Re: [SC-L] Protecting users from their own actions

2004-07-07 Thread Kenneth R. van Wyk
Wall, Kevin wrote:
 Isn't this something that users probably shouldn't be given a choice
 on? Normally I would think that corporate security policy dictates
 keeping the AV software / signatures up-to-date as well as dictating
 the (personal) firewall configurations. Some centrally administered
 software should do these things...
I agree that central administration works best in today's corporate 
environments, but I was referring also to the more general desktop 
environments as well, right down to the home and SOHO users that 
have to install and/or update their own.

Aside from that issue, though, the primary point that I wanted to get 
across is that there are substantial limitations to what we can 
accomplish through user education.  I believe that our 
software -- from enterprise app servers through desktop emailers 
and browsers -- needs to do better at protecting users, even 
when they make decisions that we would think to be unwise.

Cheers,
Ken van Wyk


RE: [SC-L] Protecting users from their own actions

2004-07-06 Thread Wall, Kevin
In Ken van Wyk's cited article at
http://www.esecurityplanet.com/views/article.php/3377201
he writes...

 As I said above, user awareness training is a fine practice
 that shouldn't be abandoned. Users are our first defense
 against security problems, and they should certainly be
 educated on how to spot security problems and who to report
 them to. By all means, teach your users to be wary of incoming
 email attachments. Teach them to keep their anti-virus software
 up to date, and their firewall software locked down tight.
 
 Do not, however, be shocked when they make the ''wrong'' choice. 

I would contend that in any sufficiently large user population the
probability that someone will open up a suspect attachment approaches
one. In fact, I think that in a sufficiently large population, this
probability approaches 1 even if:

1) the e-mail were from a complete stranger;
2) the name of attached file was
   i_am_a_worm_that_will_destroy_your_harddrive.exe.

(#2 assuming that your mail filter didn't catch something so
obvious -- and if it didn't, time to revise your filtering
rules! ;-)

So, I completely agree that we ought to EXPECT that users will do
foolish things (with malice or out of ignorance--I'm not trying to
make a moral judgement here) and thus we need to be prepared to
practice security in depth.

However, (repeating here, from above) Ken also wrote...

 ... Teach them [users] to keep their anti-virus software
 up to date, and their firewall software locked down tight.

I'm not sure why this is something that should be left up to users.
Isn't this something that users probably shouldn't be given a choice
on? Normally I would think that corporate security policy dictates
keeping the AV software / signatures up-to-date as well as dictating
the (personal) firewall configurations. Some centrally administered
software should do these things. I don't think that (except under very
rare circumstances), users should even be given a _choice_ about
such things. While that may seem Draconian to some, that's what works
best in practice.

Cheers,
-kevin
---
Kevin W. Wall   Qwest Information Technology, Inc.
[EMAIL PROTECTED]   Phone: 614.215.4788
The difference between common-sense and paranoia is that common-sense
 is thinking everyone is out to get you. That's normal -- they are.
 Paranoia is thinking that they're conspiring. -- J. Kegler
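Kevin's aside about revising the mail filter when an attachment named "...harddrive.exe" gets through points at the one mechanical control in this thread: screening attachments before a user ever gets the choice. The following is an added example, not code from the SC-L thread or from either author; it uses only the Python standard library's email package and a hypothetical extension list, and it checks content (the PE "MZ" header) as well as the file name, so a renamed executable is still flagged rather than relying on the user to notice.

```python
"""Defensive attachment screening (added example, not from the SC-L thread).

Flags an attachment when any extension in its name is executable (so
invoice.pdf.exe is caught) or when its bytes begin with the PE 'MZ' header
(so report.pdf that is really an .exe is caught too).
"""
import email
from email import policy
from email.message import EmailMessage

# Hypothetical block list for this example; a real gateway keeps its own.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}


def suspicious_name(filename):
    """True if any extension component of the name is executable."""
    if not filename:
        return False
    parts = filename.lower().split(".")
    # Look at every extension, not just the last one, to catch double extensions.
    return any(p in EXECUTABLE_EXTENSIONS for p in parts[1:])


def looks_like_pe(payload):
    """True if the bytes start with the DOS/PE 'MZ' signature."""
    return payload[:2] == b"MZ"


def screen_message(raw_bytes):
    """Return [(filename, [reasons])] for every attachment worth blocking."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        reasons = []
        if suspicious_name(name):
            reasons.append("executable extension")
        if looks_like_pe(data):
            reasons.append("PE header")
        if reasons:
            findings.append((name, reasons))
    return findings


def build_sample():
    """Constructed test message: two fake executables (one renamed) and a text file."""
    msg = EmailMessage()
    msg["From"] = "stranger@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Please see attached"
    msg.set_content("Open the attachment.")
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60  # constructed header bytes, not a real program
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="i_am_a_worm_that_will_destroy_your_harddrive.exe")
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="quarterly_report.pdf")  # executable renamed to look benign
    msg.add_attachment("meeting notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in screen_message(build_sample()):
        print(f"block {name}: {', '.join(reasons)}")
```

The name check alone would pass the renamed "quarterly_report.pdf"; the content check is what makes the filter hold up when the sender, rather than the user, is the one choosing the file name.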