Impressing Security Upon End-Users Visually?
get quad writes "I continually have to remind our end-users to be vigilant about the usual web security hazards, such as not clicking links in the occasional spam email that passes through our filters, avoiding suspicious websites, why some websites aren't entirely safe or appropriate for the work environment (Facebook apps, MySpace, remote access apps, proxies, etc), and the myriad other things an end-user can do to get into trouble. What I'm hoping to find are video or flash examples (mind you, in layman's terms) of what Web-based exploits/zero-day threats are capable of, how they can happen, and the harm they can ultimately cause — rather than posting links to technical docs the users will never bother to read. Getting the point across in a purely visual and less technical manner seems much more effective. Does anyone have any suggestions or experience with this type of training?"
Make a video where the user clicks "Run File" in Internet Explorer and then the building explodes.
Why can't users choose their own level of security - idiots be damned. But I bet you'd find a whole bunch of people wise up really fast. :P
Unfortunately, this and worse is pretty much true. There are people out there that no matter what you do will still make stupid mistakes anyway for the dumbest reasons and then they'll be angry with you for not magically protecting them from their own incompetence.
Your only real solution is to either keep cleaning up after them or try and get their internet access revoked somehow.
A bullet may have your name on it but splash damage is addressed "To whom it may concern."
Even easier with better impact, just give a simple security message that any wrong action on their part can open a security hole - then flash the g'tse image.
Your users will not dare to violate your security rules after that, and probably not ever again for the rest of their lives.
...about computer security? Those work so well.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
I was spending some time with some friends of mine a few months back when the inevitable malware conversation came up. These friends happened to all be quite computer illiterate. What I did instead of giving the usual spiel about malware was show them a better experience.
I sat them down and showed them how to use Firefox with NoScript. I showed them their favorite sites without all the baggage and they were amazed at the improved experience. I made sure I showed them how to use NoScript with sites like Facebook and still get what they wanted.
All of this was done in less than 15 minutes, and they now use this combination on a daily basis, not because of the improved security, but because of the improved experience. The fact that their security is improved is entirely incidental.
Note to Firefox devs: improve your enterprise management tools so that I can justify rolling out Firefox to the enterprise after proving to management that it can be managed at the enterprise level. Enterprises need ways to consistently enforce policies with Firefox using AD! Until this can be done Firefox will never take over from Internet Explorer in the enterprise.
Here is a great video that shows how to detect a phishing scam using examples: http://www.youtube.com/watch?v=bzfPUmQcfDs
Symantec Security Response has an excellent video about Backdoor.Ghostnet on their youtube channel.
I think the message here is that if you don't practice safe computing, the tools exist that empower just about anyone to pwn you
There are people out there that no matter what you do will still make stupid mistakes anyway for the dumbest reasons and then they'll be angry with you for not magically protecting them from their own incompetence.
Your only real solution is to either keep cleaning up after them or try and get their internet access revoked somehow.
I have much the same experiences. I find that firewalling everything and forcing users to use a web proxy and mail gateway works pretty well. There is no reason for having office staff able to directly contact the Internet on any port.
You know what would be really cool? If you had a rewriting proxy that would occasionally insert a cartoon spy in pages that could be unsafe, reminding/warning them about what could have happened. For example, if they submitted a form with a password and it wasn't encrypted, the spy could pop up and say "This password is unprotected, and could be snooped. Be sure not to use the same password for anything important!", and then have buttons the users could click to submit the form anyway or cancel. If they arrived on a form from a link (referer is set) you could insert the spy, reminding them to check that the URL is correct and not a phishing site, and to always type the URL for important sites, like banks.
Situational reminders like this (if not overdone) would do more to create an atmosphere of caution and thoughtfulness than a yearly presentation would.
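The decision logic behind the "cartoon spy" proxy above, as an added example that is not code from the original post: it parses the raw requests a forward proxy sees, remembers whether the user reached a site through a cross-site link, and picks the reminder when a password is submitted. It assumes the proxy sees requests in plaintext with an absolute URL on the request line; the credential field names and the request samples are constructed.

```python
"""Reminder selection for a rewriting proxy that injects situational warnings.

Added example, not code from the original thread. Assumes the proxy sees
each request in plaintext (absolute-form request line, as a forward proxy
receives it) and tracks one browsing client. CREDENTIAL_FIELDS is an
assumption about which form field names carry a password.
"""
from urllib.parse import parse_qs, urlsplit

# Form field names assumed to carry a credential (assumption).
CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "pass"}

INSECURE_PASSWORD = ("This password is unprotected and could be snooped. "
                     "Be sure not to use the same password for anything important!")


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, URL parts, headers and form."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    form = {}
    if "application/x-www-form-urlencoded" in headers.get("content-type", ""):
        form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return {"method": method, "scheme": url.scheme, "host": url.netloc,
            "path": url.path, "headers": headers, "form": form}


class ReminderLogic:
    """Decides which reminder to inject, remembering how the user arrived at
    each site so that a later password submission can be flagged as
    link-initiated (the phishing case from the post)."""

    def __init__(self):
        # host -> host of the page whose link brought the user here, or None
        self.arrived_from = {}

    def observe(self, raw: str) -> list:
        req = parse_request(raw)
        referer_host = urlsplit(req["headers"].get("referer", "")).netloc
        if req["method"] == "GET":
            # Record cross-site arrivals; same-site navigation clears the flag.
            cross_site = bool(referer_host) and referer_host != req["host"]
            self.arrived_from[req["host"]] = referer_host if cross_site else None
            return []
        if req["method"] != "POST":
            return []
        if not any(name.lower() in CREDENTIAL_FIELDS for name in req["form"]):
            return []
        reminders = []
        if req["scheme"] != "https":
            # Case 1 from the post: password submitted without encryption.
            reminders.append(INSECURE_PASSWORD)
        origin = self.arrived_from.get(req["host"])
        if origin:
            # Case 2 from the post: the login page was reached via a link.
            reminders.append(
                f"You reached {req['host']} through a link on {origin}. Check that "
                "the address is really the site you expect, and type the address "
                "yourself for important sites like banks.")
        return reminders
```

The reply further down the thread applies here too: a reminder users see on every click is one they will soon dismiss without reading, so the triggers should stay as narrow as these two.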
http://www.scientificamerican.com/article.cfm?id=how-to-foil-phishing-scams
This is a good start and I'd recommend investigating the author's other published material.
Then, if you work in a company, said stupid people will undermine you. They'll make sure mgt knows you're insulting and unprofessional. Anything breaks, they'll let their bosses know that you were the one who "fixed" it and that your fixes don't work.
Treat people like children and they will usually act like children.
It's NOT me! It's the meds! I'm on 1000mg of Fukitol.
Check out Cisco's website. Really. Most of the time, they have some videos geared towards marketing and business types. They even have some cute superhero thing about threats. It drives me crazy because usually I go there for technical purposes, I want to see configuration commands and tech docs. But every once in a while I'll find a good diagram or video which gets my point across to non-techie types.
FLR
Probably a better example would be looking for a "Taken" about computer security... At least, the start of the movie, no matter how much we would like to hit, shoot, stab, and put a spammer/botnet hoarder under electric shocks until the light gets cut for no payment.
It doesn't matter how you explain it to them, whether it's pretty pictures or text, they won't understand or care.
http://cisr.nps.edu/cyberciege/ is a video game designed to teach computer security concepts. In addition to its more advanced scenarios, it includes a few simple "awareness" scenarios, the first of which directly addresses your topic. Further, this animated movie: http://cisr.nps.edu/cyberciege/movies/02CIEGE.html helps the layman understand why the problem of malicious software is so hard to solve. The link includes a free evaluation version of the game.
Redtail
I figured that most people would treat videos on computer security like the videos that teachers would show at school. Their reaction?
"NO WORK!!!"
I think that what's most effective is just enforcing your security policies using Group Policy or other management tools on the network. That way, you KNOW that most people won't violate any policies set forth, and those that do are the ones that didn't need the training in the first place.
If you're really adamant about educating your employees with videos and such, find REALLY GOOD videos that will hold their attention for their entire run. Remember, at the end of the day, those computers don't belong to them and most of them simply wish to get work done. Any teaching method which can exploit these two truths for educational value is probably worth watching.
My company's solution is to lock down the systems so tightly as to turn network systems into standalone systems.
Yes, they do, on a mass scale. When applied "properly" to things like smut, terrorism, gay marriage, etc, the "Reefer Madness" tactic works very well. In fact it's still working on the drug situation also. Otherwise prohibition would have been abolished a long time ago. Do not underestimate the power of "madness".
For justice, we must go to Don Corleone
Unfortunately, there should be another article titled "study confirms that computer system administrators are also mostly idiots"... but, of course, that wouldn't win any awards on a site like arstechnica, which caters to the computer geek set, which likes to pretend that they are not idiots.
Nor on a site like slashdot, for that matter. (Moderation: troll, here it comes.... guess I'd better click that "post anonymously" box, or else I'm gonna burn through karma...)
That will be a great story to tell all those people you meet at the unemployment office, there, tough guy.
Brett
So why should they go to the inconvenience of not clicking on links that they want to, or not visiting any website that takes their fancy? By appealing to their "professionalism" or "humanity" or "team spirit" you're probably on a loser. While these might get them gee-d up for a short time, you can bet that unless there's some personal pain involved in doing it, they'll be back to their old habits in a few weeks time.
Once you can put security in terms a normal user will understand: i.e. If you click on a bad website, these bad things will happen TO YOU, they'll pay attention. Until then you haven't got a chance.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
Nobody learns to avoid fire by being told. You have to get near and feel the heat to know you'd better not do it. So my advice is: make traps. Send them emails signed by another coworker asking for their password. Send them executable files that block their computer and flash a sign telling them that all their files are being erased, just because they executed a file from an unknown origin. All kinds of traps, with nasty consequences if possible; you don't want them to click on everything because it could be another amusing idea of yours. You want them scared of your ideas so that they look askance at every email or web page to see if it could be a trap. As it might be, so that's the right attitude.
Rome taught me patience and assiduous application to detail. Virtues which temper the boldness of great, general views.
It is pretty simple really. You have to set policy and communicate it. Then, if policy is broken the company must actually follow up with the repercussions stated in the policy. People are pretty smart - they understand repercussions. If the company doesn't back up the policy then it's not a policy, and there's no real reason for users to follow it.
What you want is an airbag behind the screen. When a virus is detected the airbag explodes out. The glass in the screen lacerates the user's face and indelible red ink on the airbag stains their skin for weeks to come.
Alternatively you could have a little water cannon under the desk that sprays their crotch so everyone thinks they wet themselves.
Only that kind of humiliation can ever hope to teach these lusers. -BOFH
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
And then you have to explain it was the user's doing, not your fault for supplying leaky tools like, say, Windows.
Our company runs company computers through a proxy, visitors and private laptops can connect directly.
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
As funny as I found your comment, as a serious note it's a bit too simplistic.
Ultimately the one weak link in security that is always present is the user. So you have to either hamper the user, and progressively cripple his ability to use the computer or you have to educate him of who to trust and who not to.
Any power you give the user is a power he can ultimately be tricked into misusing.
Mod points: Guaranteed to remove your sense of humor.
Side effects may include gullibility and temporary retardation
Oh - I don't think anyone would argue that sysadmins aren't idiots - just in different spheres of knowledge or influence.
I certainly couldn't cope in finance or psychology, but I'm not put into situations where I am expected to have a full working knowledge of the minutiae of those fields and then left to my own devices to function - 'idiot be damned'.
That's basically what lawnboy was apparently suggesting - and that's a theory a lot of sysadmins would reject in practice (I would love it if everyone could function in that way) but most won't and so it is left to us to safeguard them from themselves as well as others as much as possible. That's all it's about - it's not disdain for the person as a human, just a recognition of their skillset and the expectation that we should realistically have for them.
ReaLemon is yummy
This actually worked at the small enterprise where I take care of things. A user managed to get their machine mucked up with a bunch of spyware and adware by clicking in a forwarded email. I cleaned the machine and then management called a meeting a day or two later. Had every one of the employees in attendance. I gave the standard presentation about email safety, as well as general internet safety. I sat down. The director stood up and informed everyone in the room that the next time a machine needed to be cleaned as a result of operator error, the bill for my services (not cheap) would be deducted from the relevant employee's next paycheck. A sheet of paper was then passed around, with the same directive written on it, and all employees were instructed to either sign or lose their job. They all signed.
That was two years ago. Have not had a SINGLE instance of any malware on any machine, since that time. People now ask me every time they have any doubts about what they're doing, and I've headed off a few potential catastrophes since that started happening.
I'm guessing it's not a coincidence.
Is it fascism yet?
Make yourself a laptop with a Deep Freeze image. This way you can infect the system at will, reboot and it's clean.
Show the people using your system just how badly a zero-day exploit can hose a system.
Reboot, show the next group. Rinse, repeat.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
The whole bloody mess is mis-engineered... The secure settings in IE are a bear to browse with, and are still vulnerable to some zero day exploits. Windows itself is a mess, how many areas are there to check for programs that load at boot?
the legacy dos files...
the run and run-once lines in the registry (all of them)
runservices
load
userinit
the startup menu
the startup menu for the user
Lots of the code doesn't work unless it gets full rein to jack your system. Turn on the Windows-based security and programs like Xfire throw a fit as they are constantly requesting to break security for legit reasons. The security breaks usability and the idiots want to be able to just see the video from a friend without all this hassle of loading Flash. Or download a file without a freak-out.
While you can limit what sites you visit, mistype google or microsoft and there's no telling what your PC will contract.
http://www.virtualforge.de/vmovie.php
The XSS and CSRF videos are very good visualizations for the common user, using simple examples.
Blessed are the pessimists, for they have made backups.
Deny internet access to repeat offenders. They soon get the message that way.
Excellent question but, unfortunately, it hit the main /. page on a Saturday. Let's just say that the percentage of readers who are IT professionals drops off significantly over the weekend. Go figure.
Most of your responses so far are along the lines of, "You NAZI! Leave your users alone and let the ones who don't learn get what they deserve." Obviously, not the response of an IT type who has to deal with regulatory requirements and wants to keep his job. You might try the same question again but on a weekday on a computer and network security related site.
Good luck with your search.
Cheers,
Dave
They that can give up essential liberty to obtain a little temporary safety deserve neither safety nor liberty.
Ben
Hi, I'm Troy McClure. You may remember me from such IT security videos as "Microsoft Explorer: Ubiquitous but Unsecure" or "Passwords: The Road to Ruin".
Just because you are paranoid does not mean that no-one is out to get you.
A demonstration of the "Customer Appreciation Bat" works wonders.
Although since it's a corporate institution, the "Security Empowerment Bat" might be more effective.
In Soviet Russia, Trojan exploits YOU!
I can second that. I tried the opposite and for some reason it worked, below is a link to my own "I clicked on an email link" type virus scenario.
(Apologies for the shameless blog punt...)
http://blog.g33q.co.za/2009/07/16/why-no-operating-system-is-safe-not-one/
Since then I have done the opposite of being the bofh.
One of the girls who works there was one of the main culprits in spreading the virus around by sending the mail to EVERYONE and copying files from every darn flash drive she could get her hands on.
So I started joking with her regarding her having the most viruses on her computer, and since they are in an open plan office I did not need to work very hard to make that apparent. Also her Outlook broke, refused to run in anything but safe mode.
I refused to fix it. I just looked at it, fooled around with it a bit and loudly proclaimed "Heck, it must've broken because of that virus you had!"
Since that day, although there has been the odd virus mail (the greeting card type ones are very popular...), there has not been a major breakout of viruses. Usually they still begin with that girl - she just doesn't listen about security and so on - but as soon as anyone gets NOD complaining about a virus the attitude is to get in contact with me immediately, and to not forward each other funny mails.
Heck, they even refuse funnies from this girl and her flash drive is not allowed on anyone's computer - not via management directive, but because the users themselves don't want her flash drive.
I have caused her to be a bit of a computer leper, and for that reason there have been exactly two virus scares...
Seven Days with Ubuntu Unity
I suggest you emphasize the possibilities of what the Chinese government hackers, Russian mafia, and US Customs & Border Patrol will do to them if they don't practice proper security procedures. A scene from "Deliverance" that will get the point across. You know what I'm talking about.
The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
I think you under-estimate how easy it is to train dogs.
Rule of Slashdot #0: You and people like you are not representative of the larger population. - A.C.
Only after you give them tons of doggy treats which, as far as I can tell, there are no substitutes for in training humans. We are SOL.
Sunbelt Security had a video posted of what occurs when you got hit by the old WMF bug awhile back. You could see software being installed, icons appearing on the desktop, and the desktop background being modified as this thing went to town and began popping fake AV warnings. It was one of THE most extreme and informative examples I can think of for this.
Here's a copy of it I found on Youtube. A search for "WMF exploit" on YouTube will get you plenty of hits :-)
http://www.youtube.com/watch?v=WTBcDJ9kJH4
IMO, I think this answers your question!
Build it, Drive it, Improve it! Hybridz.org
Huh. Where I happen to live in soviet Canuckistan, both having your wages deducted for accidental damages caused on the job AND being forced to sign something under the threat of losing your job are both illegal.
Something vaguely similar happened at where I work. Weekend attendance had been optional for a very very long time, but management felt that too many people were just taking every weekend off because, well, people like their weekends. Anyway, to try and boost attendance they tried to make everyone sign an agreement basically saying that everyone had to work every single weekend unless excused, and excuses had to be given up to three weeks in advance... and this was all under a threat of "or else". A few of the sheeple signed right away for fear of losing their jobs. When it got round to me, I just laughed and threw the paper in the garbage. My boss tried to give me shit (this was in front of a dozen co-workers, so he had to make a stand) but I interrupted him to inform him that he could not unilaterally renegotiate my job description or fire me if I didn't agree to it, and if he ever tried to push me (or any of us) around like that again, the provincial labour board would come down on the place like a ten thousand pound bag of shit for it and all the other little skeletons-in-the-closet that I knew about. The next day their little piece of paper disappeared without a trace.
YMMV.
The director stood up
You found the holy grail of successful IT endeavors, (including educating end users) - executive buy-in and support. I know at least a dozen companies in which the executives pay lip service to lots of things, such as IT security, but don't actually actively support them. As a result, nothing really gets done in those areas.
Show me a company that hires good IT folks, makes them feel valued, and supports them, and you will find a company with a rock solid IT infrastructure.
I prefer rogues to imbeciles because they sometimes take a rest.
I think the human treat you may be looking for is a flat rectangular green object that is easily folded and often found in banks. :P
At least, in my experiences it seems to motivate people pretty well.
I teach computer classes to seniors and other people who have (usually) never turned one on before. When I cover the security section, I try to use analogies to help them understand the threat level and some ways to avoid most of it.
For virus protection, I equate it to a body guard - If you're in a small town, or walking around downtown, you're fine, and the body guard probably won't even be needed. If something did come up, you'd be fine since it would probably be a mugger or a rabid dog, and the body guard would be able to take care of that. Now, if you start wandering around in a mine field, or in the middle of a battle (analogous to visiting warez sites or downloading and running a file someone you didn't know sent you, etc.) no amount of body guards will keep you from dying.
This has really helped impress on my students' minds that it's really still up to them to not do anything stupid, and their anti-virus can't always keep them safe - especially if they are doing something dangerous on purpose.
I'm not a bird, I'm a super-advanced flying stealth dinosaur!
How about "Napster Baaaaad"?
-- You are in a maze of little, twisty passages, all different... --
A reminder/warning that user should click on to make it go away?
How much time do you suppose would pass before:
a) users completely ignore it, madly clicking [ OK ] without even looking at the text?
b) it is spoofed and/or copied by malware sites, cartoon spy and all?
Answer should be calculated in minutes and seconds, but feel free to use larger time units like hours and days.
Against stupidity the gods themselves contend in vain.
So it just sort of happens all on its own?
Nerd rage is the funniest rage.
Why not block access to anything non-approved?
More accurately, only allow specific sites.
Yes, some people will get around it, but most people capable enough to get around it aren't high risk. How many people who know how to tunnel would also download smileys?
The Kruger Dunning explains most post on
Maybe create some internal XSS that resides on your corporate proxy server. So when someone runs (say) a Facebook app, your XSS runs some Javascript off of an internal server that does something moderately annoying like continual pop-ups. Then if they click on one of the popups, disable their external web access completely.
We are the 198 proof..
Bacon's cheaper and works just as well for most gentiles.
Terry Tate, IT security Linebacker. "Woo-woo!"
Okay, I'll bite. Do facebook and myspace fall in the unsafe category, or are they just inappropriate? Obviously you don't want employees spending all their time at their desks screwing around with facebook, because you want them to be doing useful work. But if there's some actual security vulnerability that is opened up when a user simply goes to a web page with a certain flash or javascript app on it, then that sounds to me more like a problem with the browser you've chosen or the way you've chosen to configure it.
One of the thing that makes me tune out IT's messages at my workplace is that their pronouncements often don't demonstrate an appropriate sense of proportion. For example, they were trying to get a rule instituted that would make it a firing offense to do a variety of things with your computer -- one of which was plugging in a flash drive. (No, I don't work at the CIA. I work at a community college.) If you tell people that their computer can get a virus if they do any of a long list of things, then probably (a) they're not going to believe you, or (b) they're going to decide the list is so long that it's not practical to comply with it. It's like telling kids that beer, marijuana, and heroin are all in the same category. Once they find out you lied about marijuana, they'll just go ahead and try heroin as well.
Find free books.
If you need to map it visually, try doing it by something they understand and feel could affect them. Most people these days are using a lot of services. Most of these services allow the password to be changed and sent to the user's email address. Generally people will use the same password for all services, meaning that if any one of them is broken into, all of them can be accessed. Usually the email address will also tell you a lot of the services, if uncertain. Drawing this out in a logical way explains to users why they should use separate passwords for different services, and why they should use separate passwords for work and personal services. Taking this further, explaining that a lot of trojans can steal their password, making access even easier for an attacker, might make them feel they have something personal to lose. Explaining how their machine could be part of a botnet might not...
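The drawing this post describes, worked as code (an added example, not from the original post): each account has a password label and the mailbox its password reset goes to; starting from one broken-into account, it walks the two links the post names (same password, reset mail landing in a mailbox the attacker now controls) and reports everything reached. The account set is constructed, and the comparison run shows why the mailbox stays the hub even once passwords are separated.

```python
"""Blast radius of password reuse, following the links the post describes.

Added example, not code from the thread. The account set below is
constructed; the two propagation rules (a shared password grants login,
control of a mailbox grants a password reset) are the post's own model.
"""
from collections import deque

# Constructed sample: one person's accounts. "password" is a label for which
# password string the account uses; "reset_email" is the account whose mailbox
# receives that service's password-reset mail (None for a mailbox itself).
REUSED = {
    "personal-mail": {"password": "P1", "reset_email": None},
    "social":        {"password": "P1", "reset_email": "personal-mail"},
    "shopping":      {"password": "P1", "reset_email": "personal-mail"},
    "bank":          {"password": "P2", "reset_email": "personal-mail"},
    "work-vpn":      {"password": "P1", "reset_email": "work-mail"},
    "work-mail":     {"password": "P3", "reset_email": None},
}


def compromise_paths(accounts: dict, start: str) -> dict:
    """Breadth-first walk from `start`; maps each reached account to
    (account it was reached from, reason) so the chain can be drawn."""
    reached = {start: (None, "initial break-in")}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for name, info in accounts.items():
            if name in reached:
                continue
            if info["password"] == accounts[current]["password"]:
                reached[name] = (current, "same password as")
            elif info["reset_email"] == current:
                reached[name] = (current, "password reset mailed to")
            else:
                continue
            queue.append(name)
    return reached


def compromised_accounts(accounts: dict, start: str) -> set:
    """Every account the attacker ends up controlling after breaking into `start`."""
    return set(compromise_paths(accounts, start))


def describe(accounts: dict, start: str) -> list:
    """One line per link, in the order discovered, for a handout or slide."""
    lines = []
    for name, (via, reason) in compromise_paths(accounts, start).items():
        if via is not None:
            lines.append(f"{name}: {reason} {via}")
    return lines


def with_unique_passwords(accounts: dict) -> dict:
    """The same accounts after the user gives every service its own password."""
    return {name: {**info, "password": "unique-" + name}
            for name, info in accounts.items()}


if __name__ == "__main__":
    # A breach at the shop leaks one reused password...
    print("reused passwords, shop breached:")
    for line in describe(REUSED, "shopping"):
        print("  " + line)
    # ...while with separate passwords only the mailbox is still a hub.
    print("unique passwords, shop breached:", compromised_accounts(
        with_unique_passwords(REUSED), "shopping"))
    print("unique passwords, mailbox breached:", compromised_accounts(
        with_unique_passwords(REUSED), "personal-mail"))
```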
A normal brown-box Fedex-like package. When they open it, a balloon bursts and glitter goes everywhere.
Maybe they'll learn not to open random packages when it means maybe cleaning glitter for six days.
But I assume that a small bonus to an employee every month their machine /isn't/ compromised is perfectly legal, even in a country with sane labor laws? Or perhaps a free lunch?
Of course, this does cost some money, but you'd be surprised how even a small amount of money or food can motivate people to make tiny changes to their routine.
93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
People respond to their actual incentives, not what you pretend the incentives are.
If people were held personally liable for damages caused by security breaches that they enabled, they would get smarter about security.
I'm not arguing that they should be held liable, just that it's going to be hard to make them care when they aren't.
This game will waste your life. Don't clicky!
Send some "test" links yourself. When you manage to break into the user's machine, e-mail the user his own confidential document, password, etc. Then tell him _how_ he exposed himself and that you _could_ have been the bad guy.
I learned how to use chmod properly this way a LONG time ago -- the teaching method was highly effective... :)
(You will, of course, get the careless users ticked off -- so make sure you have management approval for this. But seeing _proof_ of what _will_ happen will get the message across for good).
No sensible person or company puts those things in an email any more, anyway. If you need to go do something with your account at your bank, the email just says, "Please go to your account and check your status." Anything further is probably spam, mal-something, or straight-up clueless.
I've fallen off your lawn, and I can't get up.
It sounds like you want to send an email to all your co-workers with a link to something cool online. The cool link will then teach them not to click on links in emails containing supposedly cool things. Your delivery mechanism is exactly that which you wish your users to avoid. I'm starting to come around to the school of thought stating there will never be enough motivation for corporate users to learn this stuff, so it is futile to try.
My post was in reply to "let's let the users decide how much security they want"; my point was that the users would probably opt for "none". A properly designed security policy will protect the assets and let Joe do his job.
Ya right, they just stopped reporting it. So your douchebag boss forced his employees to sign something or be fired, because you are sick of doing your job?
How about you just install anti-spyware and anti-virus software and be done with it. It's always worked for me; even if they click something evil it gets squashed immediately and everybody moves on with their life.
Too bad your expensive services don't include proper management of the computers you are paid to manage. That's YOUR job, dickweed. Not the users'. If I was your boss and we had repeated infections, you'd be unemployed and your replacement would take care of the issue once and for all.
Anti-*** doesn't do crap except detect the old stuff that has been out forever. Sure it will reduce the number of malware items by 25-50% but that is hardly enough because even one item of malware can disable the anti-malware systems and let the rest in.
I agree with the idea that employees should not be docked pay.. as that is a bit harsh. Users DO need to be held accountable for their actions though. Just as an employee would be held accountable for a physical security breach (bringing that hobo to work) an employee should be held accountable for other types of security breaches, if they have had proper training. If a user is breaching business policy and ends up with an infected computer, then they should be reminded that the policy is there for a reason. How they are reminded depends on lots of factors such as the severity of the breach, past history of the user, degree of stupidity that it took to contract the virus, etc.
Educating employees on how to not get owned by viruses is far more important than setting up some anti-virus software and calling it good.
There is obviously lots of gray area in this topic but using only technical solutions to a problem that is not only technical is the wrong approach. You need to use managerial and technical solutions to properly manage the IT infrastructure.
1. "If someone can do something wrong, someone will."
There's no way to circumvent this. Ever. Period. You have to accept that humans make errors. But it's OK if they learn from it.
The problem is:
2. "To get people to learn from something, they have to have an interest in it."
So if it does not hurt them, and does not give them an advantage, then why should they learn anything? Humans are all about efficiency. In fact, all competing life-forms ever are. In all of the universe.
So what do you do? You follow the basic rules of creating a motivating gradient: by offering advantages for those who learn, and disadvantages for those who don't.
Here, remember that positive gradients (relative to the person's state) are always better than negative ones (like punishment).
So I recommend this: At the next raise of salaries, raise them a bit less. But offer the remaining part as a bonus for those who can prove their security-awareness.
The amount is pretty easy to choose: It's the amount that you'd lose (e.g. the money to recover from loss or destruction), multiplied by the factor of likeliness (e.g. one in a million = 0.000001), divided by the number of people in the company (optional, depending on your p.o.v.).
You could check their security-awareness by testing them every year on a random day. Like a fire drill. But with a security drill. (Without announcing anything. Without any alarm going off.)
And by filling out a question form at the end of the day (one that takes a negligible amount of time, and is also there to refresh the knowledge. One more reason to make it a random day [= better learning]).
You can bet your mother on the fact that they will be much better at caring for security! ^^
Only remember to make all those drills, bonuses and tests proportional to the actual real amount of damage. Don't be surprised if it then will be less than you thought.
Any sufficiently advanced intelligence is indistinguishable from stupidity.
A while back a slashdot comment had a link to a security cartoon. The cartoons are cute and pretty thorough, though they may be a bit simple and are somewhat outdated. It's visual and pretty straightforward.
open source modern art: laser taggi
You did manage to save them a bunch of money, though. Now that your users aren't fucking up their machines any more, there's little reason to keep paying you to do nothing. Cost of your services, and all that.
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
Call a meeting. Get an old box running the company standard stuff. Tell them it's no different from their box and that if it were connected to the company network it could infect everyone, EVEN THEIR BOSS. Then DISCONNECT IT FROM ANY NETWORK ACCESS. And infect it with a virus that torches the drive. Not many people have actually seen a virus turn a perfectly good machine into a basket case.
Every rule has more than one consequence.
Usually, when something "bad" happens, you get to see the result. You lose your wallet, you can't pay next time you have to. Someone breaks into your house, everything's turned upside down. With malware, there just ain't anything to see.
To make things worse, people have been told by Hollywood that there is something to see. Computer screens "melting" or outright explosions (those dreaded 220kV lines in those flatscreens ... you know...), or at least some nifty CGI (honestly, every time someone searches for fingerprints on CSI .... I'd have broken the programmer's fingers if he really showed a ton of "wrong" fingerprints while searching and wasting a lot of time for pointless eye candy... but I ramble). But there just is nothing to see. Why? Because that's the whole point of infecting someone: To have a spy in his computer without the person knowing it. You double click the infector and you don't see anything. Maybe, if you're using a slow machine, you get the "busy" mouse icon for a split second.
My solution usually is to show them what happens behind the scenes. First of all, it's interesting because it's kinda-sorta-maybe illegal, since you're doing what the bad boys are doing (with the difference that you're not really infecting anything but your own presentation machines). And they get to see what they usually don't get to see. It's not even a problem that it's way over their head because nmap output looks impressive, even if you don't get a thing. But even a monitoring proxy output is usually enough (you just have to point to the information that you want to stress). Set up Alice, Bob and Dave and give them a show of "what if you're infected".
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
"Accidental" is one thing "deliberate" is another.
I've got two 'tarded users who get their systems hosed with malware several times a year. It doesn't matter how many times I explain that they should NEVER click on a link that says they have to update their video player to view shocking security camera footage of themselves or a video of a monkey throwing poo at zoo visitors. Last time, I dumbed it down to, "Stop clicking on stupid shit!" Maybe that will work. Meanwhile, I'm going to work on getting a legacy app to work in a restricted environment. Failing that, I'll have to consider buying a net-nanny program for them. But it pisses me off that I have to spend my time figuring out how to keep these two chuckleheads from doing stupid shit.
It's the equivalent of giving someone a company car and having them repeatedly run it into a brick wall. The first time might have been an honest accident. Second time...well, shit happens. After that, no more excuses. I don't think any employer would hesitate to make an employee pay for the damage caused by their third run-in with a brick wall.
Send out a fake spam email. Anyone who clicks on the link gets a security warning letter and a "You are subject to termination for clicking on the link in an email. Contact HR immediately."
I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
Have you posted this over at mozilla.com?
Bug 267888.
That works, until the user is a bigger jerk than you are. I worked for a fairly senior enlisted man who was pretty bad about computer security. He related to me a story about how some system he needed to use generated a password for him, but it was totally random and he couldn't remember it.
There was no option, whatsoever, to generate any kind of "friendly" password or to make it memorable. So his solution was to call the help desk and to insist upon getting a password he could remember. The female tech started out, much as you suggest, by explaining that there was no way she would do that. He responded with 30-odd years of experience in yelling at people, which brought her to tears, and she wound up resetting the password until she got one he could remember.
The guy's pretty sharp about most things; he did a lot to straighten up record-keeping which definitely improved our operations, and probably did a lot to improve security overall. But he's that deadly combination of lousy at managing passwords and extremely effective at getting his way. So any plan that is "yell at people" has to account for the fact that the most critical individuals are liable to yell back.
That was two years ago. Have not had a SINGLE instance of any malware on any machine since that time.
That they've told you about.
The FTC has a site on phishing that may help. We have been getting the Outlook update link in a fake email here for a while, and have had to send many reminders that we will not send links to people for updates on their computer since we manage patches and updates automatically. http://www.ftc.gov/bcp/menus/consumer/tech/privacy.shtm
Because then they won't report problems and you'll have a bunch of infected computers leaking data you don't know about, or worse they won't tell you about things that aren't operator error and you won't know when something major isn't working.
Have you bothered to check anyway? Since your users definitely won't report anything that goes wrong now. I bet they're doing all kinds of stupid shit, then having their neighbor's 13 year old fix it.
You idiot-proof problem users' computers. If you're using Active Directory, reduce their privileges; if you're not, give them only limited accounts. Only you will have the admin password to their computers (if that isn't already the case). Then install Firefox and Adblock Plus with malware filters and high security settings, and disable IE. If you need IE for certain websites, whitelist those sites, then don't allow any cookies, scripting, or anything else from the Internet zone in IE. Users can't click stupid executables if they don't have permission to run executable files. If none of that works, give them a computer with Linux on it, but only you have the root password; show them how to use Thunderbird, Firefox, and OpenOffice, and only the other things they need for work.
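The IE lockdown the comment above describes (least privilege, no scripting or ActiveX from the Internet zone, a short whitelist of sites in Trusted Sites), as an added PowerShell example that is not part of the original thread. It assumes it is run once per machine from an elevated shell, that the account name and whitelisted hosts are placeholders to replace, and that the zone value names follow the documented IE zone registry layout.

```powershell
# Added example, not from the thread. Run once per machine as an administrator;
# the limited user needs no rights and cannot undo these settings from HKCU.
# Assumptions: $ProblemUser and $Whitelist are placeholders. Zone value names
# are from the documented IE zone layout: 1400 = Active scripting, 1200 = Run
# ActiveX controls and plug-ins, 1004/1001 = download unsigned/signed ActiveX,
# 1201 = initialize ActiveX not marked safe. Data 3 = Disable.
param(
    [string]$ProblemUser = 'problemuser',              # placeholder account
    [string[]]$Whitelist = @('intranet.example.com')   # placeholder IE-only sites
)

# 1. Least privilege: warn if the problem user is still a local administrator.
$admins = net localgroup Administrators
if ($admins -contains $ProblemUser) {
    Write-Warning "$ProblemUser is in local Administrators; remove with:" +
        " net localgroup Administrators $ProblemUser /delete"
}

# 2. Make the machine-wide (HKLM) zone settings authoritative, so a user
#    tweaking Internet Options in their own profile has no effect.
$pol = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
New-Item -Path $pol -Force | Out-Null
Set-ItemProperty -Path $pol -Name 'Security_HKLM_only' -Type DWord -Value 1

# 3. Internet zone (zone 3): disable scripting and every ActiveX action.
$zone3 = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
New-Item -Path $zone3 -Force | Out-Null
foreach ($name in '1400', '1200', '1004', '1001', '1201') {
    Set-ItemProperty -Path $zone3 -Name $name -Type DWord -Value 3
}

# 4. Whitelist: map each site that genuinely needs IE to Trusted Sites (zone 2).
#    Everything not listed here stays in the locked-down Internet zone.
$domains = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
foreach ($site in $Whitelist) {
    $key = Join-Path $domains $site
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'http'  -Type DWord -Value 2
    Set-ItemProperty -Path $key -Name 'https' -Type DWord -Value 2
}
```

Verify afterwards from the limited account: Internet Options should show the Internet zone controls greyed out and the whitelisted hosts listed under Trusted Sites.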