[Geeks are Sexy] technology news

Thursday, October 12, 2006

Security Expert: User Education is Pointless!

Let's face it, educating your users about computer security is pointless, mainly because they just don't care about all that "boneheaded computer crap". The only thing that matters to them is their job; ask them to think about anything else and they won't listen. The only way to effectively secure your environment is to start treating users like children (subtly, without them realizing it) and deploy controls that enforce the restrictions technically, which immediately limits the chance of a nasty security exposure.

Users are often called the weakest link in computer security. They can't select secure passwords, and they write down passwords and give them out to strangers in exchange for treats. They use old or outdated security software, can't spell the word "phishing," and click on all links that arrive in e-mail or instant messages, and all that appear on the Web.

I'd be curious to hear about the opinions of our esteemed readership on this. So, what are your thoughts?

Read more (source: news.com)

  • I'd say there's a certain level of education you can give them. For instance, "if it's free and worth money, it really IS too good to be true--don't click it!" How to take out their own viruses? Nah, don't try to teach that. "Downloading porn and using LimeWire have a very good chance of giving you viruses, so unless your computer is worth less than a few CDs and a copy of Playboy, don't do that stuff" seems pretty self-explanatory too.

    By Blogger Mackenzie, at 1:49 AM  

  • Users Are Stupid. Everyone has a friend whose mom or dad uses the same four-digit code for every PIN and password they've got, because "it's easy to remember". In the '90s Gateway's programmable keyboards had to be stripped from offices everywhere because users regularly tripped over features they couldn't handle and created excessive service calls. You wouldn't expect the average driver to do well at the Daytona 500, and you can't expect the average user to understand (or even recognize) the pitfalls set by "evil" IT professionals wanting to compromise your system.

    By Blogger Wolfman, at 4:16 AM  

  • My thoughts:
    1) Security is an illusion. Any system that users can access, crackers can crack.
    2) Security rules are often idiotic. Case in point, password complexity rules. The more complex you require a password to be, the more likely the user is to write it down on a scrap of paper under his keyboard. That's not what anybody would call secure, is it?
    3) If you can't educate your users about security, then all is lost.
    4) Treating your users like children means they will be about as effective as children. Do you really want to sacrifice productivity for security in the workplace? The obvious answer (in my opinion) is "no", but already I see it happening.
    5) Some users may be (okay, *are*) idiots, but others are not. How do you differentiate? Do you insult the capable users (like, say, your programmers, or your IT staff) by treating them like idiots? (In my corporation, unfortunately, the answer is "yes", and productivity suffers greatly).

    By Blogger Wolfger, at 6:28 AM  

  • here's a few thoughts:

    1- Some users, even when repeatedly told not to give their password to anybody, do so at the first opportunity when an outside consultant or technician asks them for it (and that happens in ANY corporation).

    2- Same goes for browsing the web, reading emails, and clicking on links. You can't ask them to determine what is a good and valid link and what is a link to a phishing or malware-spreading website.

    3- Even when told by the company they work for not to install software themselves, they will often do so anyway (whether they bring it from home or download it from the net). The only way to prevent this is:

    - Remove their administrative privileges on their local machines (too many people still allow that, not always by choice but by need; some applications do not work without these privileges).
    - Use a web filtering application to disallow downloads of certain file extensions.

    I know that some users are bright enough to realize that there are some things they shouldn't do, but unfortunately that's not the case with every one of them. Since you cannot apply a weaker security policy to only a select few (why take the risk?), you have to apply a very strong one that will prevent them from doing anything before they actually have the chance to do so.

    By Blogger Kiltak, at 6:53 AM  

  • This is, for the most part, true.
    When it comes to network security, you are trusting your corporate membership to keep passwords up to date, to make sure they are not sharing their work with "Everyone" - "Full Control" for only two people on their team, or as some say, write their passwords under their keyboard. I have two executives who write their passwords in the front page of their notebooks!

    One thing we are all taught (or should be) when going to school to be IT professionals is, "Never trust the end-user". Inevitably, if you do, something will go wrong... or your network will become a mess...

    Ironically, the one place we do trust our end-users is when it comes to security... the only place I know where they're paranoid about security is Korea... they pretty much do it right, but sometimes too much security reduces the level of efficiency so much that I question the methods!

    what a conundrum!

    By Blogger AlRo, at 7:41 AM  

  • There's a guy in my dorm who took his Mac to be fixed. They told him he had the security of a government machine. He has passwords to get into it, more passwords to get online, more passwords to open applications....he's kind of nuts, but if I'm running a company with sensitive information, he's the kind of person I want touching the computers. Unfortunately, he's not common. I'll admit I have bad password policies. I really do need to up the security on a lot of my passwords, but until now the only things I had accessible by pw were things like email and myspace. I do use totally separate passwords for financial things, but even then, I know my passwords are weak. A bruteforce attack would work easily on my passwords, but at least I'm not quite dumb enough to use my stupid password on my bank account. I'm not gonna make it THAT easy.

    Maybe the IT guys in companies could make it so that if an employee has to have a password for logging in, for editing data sheets, and for email, have a program that checks that all 3 passwords are different--and not just pass1 pass2 pass3, but like /. is: "this is too similar, please pick something more differentiated".

    By Blogger Mackenzie, at 12:40 PM  

  • The problem with that, Mackenzie, as was mentioned above, is that people would start losing track of all of their passwords and end up writing them down anyway, pretty much poo-pooing the security you're trying to maintain.

    I see what you're saying tho'.
    Here we have a 3-month/8-password memory policy for passwords, and we require one capital, one wild card and one numeric in an 8-character password.

    Now multiply that by how many other applications we may throw at our users that have independent security, be it DocuShare, Bugzilla or similar bug trackers, CVS or ClearCase for code-storage repositories... and people at the 3-month mark, when they have to do it all over again, will just start writing them down in notebooks or on their desktop in an unlocked .txt file.

    For travelling people, we ensure that their BIOS is password protected, their PSTs are password protected and that they have a 5-minute locking screensaver...

    By Blogger AlRo, at 1:44 PM  
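Mackenzie's suggestion of a program that rejects a new password as "too similar" to the old ones, and AlRo's rule of one capital, one numeric and one wild card in an 8-character password with an eight-password memory, can be combined into a single change-time check. The Python below is an added example written for this page; it is not code from either commenter, from Slashdot, or from any product named in the thread. The similarity threshold, the "strip the trailing counter" stem rule, and every function name are assumptions chosen for illustration. The constructed sample passwords in the demo are not real credentials.

```python
"""Password-change policy check: complexity rules plus a similarity test
against the password being replaced and a reuse test against hashed history.
Added example; thresholds and helper names are assumptions, not the thread's."""

import hashlib
import re
from difflib import SequenceMatcher

MIN_LENGTH = 8          # policy from the comment: 8-character minimum
HISTORY_DEPTH = 8       # policy from the comment: remember the last 8 passwords
MAX_SIMILARITY = 0.7    # assumption: refuse if 70% or more of the characters are shared


def complexity_errors(pw: str) -> list[str]:
    """Return the rules the candidate fails; an empty list means it passes."""
    errors = []
    if len(pw) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", pw):
        errors.append("no upper-case letter")
    if not re.search(r"[0-9]", pw):
        errors.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):   # the "wild card" rule
        errors.append("no symbol")
    return errors


def _stem(pw: str) -> str:
    """Canonical form that defeats the 'pass1, pass2, pass3' trick: lower-case,
    then strip any leading and trailing run of non-letters (counters, symbols)."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())


def similarity(a: str, b: str) -> float:
    """Share of characters the two strings have in common, case-insensitive, 0.0..1.0."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def too_similar(candidate: str, previous: str) -> bool:
    """True if the candidate is the old password with a different case, a
    different trailing counter, reversed, or only a small edit away."""
    c, p = candidate.lower(), previous.lower()
    if c == p or c == p[::-1]:
        return True
    if _stem(c) and _stem(c) == _stem(p):
        return True
    return similarity(c, p) >= MAX_SIMILARITY


def digest(pw: str) -> str:
    """Assumption: history is stored hashed, never in clear. A real deployment
    uses the same salted, slow hash as the credential store; plain SHA-256
    is used here only to keep the example short."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def check_new_password(candidate: str, current: str, old_hashes: list[str]) -> list[str]:
    """Return every reason the change must be refused; empty list means accepted.

    `current` is the password being replaced (the user has just typed it, so it
    is available in clear for the similarity test). `old_hashes` holds digests of
    earlier passwords, newest first; those can only be checked for exact reuse."""
    errors = complexity_errors(candidate)
    if too_similar(candidate, current):
        errors.append("too similar to the current password")
    if digest(candidate) in old_hashes[:HISTORY_DEPTH]:
        errors.append(f"reused one of the last {HISTORY_DEPTH} passwords")
    return errors


if __name__ == "__main__":
    # Constructed sample changes, not real credentials.
    history = [digest("Summer2006!")]
    for new, old in [("pass2", "pass1"),
                     ("Summer2007!", "Summer2006!"),
                     ("Summer2006!", "Winter2007!"),
                     ("Tr0ub4dor&3", "Summer2006!")]:
        verdict = check_new_password(new, old, history)
        print(f"{old!r} -> {new!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

The split between `current` and `old_hashes` is the practical caveat: a similarity test needs the old password in clear, and the only one a server legitimately holds in clear is the one the user has just typed to authorize the change. Older entries exist only as hashes, so against them the check degrades to exact-reuse detection. Note also that the thread's own objection stands: the stricter the rule, the more a user is tempted to write the result down, so a check like this is a guard against the laziest choices, not a substitute for reducing the number of passwords people must remember.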
