Re: [SC-L] Protecting users from their own actions

2004-07-07 Thread Kenneth R. van Wyk
Wall, Kevin wrote:
> Isn't this something that users probably shouldn't be given a choice
> on? Normally I would think that corporate security policy dictates
> keeping the AV software / signatures up-to-date as well as dictating
> the (personal) firewall configurations. Some centrally administered
> software should do these things...
I agree that central administration works best in today's corporate 
environments, but I was referring also to the more general desktop 
environments as well, right down to the home and SOHO users that 
have to install and/or update their own.

Aside from that issue, though, the primary point that I wanted to get 
across is that there are substantial limitations to what we can 
accomplish through user education.  I believe that our 
software -- from enterprise app servers through desktop emailers 
and browsers -- needs to do better at protecting users, even 
when they make decisions that we would think to be unwise.

Cheers,
Ken van Wyk


RE: [SC-L] Protecting users from their own actions

2004-07-06 Thread Wall, Kevin
In Ken van Wyk's cited article at
http://www.esecurityplanet.com/views/article.php/3377201
he writes...

> As I said above, user awareness training is a fine practice
> that shouldn't be abandoned. Users are our first defense
> against security problems, and they should certainly be
> educated on how to spot security problems and who to report
> them to. By all means, teach your users to be wary of incoming
> email attachments. Teach them to keep their anti-virus software
> up to date, and their firewall software locked down tight.
> 
> Do not, however, be shocked when they make the ''wrong'' choice. 

I would contend that in any sufficiently large user population the
probability that someone will open up a suspect attachment approaches
one. In fact, I think that in a sufficiently large population, this
probability approaches 1 even if:

1) the e-mail were from a complete stranger;
2) the name of attached file was
   "i_am_a_worm_that_will_destroy_your_harddrive.exe".

(#2 assuming that your mail filter didn't catch something so
obvious -- and if it didn't, time to revise your filtering
rules! ;-)

So, I completely agree that we ought to EXPECT that users will do
foolish things (with malice or out of ignorance--I'm not trying to
make a moral judgement here) and thus we need to be prepared to
practice "security in depth".

However, (repeating here, from above) Ken also wrote...

> ... Teach them [users] to keep their anti-virus software
> up to date, and their firewall software locked down tight.

I'm not sure why this is something that should be left up to users.
Isn't this something that users probably shouldn't be given a choice
on? Normally I would think that corporate security policy dictates
keeping the AV software / signatures up-to-date as well as dictating
the (personal) firewall configurations. Some centrally administered
software should do these things. I don't think that (except under very
rare circumstances) users should even be given a _choice_ about
such things. While that may seem Draconian to some, that's what works
best in practice.

Cheers,
-kevin
---
Kevin W. Wall   Qwest Information Technology, Inc.
[EMAIL PROTECTED]   Phone: 614.215.4788
"The difference between common-sense and paranoia is that common-sense
 is thinking everyone is out to get you. That's normal -- they are.
 Paranoia is thinking that they're conspiring."-- J. Kegler

[SC-L] Protecting users from their own actions

2004-07-06 Thread Kenneth R. van Wyk
Hi All,

FYI...  This topic has come up here a few times, so I thought that I'd send a 
pointer to my July eSecurityPlanet column 
(http://www.esecurityplanet.com/views/article.php/3377201 - free, no registration 
required).  In the column, I take the seemingly unpopular view -- at least in 
this group -- that we can't count on things like user awareness training to 
prevent users from doing things like clicking on unsafe email attachments.  I
also make a plug for better software security across the industry.

Cheers,

Ken van Wyk
-- 
KRvW Associates, LLC
http://www.KRvW.com