they're conspiring." -- J. Kegler