Slashdot Mirror


Impressing Security Upon End-Users Visually?

get quad writes "I continually have to remind our end-users to be vigilant about the usual web security hazards, such as not clicking links in the occasional spam email that passes through our filters, avoiding suspicious websites, why some websites aren't entirely safe or appropriate for the work environment (Facebook apps, MySpace, remote access apps, proxies, etc), and the myriad other things an end-user can do to get into trouble. What I'm hoping to find are video or flash examples (mind you, in layman's terms) of what Web-based exploits/zero-day threats are capable of, how they can happen, and the harm they can ultimately cause — rather than posting links to technical docs the users will never bother to read. Getting the point across in a purely visual and less technical manner seems much more effective. Does anyone have any suggestions or experience with this type of training?"

34 of 157 comments

  1. Explosions! by sopssa · · Score: 3, Funny

    Make a video where the user clicks "Run File" in Internet Explorer and then the building explodes.

    1. Re:Explosions! by xgadflyx · · Score: 3, Funny

      Actually, we've found that "making an example" has been the most effective security measure. Call a meeting - "Tom here has decided to do $INSERT_ENDUSER_STUPIDITY, so we're going to take this time to show you what happens.." Then you just grab a hammer and smash fingers. Some people puke, others just turn in disgust - regardless, we haven't had a user click a phishing email in over 2 years.

      --
      Civilization, the death of dreams.
    2. Re:Explosions! by Anonymous Coward · · Score: 2, Funny

      There's a freeware program that, when run, starts flashing the screen, and plays at MAX volume "HEY EVERYONE, I'm looking at GAY porno!" ... just send that around, and people will quickly learn not to open programs.

    3. Re:Explosions! by pentalive · · Score: 2, Insightful

      That may have the same sort of effect as "Reefer Madness" = Audience ignores message due to "over the top"ness of the presentation.

    4. Re:Explosions! by Runaway1956 · · Score: 2, Insightful

      Hmmm. I read the posted question/summary. Started scrolling down, reading comments. Stopped. Go back up and read just the title. Hmmm. Forget everything else, just concentrate on the title.

      Could you make some kind of a monitoring app, which displays a graphic?

      I don't mean to make a new antivirus. Just some graphic attached to existing antivirus and anti-malware software. It monitors the stupid things people do, and displays a ribbon or something across the top of the toolbar. Put a red end on the ribbon, and the red starts filling up the ribbon. When the user does something REALLY stupid, he gets popups, which grow more and more annoying.

      For people with a clue, the ribbon just serves as a reminder. For people without a clue, those popups get more and more "In your FACE". Give the thing the ability to log those events and warnings, so the IT guy can bring it up, and show the idiot who refuses to be warned.

      Just an idea - but I think it would be helpful to stick something like that on your most obtuse user's desktops.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    5. Re:Explosions! by DiegoBravo · · Score: 2, Interesting

      > such as not clicking links in the occasional spam email which passes through filters, avoiding suspicious websites,

      Just set up a daily cron job to send an email with a link pointing to a page on your web server that shows:

      YOU CLICKED THE BAD LINK. YOU'RE AN IDIOT. NEXT TIME WE'LL CUT YOUR SALARY.

      For the email subject, just collect a handful of common spam phrases, like "Tired of seeing disappointed faces on women when they pull down your pants". Problem solved.

  2. So you are looking for a "Reefer Madness" movie... by John+Hasler · · Score: 3, Insightful

    ...about computer security? Those work so well.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  3. Change their perspective to be self gratifying by onyxruby · · Score: 4, Interesting

    I was spending some time with some friends of mine a few months back when the inevitable malware conversation came up. These friends happened to all be quite computer illiterate. What I did instead of giving the usual spiel about malware was show them a better experience.

    I sat them down and showed them how to use Firefox with NoScript. I showed them their favorite sites without all the baggage and they were amazed at the improved experience. I made sure I showed them how to use NoScript with sites like Facebook and still get what they wanted.

    All of this was done in less than 15 minutes, and they now use this combination on a daily basis, not because of the improved security, but because of the improved experience. The fact that their security is improved is entirely incidental.

    Note to Firefox devs, improve your enterprise management tools so that I can justify rolling out Firefox to the enterprise after proving to management that it can be managed at the enterprise level. Enterprises need ways to consistently enforce policies with Firefox using AD! Until this can be done Firefox will never take over Internet Explorer in the Enterprise.

    1. Re:Change their perspective to be self gratifying by ddillman · · Score: 2, Insightful

      > Note to Firefox devs, improve your enterprise management tools so that I can justify rolling out Firefox to the enterprise after proving to management that it can be managed at the enterprise level. Enterprises need ways to consistently enforce policies with Firefox using AD! Until this can be done Firefox will never take over Internet Explorer in the Enterprise.

      You know, sticking this down in some random response on a Slashdot discussion thread is not the most likely way to have Firefox devs see and possibly implement what you're looking for. Have you posted this over at mozilla.com?

      --
      Little girls, like butterflies, need no excuse. -- L. Long
    2. Re:Change their perspective to be self gratifying by buchner.johannes · · Score: 2, Informative

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
  4. Re:Dont you mean "oppresing"... by 1s44c · · Score: 3, Interesting

    > Why can't users choose their own level of security - idiots be damned. But I bet you find a whole bunch of people wise up really fast. :P

    You could try it but I doubt it will make your life easier. Most users don't understand and don't care and will expect you to fix their mistakes over and over again. Most of them have some kind of twisted pride in their ignorance.

    There was research done on office staff by flashing up random warning messages on their screens, most users ignored the messages no matter what they said, clicked anything to get rid of the message, and immediately forgot there was even a message.

  5. www.IdentityTheft.info video by Cyko_01 · · Score: 4, Informative

    Here is a great video that shows how to detect a phishing scam using examples: http://www.youtube.com/watch?v=bzfPUmQcfDs

  6. Backdoor.Ghostnet by adnd74 · · Score: 3, Informative

    Symantec Security Response has an excellent video about Backdoor.Ghostnet on their youtube channel.

    I think the message here is that if you don't practice safe computing, the tools exist that empower just about anyone to pwn you.

  7. Re:Security holes by snowraver1 · · Score: 4, Funny

    Just show them this:

    http://www.youtube.com/watch?v=1SNxaJlicEU

    --
    Copyright 2010. All rights reserved. This comment may not be copied in any way including, but not limited to caching.
  8. Re:Dont you mean "oppresing"... by 1s44c · · Score: 3, Informative

    I did find this:

    http://arstechnica.com/security/news/2008/09/study-confirms-users-are-idiots.ars

    I'm not sure if it's the study I was thinking of though.

  9. Phishing article on SciAm by Unequivocal · · Score: 3, Informative

    http://www.scientificamerican.com/article.cfm?id=how-to-foil-phishing-scams

    This is a good start and I'd recommend investigating the author's other published material.

  10. Re:Yell at them and make them feel like shit. by NoYob · · Score: 3, Insightful

    What some will do then is go out of their way to click on shit to fuck things up. Treating people like shit will never work.

    Then, if you work in a company, said stupid people will undermine you. They'll make sure mgt knows you're insulting and unprofessional. Anything breaks, they'll let their bosses know that you were the one who "fixed" it and that your fixes don't work.

    Treat people like children and they will usually act like children.

    --
    It's NOT me! It's the meds! I'm on 1000mg of Fukitol.
  11. Security education video game and movie by redtail · · Score: 2, Interesting

    http://cisr.nps.edu/cyberciege/ is a video game designed to teach computer security concepts. In addition to its more advanced scenarios, it includes a few simple "awareness" scenarios, the first of which directly addresses your topic. Further, this animated movie: http://cisr.nps.edu/cyberciege/movies/02CIEGE.html helps the layman understand why the problem of malicious software is so hard to solve. The link includes a free evaluation version of the game.

    --
    Redtail
  12. Videos help? by MrCrassic · · Score: 3, Insightful

    I figured that most people would treat videos on computer security like the videos that teachers would show at school. Their reaction?

    "NO WORK!!!"

    I think that what's most effective is just enforcing your security policies using Group Policy or other management tools on the network. That way, you KNOW that most people won't violate any policies set forth, and those that do are the ones that didn't need the training in the first place.

    If you're really adamant about educating your employees with videos and such, find REALLY GOOD videos that will hold their attention for their entire run. Remember, at the end of the day, those computers don't belong to them and most of them simply wish to get work done. Any teaching method which can exploit these two truths for educational value is probably worth watching.

  13. Dark Ages by banished · · Score: 2, Insightful

    My company's solution is to lock down the systems so tightly as to turn network systems into standalone systems.

  14. Re:So you are looking for a "Reefer Madness" movie by countertrolling · · Score: 2, Interesting

    Yes, they do, on a mass scale. When applied "properly" to things like smut, terrorism, gay marriage, etc, the "Reefer Madness" tactic works very well. In fact it's still working on the drug situation also. Otherwise prohibition would have been abolished a long time ago. Do not underestimate the power of "madness".

    --
    For justice, we must go to Don Corleone
  15. Re:Yell at them and make them feel like shit. by Brett+Buck · · Score: 2, Insightful

    > Your only option is to yell at those idiots. Yell and yell and yell and yell. Make them feel like the shit that they are. They still won't understand why they shouldn't do the things you tell them not to do. They just won't do it to avoid your angry reaction.

    That will be a great story to tell all those people you meet at the unemployment office, there, tough guy.

    Brett

  16. What's in it for them? by petes_PoV · · Score: 3, Insightful

    Viruses, worms etc. aren't really the users' problem - unless you can categorically point the finger at an individual and get them fired (as an example, pour les autres). Why should they care if THE COMPANY computers crash, or slow down or give them reasons why they can't do their job?

    So why should they go to the inconvenience of not clicking on links that they want to, or not visiting any website that takes their fancy? By appealing to their "professionalism" or "humanity" or "team spirit" you're probably on a loser. While these might get them gee-d up for a short time, you can bet that unless there's some personal pain involved in doing it, they'll be back to their old habits in a few weeks time.

    Once you can put security in terms a normal user will understand: i.e. If you click on a bad website, these bad things will happen TO YOU, they'll pay attention. Until then you haven't got a chance.

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons
  17. If you want them to learn... by OpenSourced · · Score: 2, Insightful

    Nobody learns to avoid fire by being told. You have to get near and feel the heat to know you'd better not do it. So my advice is: make traps. Send them emails signed by another coworker asking for their password. Send them executable files that block their computer and flash a sign telling them that all their files are being erased, just because they executed a file from an unknown origin. All kinds of traps, with nasty consequences if possible; you don't want them to click on everything because it could be another amusing idea of yours. You want them scared of your ideas so that they look askance at every email or web page to see if it could be a trap. As they might be, so that's the right attitude.

    --
    Rome taught me patience and assiduous application to detail. Virtues which temper the boldness of great, general views.
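Comments 5 and 17 above both amount to running your own phishing drill: mail users a lure with a link and see who clicks. The following is an added example, not code posted by any commenter, of the piece that usually gets skipped: minting one per-user link with an HMAC-tagged token, so a click can be attributed to the person who received that mail but nobody can forge a link that blames a colleague (which matters once pay or reputation rides on it, as several replies note). The host name, campaign id, addresses and subject line are assumed placeholders; serving the landing page and reading the web server's access log are left to whatever server you run.

```python
"""Phishing-drill link tracker.

Added example for this thread, not code posted by any commenter. The host
name, campaign id, addresses and subject line below are made-up placeholders.
"""
import base64
import hashlib
import hmac
import secrets
from collections import Counter
from email.message import EmailMessage
from urllib.parse import parse_qs, urlsplit

LANDING = "https://intranet.example/drill"  # assumed: the page that shows the "you clicked" message
TAG_LEN = 16                                 # bytes of HMAC-SHA256 kept in each token
SECRET = secrets.token_bytes(32)             # generate once per campaign, keep it server-side only


def make_link(recipient, campaign, key=SECRET):
    """One link per recipient. The token is campaign:recipient plus a MAC,
    so a click can be attributed but nobody can mint a link in a colleague's
    name. campaign must not contain ':'."""
    msg = f"{campaign}:{recipient}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]
    token = base64.urlsafe_b64encode(msg + tag).rstrip(b"=").decode()
    return f"{LANDING}?t={token}"


def resolve_click(url, key=SECRET):
    """Return (campaign, recipient) for an authentic link, else None.
    Anything that does not verify is rejected rather than guessed at."""
    token = parse_qs(urlsplit(url).query).get("t", [""])[0]
    if not token:
        return None
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.urlsafe_b64decode(padded)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= TAG_LEN:
        return None
    msg, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    campaign, sep, recipient = msg.decode("utf-8", "replace").partition(":")
    if not sep or not recipient:
        return None
    return campaign, recipient


def lure_message(recipient, campaign, subject, sender, key=SECRET):
    """The message the cron job would send: a plain-text mail carrying that
    recipient's tracked link."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(
        "Your account will be suspended unless you confirm here:\n"
        f"{make_link(recipient, campaign, key)}\n"
    )
    return msg


def tally(clicked_urls, key=SECRET):
    """Count verified clicks per (campaign, recipient). Forged or mangled
    links land in 'rejected' instead of being pinned on someone."""
    clicks, rejected = Counter(), 0
    for url in clicked_urls:
        who = resolve_click(url, key)
        if who is None:
            rejected += 1
        else:
            clicks[who] += 1
    return {"clicks": clicks, "rejected": rejected}


if __name__ == "__main__":
    link = make_link("alice@example.test", "q3-drill")
    print(lure_message("alice@example.test", "q3-drill",
                       "Invoice overdue", "helpdesk@example.test"))
    # constructed sample of the URLs a web server access log might yield
    seen = [link, link, LANDING + "?t=bogus", link.replace("?t=", "?t=Q")]
    print(tally(seen))
```

The token carries no secret of its own; the key stays on the server, so a user who pastes their link into chat cannot give anyone the ability to fabricate clicks, and a typo'd or hand-edited URL shows up in the rejected count rather than against a name.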
  18. Re:How do you explain a buffer overflow? by quickOnTheUptake · · Score: 2, Insightful

    As funny as I found your comment, as a serious note it's a bit too simplistic.
    Ultimately the one weak link in security that is always present is the user. So you have to either hamper the user, and progressively cripple his ability to use the computer, or you have to educate him about whom to trust and whom not to.
    Any power you give the user is a power he can ultimately be tricked into misusing.

    --
    Mod points: Guaranteed to remove your sense of humor.
    Side effects may include gullibility and temporary retardation
  19. Re:Yell at them and make them feel like shit. by DoraLives · · Score: 4, Interesting

    This actually worked at the small enterprise where I take care of things. A user managed to get their machine mucked up with a bunch of spyware and adware by clicking in a forwarded email. I cleaned the machine and then management called a meeting a day or two later. Had every one of the employees in attendance. I gave the standard presentation about email safety, as well as general internet safety. I sat down. The director stood up and informed everyone in the room that the next time a machine needed to be cleaned as a result of operator error, the bill for my services (not cheap) would be deducted from the relevant employee's next paycheck. A sheet of paper was then passed around, with the same directive written on it, and all employees were instructed to either sign or lose their job. They all signed.

    That was two years ago. Have not had a SINGLE instance of any malware on any machine, since that time. People now ask me every time they have any doubts about what they're doing, and I've headed off a few potential catastrophes since that started happening.

    I'm guessing it's not a coincidence.

    --
    Is it fascism yet?
  20. Deny internet access to repeat offenders by JustNiz · · Score: 2, Interesting

    Deny internet access to repeat offenders. They soon get the message that way.

  21. I Have a Vision of... by mrsquid0 · · Score: 2, Funny

    Hi, I'm Troy McClure. You may remember me from such IT security videos as "Microsoft Explorer: Ubiquitous but Unsecure" or "Passwords: The Road to Ruin".

    --
    Just because you are paranoid does not mean that no-one is out to get you.
  22. Re:Yell at them and make them feel like shit. by AndGodSed · · Score: 2, Interesting

    I can second that. I tried the opposite and for some reason it worked, below is a link to my own "I clicked on an email link" type virus scenario.

    (Apologies for the shameless blog punt...)

    http://blog.g33q.co.za/2009/07/16/why-no-operating-system-is-safe-not-one/

    Since then I have done the opposite of being the bofh.

    One of the girls who works there was one of the main culprits in spreading the virus around by sending the mail to EVERYONE and copying files from every darn flash drive she can get her hands on.

    So I started joking with her regarding her having the most viruses on her computer, and since they are in an open plan office I did not need to work very hard to make that apparent. Also her Outlook broke, refused to run in anything but safe mode.

    I refused to fix it. I just looked at it, fooled around with it a bit and loudly proclaimed "Heck it must've broken because of that virus you had!"

    Since that day there has been the odd virus mail (the greeting card type ones are very popular...) but there has not been a major outbreak of viruses. Usually they still begin with that girl - she just doesn't listen about security and so on - but as soon as anyone gets NOD complaining about a virus the attitude is to get in contact with me immediately, and to not forward each other funny mails.

    Heck they even refuse funnies from this girl and her flash drive is not allowed on anyone's computer - not via management directive, but because the users themselves don't want her flash drive.

    I have caused her to be a bit of a computer leper, and for that reason there have been exactly two virus scares...

  23. Look for vids of the WMF bug by BLKMGK · · Score: 2, Informative

    Sunbelt Security had a video posted of what occurs when you got hit by the old WMF bug awhile back. You could see software being installed, icons appearing on the desktop, and the desktop background being modified as this thing went to town and began popping fake AV warnings. It was one of THE most extreme and informative examples I can think of for this.

    Here's a copy of it I found on Youtube. A search for "WMF exploit" on YouTube will get you plenty of hits :-)

    http://www.youtube.com/watch?v=WTBcDJ9kJH4

    IMO, I think this answers your question!

    --
    Build it, Drive it, Improve it! Hybridz.org
  24. Re:Yell at them and make them feel like shit. by MachDelta · · Score: 4, Interesting

    Huh. Where I happen to live in soviet Canuckistan, both having your wages deducted for accidental damages caused on the job AND being forced to sign something under the threat of losing your job are illegal.

    Something vaguely similar happened at where I work. Weekend attendance had been optional for a very very long time, but management felt that too many people were just taking every weekend off because, well, people like their weekends. Anyways, to try and boost attendance they tried to make everyone sign an agreement basically saying that everyone had to work every single weekend unless excused, and excuses had to be given up to three weeks in advance... and this was all under a threat of "or else". A few of the sheeple signed right away for fear of losing their jobs. When it got round to me, I just laughed and threw the paper in the garbage. My boss tried to give me shit (this was in front of a dozen co-workers, so he had to make a stand) but I interrupted him to inform him that he could not unilaterally renegotiate my job description or fire me if I didn't agree to it, and if he ever tried to push me (or any of us) around like that again, the provincial labour board would come down on the place like a ten thousand pound bag of shit for it and all the other little skeletons-in-the-closet that I knew about. The next day their little piece of paper disappeared without a trace.

    YMMV.

  25. Re:Yell at them and make them feel like shit. by calmofthestorm · · Score: 2

    But I assume that a small bonus to an employee every month their machine /isn't/ compromised is perfectly legal, even in a country with sane labor laws? Or perhaps a free lunch?

    Of course, this does cost some money, but you'd be surprised how even a small amount of money or food can motivate people to make tiny changes to their routine.

    --
    93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
  26. Re:Yell at them and make them feel like shit. by maharb · · Score: 2, Insightful

    Anti-*** doesn't do crap except detect the old stuff that has been out forever. Sure it will reduce the number of malware items by 25-50% but that is hardly enough because even one item of malware can disable the anti-malware systems and let the rest in.

    I agree with the idea that employees should not be docked pay.. as that is a bit harsh. Users DO need to be held accountable for their actions though. Just as an employee would be held accountable for a physical security breach (bringing that hobo to work) an employee should be held accountable for other types of security breaches, if they have had proper training. If a user is breaching business policy and ends up with an infected computer, then they should be reminded that the policy is there for a reason. How they are reminded depends on lots of factors such as the severity of the breach, past history of the user, degree of stupidity that it took to contract the virus, etc.

    Educating employees on how to not get owned by viruses is far more important than setting up some anti-virus software and calling it good.

    There is obviously lots of gray area in this topic but using only technical solutions to a problem that is not only technical is the wrong approach. You need to use managerial and technical solutions to properly manage the IT infrastructure.

  27. It's you who ignores basic rules of human behavior by Hurricane78 · · Score: 2, Interesting

    1. "If someone can do something wrong, someone will."
    There's no way to circumvent this. Ever. Period. You have to accept, that humans make errors. But it's ok if they learn from it.
    The problem is:

    2. "To get people to learn from something, they have to have an interest in it."
    So if it does not hurt them, and does not give them a advantage, then why should they learn anything? Humans are all about efficiency. In fact all competing life-forms ever, are. In all of the universe.
    So what do you do? You follow basic rules of creating a motivating gradient. By offering advantages for those who learn, and disadvantages for those who don't.

    Here, remember that positive gradients (relative to the person's state) are always better than negative ones (like punishment).

    So I recommend this: At the next raise of salaries, raise them a bit less. But offer the remaining part as a bonus for those who can prove their security-awareness.
    The amount is pretty easy to choose: It's the amount that you'd lose (e.g. the money to recover from loss or destruction), multiplied by the factor of likeliness (e.g. one in a million = 0.000001), divided by the number of people in the company (optional, depending on your p.o.v.).

    You could check their security-awareness by testing them every year on a random day. Like a fire drill, but with a security drill. (Without announcing anything. Without any alarm going off.)
    And by filling out a question form at the end of the day (one that takes a negligible amount of time, and is also there to refresh the knowledge. One more reason to make it a random day [= better learning]).

    You can bet your mother on the fact that they will be much better at caring for security! ^^

    Only remember to make all those drills, bonuses and tests proportional to the actual real amount of damage. Don't be surprised if it then turns out to be less than you thought.

    --
    Any sufficiently advanced intelligence is indistinguishable from stupidity.