Slashdot Mirror


Schneier: Security Awareness Training 'a Waste of Time'

An anonymous reader writes "Security guru Bruce Schneier contends that money spent on user awareness training could be better spent and that the real failings lie in security design. 'The whole concept of security awareness training demonstrates how the computer industry has failed. We should be designing systems that won't let users choose lousy passwords and don't care what links a user clicks on,' Schneier writes in a blog post on Dark Reading. He says organizations should invest in security training for developers. He goes on, '... computer security is an abstract benefit that gets in the way of enjoying the Internet. Good practices might protect me from a theoretical attack at some time in the future, but they’re a bother right now, and I have more fun things to think about. This is the same trick Facebook uses to get people to give away their privacy. No one reads through new privacy policies; it's much easier to just click "OK" and start chatting with your friends. In short: Security is never salient.'"

52 of 284 comments

  1. Obligatory car analogy by qbast · · Score: 5, Insightful

    It demonstrates that the car industry has failed. We should be designing systems that don't need seatbelts and don't care if the user decides to slam into a tree at 100km/h. The whole concept of secure driving is just an abstract benefit that gets in the way of enjoying driving.

    1. Re:Obligatory car analogy by mwvdlee · · Score: 5, Insightful

      To stay closer to the original analogy...

      Would you drive a car randomly left by the side of the road with big stickers on it saying "You may be eligible to win $1mln if you drive this car!!! (paid for by Soylent Green Corp.)"?

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    2. Re:Obligatory car analogy by DMUTPeregrine · · Score: 5, Insightful

      No, he's saying that we should be adding seat belts and anti-lock brakes and eventually self-driving cars to eliminate the need for the user to focus on safety in driving. He's arguing that the safety should be built into the system, and not rely on the judgement of the user. That's the exact opposite of your example.

      --
      Not a sentence!
    3. Re:Obligatory car analogy by Anonymous Coward · · Score: 4, Insightful

      Driving a car is a far more focused task, with more salient dangers. Even without safety training, people understand that driving erratically or at high speeds can be dangerous. Using a computer or the internet is more like watching TV or reading an article and determining if what you're watching is fact or fiction; it requires judgement and motivation.

      Given that many adults don't have these skills, and importantly that the effects of failure extend beyond the individual involved, what Schneier is proposing makes sense.

    4. Re:Obligatory car analogy by jewens · · Score: 3, Insightful

      The training itself may be inexpensive, but the lost time for "all" employees forced to take the course/class/lecture is not. Not to mention the burden on your staff in tracking attendance compliance etc.

      --
      That group of bovine standing over there appears quite portentous. That's right it's an ominous cow herd.
    5. Re:Obligatory car analogy by philip.paradis · · Score: 5, Insightful

      Bruce is right. In many environments, information awareness training is an attempt to solve the problem at entirely the wrong end of the failure chain, and is frequently ineffective. It may be difficult to hear for some, but the fact is that such training simply doesn't have a great track record of producing significant overall gains in organizational security, largely owing to the difficulty of mitigating widespread stupidity on the part of human operators. Most companies are not wholly staffed by information security experts, and any perceived near-term security gains following training sessions quickly erode as employees revert to an attitude of "I just want to do X, Y, and Z, and I'm too busy to keep thinking about those scary stories portrayed in last week's training."

      Even military environments suffer from these training challenges. The difference in a military unit is the very real possibility of going to prison for merely mishandling cryptographic material by accident. On the "low" end of the punishment scale, there are more than a few senior enlisted military comms folks out of a job because of such process failures. I served with one such person.

      It's worth noting in closing that you might want to spend a bit of time looking into who Bruce Schneier is before framing him in any additional snarky quote marks. To say this is a man who typically knows what he's talking about is an understatement.

      --
      Write failed: Broken pipe
    6. Re:Obligatory car analogy by mcgrew · · Score: 4, Funny

      What's so fun about driving? That's like saying a Roomba takes the fun out of sweeping the floor.

    7. Re:Obligatory car analogy by dinfinity · · Score: 4, Interesting

      No. TFS is a terrible representation of TFA.

      This is a more fitting excerpt:

      The whole concept of security awareness training demonstrates how the computer industry has failed. We should be designing systems that won't let users choose lousy passwords and don't care what links a user clicks on. We should be designing systems that conform to their folk beliefs of security, rather than forcing them to learn new ones.

      Even though TFA is pretty crappy itself with its myriad of bad analogies, the idea of trying to craft effective simplified 'folksy' models makes sense. My favourite metaphor for internet security is regarding the internet as a square in a foreign city center. It gets the message of what to trust and what not across a lot better than trying to explain Javascript, cross-site scripting, or what an executable is.

      In addition to this approach to raising security awareness, a case is (sort of) made for designing systems to support users in security related decisions in a way consistent with the above. I'd say that a green colored address bar in a browser is an example of how to do it the right way and the blanket statement 'this file may harm your computer' one of how to do it the wrong way.

    8. Re:Obligatory car analogy by LaggedOnUser · · Score: 2

      Have you forgotten about air bags? They are there precisely so that you don't have to remember to use your seat belt...

    9. Re:Obligatory car analogy by Sique · · Score: 2

      But Pontiac was an Ottawa chief and not an Aztec.

      --
      .sig: Sique *sigh*
    10. Re:Obligatory car analogy by hairyfeet · · Score: 5, Interesting

      Sorry, been in PC retail for nearly 25 years and I can tell you training the grunts? NEVER works. Now training the IT staff? Sure, send 'em to Black Hat, pay for security classes, those ARE good investments that will see return, but Sally the secretary, who sees the PC as a magic black box that lets her do her work? Sorry, but it's gonna go in one ear and out the other.

      It would be like trying to teach me how to rebuild cars. I don't like cars, never cared about what model I drove, I just don't give a damn as long as it gets me from A to B, and THAT is how many of your employees see the PC. They don't want to know about the thing, couldn't care less what it's doing as long as they can get their work done and punch out. They have not the slightest interest in PCs, and if you don't have any desire to really learn? Not gonna stick.

      So I have to agree that paying to train the regular staff is just a waste of time and energy. Much better to make sure you have well-trained IT staff that can minimize the risk that your end users will have, because frankly you are just wasting your breath when you try to teach somebody who doesn't care about PCs how to securely use one.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    11. Re:Obligatory car analogy by JustOK · · Score: 2

      Only if the blinkers were on.

      --
      rewriting history since 2109
    12. Re:Obligatory car analogy by PopeRatzo · · Score: 3, Insightful

      Employee awareness training is inexpensive and I bet "Security guru Bruce Schneier" will provide training to your developers that is not inexpensive.

      Training only goes so far. Even the best-trained user will make a mistake.

      "Oh, I didn't mean to click that".

      --
      You are welcome on my lawn.
    13. Re:Obligatory car analogy by Idarubicin · · Score: 5, Insightful
      You really, really, really don't know who Bruce Schneier is, do you?

      Moreover, you really couldn't even be bothered to do a simple Google search before you shot your mouth off, could you?

      In a way, you're actually making Schneier's point. Posting a snarky Slashdot comment is easy and instantly gratifying; doing the least bit of research is a little bit harder and doesn't pay off immediately -- so you can see which happens more often.

      --
      ~Idarubicin
    14. Re:Obligatory car analogy by philip.paradis · · Score: 4, Insightful

      This isn't merely a problem of specialization limiting perception. You're expecting average users to consistently conduct themselves in a manner they're demonstrably incapable of, at least the majority of them. Terminating the employment of those who fall victim to attacks through their own inaction or outright carelessness isn't a long term solution either, as it merely results in churn and a significantly higher bar in terms of what sort of person may be employed at a company. Money is limited, and organizations have to make decisions on the most effective ways to spend that capital with an aim to improving overall organizational security. That money is best spent on incrementally improved and frequently reevaluated security infrastructure and processes that inhibit improper access or information disclosure without overt reliance on human operators to make correct choices in terms of security posture, because those operators will often fail.

      I've spent years dealing with problems in this area, and I strongly dislike the reality of the situation. Unfortunately, my disliking it doesn't make it less true.

      --
      Write failed: Broken pipe
    15. Re:Obligatory car analogy by Idarubicin · · Score: 3, Insightful

      It demonstrates that the car industry has failed.

      I would say that the car industry had failed if listening to the wrong radio station - tuning 92.3 instead of 92.5, say - allowed a malicious broadcaster to arbitrarily incinerate the contents of my trunk or assume remote control of my vehicle.

      --
      ~Idarubicin
    16. Re:Obligatory car analogy by delt0r · · Score: 2

      Don't worry, these things will be fixed with driverless cars.

      --
      If information wants to be free, why does my internet connection cost so much?
    17. Re:Obligatory car analogy by dywolf · · Score: 2

      Anyone who knows anything about computers and has ever been forced to take the DOD IA Awareness Training online course thing (it's Shockwave Flash!! *shudder*) knows just what a joke and waste of time it is.

      --
      The guy who said the election was rigged won the presidency with the second-most votes.
    18. Re:Obligatory car analogy by JDG1980 · · Score: 4, Insightful

      And, compared to the cost of cleaning up an incident, it's STILL infinitesimally small.

      All it takes is one single employee to ignore or disregard the training, and you'll still be paying that cleanup cost. That's Bruce Schneier's point: it's a structural problem, not one that can be fixed by placing more burdens on end users.

    19. Re:Obligatory car analogy by xenobyte · · Score: 2

      Training only goes so far. Even the best-trained user will make a mistake.

      "Oh, I didn't mean to click that".

      It will happen - but it doesn't have to. There are three factors at play here: the training, the setup and the users themselves. The right kind of user doesn't need training as such, just some basics on a piece of paper (or a similar electronic analogy).

      I will use myself as an example.

      I have been in IT since before the first virus or worm. I have been exchanging emails for several decades. I've pirated PC-games and downloaded cracks and keygens. I've used (among others) Windows since version 3.11 daily. I websurf for several hours each day, often venturing deep into black hat territory, but I have never ever been infected with anything. A good firewall, proper updated anti-virus and consistent patching, a real browser (= not MSIE) plus obligatory use of NoScript and AdBlock, have kept my machines clean over the years. It's really not that hard.

      I'd venture to say that some users are just too naive or dumb to be allowed on the Internet. I've seen countless installations where dozens of toolbars take up 90% of the available browser space and yet the user still installs more when some stupid ad or 'free'ware program offers it. The user simply believes everything on the screen and thinks every offer is a gift. Such users are completely impossible to train, no matter what. And they are abundant out there.

      Most users are not quite that stupid; most have some common sense (which isn't exactly common) but will still fall for some tricks. These users cannot be trained either but should be restricted in what they can do. Trojans that open a reverse shell or similar are very common and they rely on these users to be tricked into installing the trojan. These users often sit behind firewalls that usually will protect them against connections from the outside, but not from other machines on the local network and not against evil stuff on their machines connecting outwards. So one wrong click and the hacker owns the LAN and soon all the machines on it.

      So picking the right kind of people and having a secure setup will go a long way. And this kind of user rarely needs long, expensive training; they just need to be informed and then they'll do the right thing. Even if they do make a mistake it won't matter much - maybe a workstation needs re-installing at worst, and that can be a simple thing, provided the setup is right and proper backups exist.

      --
      "For every complex problem, there is a solution that is simple, neat, and wrong." -- H.L. Mencken (1880-1956) --
    20. Re:Obligatory car analogy by Opportunist · · Score: 5, Insightful

      Lazy bums aside, employees are most concerned with getting their work done. Security is usually one of the things that gets in the way of this. I'm often appalled by the way quite a few companies handle security (I tend to see more than my fair share being a security consultant), it often seems they have some CISO who needs to build a monument for himself, showing off how much he works by making sure EVERYONE knows about it by the sheer number of hoops that they have to jump through. That's how you get amazingly stupid setups for passwords like "at least 12 characters, no 3 characters of the alphabet in consecutive order, at least 2 numbers not at start or end and not next to each other with at least 2 special characters ....yaddayadda".

      If you see anything like this, start flipping keyboards and count the ones that contain post-it notes with the passwords du jour (because of course they need to change every other nanosecond, too).

      This has nothing to do with security, people, this is what I dubbed "Monkey Island Security". You remember Monkey Island? Where Guybrush gets jailed by those cannibals and they start putting up more and more elaborate doors every time you escape through the wall? That's what some do in IT security, we get more and more elaborate and time consuming hoops our employees get to jump through while those that want to bypass security can easily ignore that because the problem lies elsewhere.

      NO, and I mean ZERO, security breaches that I have been aware of in the last two decades can be traced to password guessing. It is amazing, though, how more and more breaches that can be blamed on personnel blunders can eventually be traced to them trying to cope (yes, cope) with security. Post-its containing passwords. Security measures unhinged or bypassed by employees because they actually kept them from doing their work. And so on, so forth.

      Security does NOT mean annoying your employees. Perfect security would actually be nearly invisible to your employees. Because that would also include them not being part of the security system, hence, not being able to fuck it up!

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    21. Re:Obligatory car analogy by Opportunist · · Score: 2

      When I was responsible for application development security a while ago, one of the first things I made sure of was that our users knew that I would not be pissed at them but HAPPY if they manage to fuck the system up somehow. Because they should not be able to, them being able to fuck it up accidentally meant that someone could fuck it up deliberately at least as easily.

      Never blame the user for fucking something up. It is not his job to use your tool correctly, it is your job to create a tool he cannot use incorrectly.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    22. Re:Obligatory car analogy by jewens · · Score: 2
      That's a great idea for an app. Got a few wrinkles in your suit and have that big meeting in 15 minutes. Just download the iRon app to your phone, max out your processor for a few minutes and get to it.

      PS: Sorry, I know your original idea was for an Android, but the "iRon" joke works better on Apple. Maybe someone in the FOSS community can whip up an open source version for you.

      --
      That group of bovine standing over there appears quite portentous. That's right it's an ominous cow herd.
  2. Well, duh.. by Anonymous Coward · · Score: 2, Insightful

    Users can screw up because they are just as human as you. So live with it. Design around it. Make it safe regardless.

    I've only been saying that since, mwah, 1999 or so.

    Policies are OK, but rules that assume perfect compliance to work are really only there to cloak the failure of engineering in some fault tolerance in system architecture and user UI design. Glad someone finally caught on..

    1. Re:Well, duh.. by ATMAvatar · · Score: 4, Insightful

      They don't intentionally do so, sure. However, most software designers are not trained to develop secure software, are not paid to develop secure software, and in fact, would probably get a heated talking-to by management if they spent the extra time to make their software secure without explicit instructions to do so.

      --
      "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
  3. Obligatory quote by Krneki · · Score: 4, Insightful

    A common mistake that people make when trying to design something completely foolproof was to underestimate the ingenuity of complete fools.

    --
    Love many, trust a few, do harm to none.
    1. Re:Obligatory quote by gblackwo · · Score: 2

      -Douglas Adams (And I do not believe the original quote was past tense)

    2. Re:Obligatory quote by mianne · · Score: 2

      Yes, but many corporate networks *still* require a user to enter a password containing alpha, numeral, and special characters, and have the passwords expire after 2-3 months. Eventually, the users get the beat down by the boss or IT about writing it on a post-it stuck on their monitor. IT therefore has successfully trained most users to write down passwords in a notebook or a desk calendar. Indeed! The users have grokked the corporate mantra toward information security: Security through Obscurity.

      --
      Javascript, cookies, flash, and ActiveX must be enabled in order to view this sig.
  4. Invalid comparison by Aethedor · · Score: 5, Insightful

    He's comparing security with health and driving to 'prove his point'. Security is not the same as health or driving. So, any conclusion from making a comparison is a false one.

    Second, you don't have to choose between completely ignoring security awareness training and spending lots and lots of money and time on it. There is a very good choice somewhere in between. I agree with him that the information systems have to be secure and shouldn't offer dangerous actions, but no matter how secure you make your information system, it will all fail if the user has no clue about what he or she is doing. And giving employees a basic level of security awareness doesn't have to cost a lot of money but will still help you prevent a lot of trouble.

    --
    It doesn't have to be like this. All we need to do is make sure we keep talking.
  5. I totally agree with Bruce here by tlambert · · Score: 2

    I totally agree with Bruce here

    We should be designing systems that won't let users choose lousy passwords

    It reduces the search space I have to look at in order to brute force things, and that's a good thing...

    1. Re:I totally agree with Bruce here by iapetus · · Score: 3, Insightful

      Sorry, but your approach is inefficient. Since the system now requires users to choose passwords that aren't memorable (and probably to change them regularly as well) a large number of them will have them written down on post-it notes stuck to their monitors. That reduces the search space even more. :D

      --
      ++ Say to Elrond "Hello.".
      Elrond says "No.". Elrond gives you some lunch.
    2. Re:I totally agree with Bruce here by Loki_666 · · Score: 4, Insightful

      Damn my lack of mod points today. +1

      Force users to choose complex passwords and they write them down, or learn what the minimum requirement is and create something stupidly simple anyway. Or they constantly forget their complex passwords and are bugging the admins to reset their passwords every 5 mins. The final variant is they use the same complex password for all systems. So, it's fairly secure from brute force or random guessing, but once a hacker has one password, he has them all... one password to rule them all etc.

      I've used systems with ridiculous requirements where I've not been able to remember 1 hour later what the hell I used. Something like requiring at least one capital, one number, one punctuation mark, no more than 2 consecutive characters, and no less than 12 characters. I ended up with something like this: Aabbaabbaabb1!

    3. Re:I totally agree with Bruce here by delt0r · · Score: 3, Insightful

      And for many people this is more secure. Instead of any script kiddie with a laptop breaking into your email account from anywhere in the world, they have to break into your office first. For 99.99% of us this is not a credible threat.

      --
      If information wants to be free, why does my internet connection cost so much?
    4. Re:I totally agree with Bruce here by CCarrot · · Score: 2

      This is typically sufficient.

      Create a random, nonsense but memorable phrase composed of *gasp* dictionary words, pepper a couple of punctuation marks if you like (is a space considered punctuation for password verification? IDK) and vary the capitalization if that's one of the requirements for password verification. e.g., "correct, horse...battery staPLE!" I'm sure as you read that, the associated verbal emphasis is resounding in your cranium, making it easy to remember where the punctuation and capitals go, while making it very difficult for an attacker to brute force even with a dictionary attack.

      Trouble is, there are too many crap password verification systems that either don't allow spaces, or don't allow passwords longer than, say, 12 characters. If you are artificially restricted to such a ridiculous degree, then it becomes incredibly hard to fashion a password that is both easy to remember, but hard for others to guess. In that case I will keep in mind your method, it may come in handy, thanks!

      --
      "I love animals! Some are cute, others are tasty, what's not to like?" - Betsy Schroeder, Jeopardy contestant
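
Taking the two passwords quoted in this thread as inputs, here is an added example (my own code, not anything from the thread, from Schneier's post or from any product) of what "a system that won't let users choose lousy passwords" can check instead of composition rules: a minimum length with a high cap so passphrases with spaces fit, a lookup of the normalised password against a breached-password list (the list here is a small constructed stand-in), and a test for the repeated short blocks people type to satisfy a "no three consecutive characters" rule. Loki_666's Aabbaabbaabb1! satisfies the composition rules and fails the real checks; CCarrot's passphrase does the reverse. Function and constant names are mine.

```python
import re
from typing import List

MIN_LEN = 12   # the minimum length the policy in the thread also imposes
MAX_LEN = 128  # never cap at 12: long passphrases with spaces must be allowed

# Constructed stand-in for a breached-password corpus, stored in normalised form.
# A real deployment would query a full list (e.g. a k-anonymity lookup service).
BLOCKLIST = {"password", "qwerty", "letmein", "welcome", "iloveyou", "monkey", "dragon"}

# Common letter/digit swaps, so that "P@ssw0rd" normalises to "password".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "0": "o",
                      "$": "s", "5": "s", "7": "t"})


def passes_composition_rules(pw: str) -> bool:
    """The policy Loki_666 describes: at least 12 characters, an upper-case
    letter, a digit, a punctuation mark and no run of three identical characters."""
    return (
        len(pw) >= MIN_LEN
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[0-9]", pw) is not None
        and re.search(r"[^A-Za-z0-9\s]", pw) is not None
        and re.search(r"(.)\1\1", pw) is None
    )


def normalise(pw: str) -> str:
    """Lower-case, drop the trailing digits/punctuation people bolt on to satisfy
    a rule, undo leet-speak swaps, then keep letters and digits only."""
    core = re.sub(r"[^a-z]+$", "", pw.lower())
    core = core.translate(LEET)
    return re.sub(r"[^a-z0-9]", "", core)


def weak_reasons(pw: str) -> List[str]:
    """Return the reasons a password is rejected (an empty list means accepted)."""
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append("too short")
    if len(pw) > MAX_LEN:
        reasons.append("too long")
    if normalise(pw) in BLOCKLIST:
        reasons.append("in breached-password list")
    low = pw.lower()
    # A block of two or more characters repeated three or more times, e.g. "aabbaabbaabb".
    if re.search(r"(.{2,})\1{2,}", low):
        reasons.append("repeated block")
    if len(set(low)) < 6:
        reasons.append("too few distinct characters")
    return reasons


def acceptable(pw: str) -> bool:
    return not weak_reasons(pw)


if __name__ == "__main__":
    for pw in ("Aabbaabbaabb1!", "Password123!", "correct, horse...battery staPLE!"):
        verdict = "pass" if passes_composition_rules(pw) else "fail"
        print(f"{pw!r}: composition rules {verdict}, rejected for {weak_reasons(pw) or 'nothing'}")
```

The point of the contrast is that "Password123!" passes every composition rule and is still one of the first things a cracker tries, while a 32-character passphrase with spaces fails the rules and is the stronger secret; a system that rejects the former and accepts the latter does the user's thinking for them, which is what the thread is asking for.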
  6. Tick the box exercise for auditors by Anonymous Coward · · Score: 5, Insightful

    Security Awareness training is a tick the box exercise most companies do to get auditors off their back.

    Apparently, users are supposed to be "trained to recognise phishing emails and other Internet frauds". IT has enough trouble these days trying to recognise them, and somehow our ordinary users are supposed to recognise them too?

    Users have to be "trained to pick good passwords". This should be system designed to prevent users from picking bad passwords in the first place.

    Users should be advised to "pick strong passwords and change them regularly". Two contradictory statements, no-one can remember a new complex password that changes regularly unless they write it down. Oh, users should be told "not to write down passwords".

    Awareness training is pushed because there are a number of so-called "security consultants" who have no real technical skills, yet have made a living pushing this snake oil. They unfortunately are also good self-promoters and have the ear of regulators and auditors.

    If you are relying on security awareness to protect your infrastructure, you're screwed. Most users don't care, and even those who do care cannot possibly be expected to remain aware of the myriad of threats that exist. Often, their attempts to remain secure achieve the opposite purpose ("I heard you tell me email was insecure, so I use dropbox now to transmit files to customers").

    What galls me most is I have to spend part of my IT budget this year spending money on this stupid notion because it is expected by auditors. This means I have to cut back on the security projects that make a real difference.

    1. Re:Tick the box exercise for auditors by rbrightwell · · Score: 2

      You said: Users should be advised to "pick strong passwords and change them regularly". Two contradictory statements, no-one can remember a new complex password that changes regularly unless they write it down. I di$agr33WithY0uWh0leH3art3dly&&.

    2. Re:Tick the box exercise for auditors by bickerdyke · · Score: 2

      Apparently, users are supposed to be "trained to recognise phishing emails and other Internet frauds". IT has enough trouble these days trying to recognise them, and somehow our ordinary users are supposed to recognise them too?

      That's because your users should have the one thing that the best malware filter/firewall/virus scanner hasn't: Common sense!

      --
      bickerdyke
    3. Re:Tick the box exercise for auditors by Annirak · · Score: 4, Insightful

      Yes, I do. The problem is that passwords are fundamentally broken. They are broken in several ways.

      1) The password must be hard to guess. This, generally, makes it hard to remember.
      2) Many implementations restrict the number of characters that I can use for a password. This is downright stupid, as it prevents xkcd/936 compliance.
      3) Every service which uses a password must have a different password to prevent password reuse attacks. This exacerbates 1).
      4) I need a way to recover the password if I lose it. This exposes a secondary attack vector on my password.
      5) There needs to be a guarantee that the password will never be transmitted or stored unencrypted.

      OAuth fixes 3) and mitigates 5) and 2).
      Two-factor authentication fixes 1): guessing my password can be easy provided that attacks on my service provider are slow and that I can report my token lost/stolen in time several orders of magnitude lower than the time required to guess the whole solution space.
      Biometrics can be used to mitigate 1) and 4), but they expose additional flaws, such as lack of revocation. If someone ever gets your fingerprint, they have access to all your fingerprint secured data/possessions, unless they are additionally secured by something else.

      Using most OAuth vendors, however, exposes an additional security hole: tracking by the OAuth vendor (see Google, Facebook privacy concerns).

      Ultimately, it seems to me that the solution is probably private OAuth vendors with support for smartphone-based secure keys. The problem is getting service providers, such as banks, to implement OAuth via a username + domain (OAuth vendor) + token approach.

      This should allow users to choose their OAuth vendor, thereby allowing flexibility in the market when a particular OAuth vendor does Bad Things with users' data. This makes the required password complexity minimal. If the engine which processes the token and password were rolled into a secure smartphone application and transmitted to the OAuth vendor via a back-channel, it would also prevent password scraping.
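
Annirak's condition that a guessable second factor is fine "provided that attacks on my service provider are slow" is a property the verifier has to enforce, not something the token gives you for free. As an added example (my own code, not from the thread or from any OAuth vendor), here is a server-side TOTP (RFC 6238, HMAC-SHA1, 30-second step) check with the two controls that make a six-digit code safe: a failure counter that locks the account out so online guessing stays slow, and one-time redemption of each code so a phished or shoulder-surfed code cannot be replayed. The secret is the RFC test-vector secret; the class and parameter names (TotpVerifier, window, max_failures, lockout_seconds) are mine.

```python
import hashlib
import hmac
import struct

# RFC 4226/6238 test-vector secret (ASCII "12345678901234567890"). A real
# deployment generates a random per-user secret and keeps it server-side.
SECRET = b"12345678901234567890"
STEP = 30  # seconds per time step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6, step: int = STEP) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server-side check of a user-supplied code for one account.

    The guess rate is capped by a lockout after max_failures wrong codes, and
    every counter value can be redeemed only once, so a captured code is
    worthless as soon as the legitimate user (or the phisher) has used it."""

    def __init__(self, secret: bytes, digits: int = 6, window: int = 1,
                 max_failures: int = 5, lockout_seconds: int = 300):
        self.secret = secret
        self.digits = digits
        self.window = window            # accept +/- this many steps of clock drift
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = 0
        self.locked_until = 0
        self.last_counter = -1          # highest counter value already redeemed

    def verify(self, code: str, now: int) -> bool:
        if now < self.locked_until:
            return False                # locked out: do not even evaluate the code
        if code.isascii() and code.isdigit() and len(code) == self.digits:
            counter = now // STEP
            for c in range(counter - self.window, counter + self.window + 1):
                if c <= self.last_counter:
                    continue            # already used, or older than one used: no replay
                if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                    self.last_counter = c
                    self.failures = 0
                    return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.failures = 0
            self.locked_until = now + self.lockout_seconds
        return False


if __name__ == "__main__":
    v = TotpVerifier(SECRET)
    code = totp(SECRET, 59)             # "287082", the RFC 6238 vector for T=59
    print("first use:", v.verify(code, 59))    # True
    print("replay:", v.verify(code, 59))       # False
```

With a six-digit code and a lockout after five failures, an attacker who has the password still gets only five guesses in a million per lockout period; that is the "attacks on my service provider are slow" property. Note that the lockout is itself a denial-of-service lever, so production systems usually key it on the source address as well as the account and back it with alerting.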

    4. Re:Tick the box exercise for auditors by PuZZleDucK · · Score: 2

      xkcd/936 compliance

      I hope this terminology catches on to be the next "RFC"

      New improved FooBarX_2... now ISO, POSIX and XKCD compliant.

      --
      Can a person program a new solution to a problem? Why should anyone be able to stop such a thing? -Richard Stallman
  7. Not news by Tom · · Score: 3, Informative

    Nice to hear it from someone with a big name. I'm an IT security specialist, giving talks every now and then, and I've basically been saying the same for years now. It is one of the topics where I face the most fierce opposition, usually from (big surprise) consultants and other people who offer security awareness trainings.

    I've been doing this for so long that I can sum it up in one sentence by now: If security awareness trainings worked, don't you think we would be seeing SOME effect after doing them for 20 years?

    Of course, I am exaggerating a bit to make the point. I do think that training to make users familiar with specific security protocols is useful. I don't think general security awareness is. There is a plethora of reasons why it's a failure, from the context-specific nature of the human mind to the abstract level, but the main reason is that we have enough experience to show that it really is a waste of time and resources. Putting the same amount of money and effort into almost any other security program is going to give you a better ROI.

    --
    Assorted stuff I do sometimes: Lemuria.org
    1. Re:Not news by serviscope_minor · · Score: 4, Insightful

      Nice to hear it from someone with a big name. I'm an IT security specialist, giving talks every now and then, and I've basically been saying the same for years now. It is one of the topics where I face the most fierce opposition, usually from (big surprise) consultants and other people who offer security awareness trainings.

      Of course, I am exaggerating a bit to make the point. I do think that training to make users familiar with specific security protocols is useful. I don't think general security awareness is. There is a plethora of reasons why it's a failure, from the context-specific nature of the human mind to the abstract level, but the main reason is that we have enough experience to show that it really is a waste of time and resources. Putting the same amount of money and effort into almost any other security program is going to give you a better ROI.

      I am honestly surprised by this. I really do not see how you can avoid security awareness training.

      Forcing the users to pick non-lousy passwords is simply not enough if the users will happily respond to an email from email.admin@scamsite.ru (Re: YO'RE ACCOUNT IS SOON EXPiRE!1) with their username, password, SSN, date of birth and random security questions.

      OK, that's a bit of an exaggeration, but users do happily respond to really poor phishing attacks and will tell their password to someone they assume is an email admin because the email comes from an account with admin in the name.

      Security is as much a social problem as a technical one, and you simply cannot ignore the social aspect. And for that people have to have some understanding of basic security protocols: e.g. the admins will never ask for your password.

      In fact, I would go as far as to say that security is very much a social problem. Technology will only get you half way. If your system is not easily hackable from the outside, you have reached the minimum standard. The trouble is that "social engineering" is really easy.

      Even if you switch to 2 factor authentication it won't help enough: if the user believes that an admin has contacted them, then they will do ANYTHING to help that admin and will even follow detailed instructions to bypass as much security as possible. For some reason people being scammed are way better at following instructions than when they're not being scammed.

      As someone else quoted earlier: never underestimate the ingenuity of complete fools.

      --
      SJW n. One who posts facts.
    2. Re:Not news by Tom · · Score: 3, Insightful

      I really do not see how you can avoid security awareness training.

      To use a metaphor from my most recent talk: If you need to write "push" and "pull" on your doors, then they are designed badly. Same for security awareness. Improving the security tools is better than telling people how to safely handle broken tools.

      but users do happily respond to really poor phishing attacks

      Yes, they do.

      And all the security awareness training we've been doing for two decades has made which sustained change, exactly? That is the point. Not that we don't have a security problem, but that security awareness trainings are not a good way to solve it.

      Security is as much a social problem as a technical one, and you simply cannot ignore the social aspect.

      I don't. On the contrary, I believe the security awareness training advocates do. They think that just telling someone solves the problem, when overwhelming evidence to the contrary proves them wrong.

      I believe the solution lies in asking a) why and b) how the users break security protocols and then tackling those issues, instead of telling them "don't do it" and thinking you've solved the problem.

      As someone else quoted earlier: never underestimate the ingenuity of complete fools.

      I believe calling the users dumb and fools and "lusers" and such is a cop-out. It's an easy pseudo-solution to avoid the real problem, which is not so trivial. Redesigning your concepts, protocols, hardware and software to be fail-safe (or idiot-proof, if you want) is hard. Much harder than shoving everyone into a room to listen to a boring lecture, 90% of which they'll have forgotten as soon as they're out the door.

      --
      Assorted stuff I do sometimes: Lemuria.org
    3. Re:Not news by Riceballsan · · Score: 2

      Well, I suppose the real question should be, what tool should be used to protect from the hundreds of weak vectors in a company's users. Requiring stronger passwords, or forcing regular changing etc... increases the likelihood of post-it notes etc... and well, phishing? We are pretty much SoL for that; the only thing I can possibly think of for phishing would be an IT-organized internal phishing test. I.e. the IT officials intentionally permit an account they created, say "companyadmin@gmail.com", to send a mass e-mail to a random person a day. Everyone caught gets pooled into a very boring company meeting (whether they learn anything from the meeting is irrelevant; they will b*ch and moan about what happened to the entire office, creating a huge increase of skepticism throughout). A boring meeting that they have to go to no matter what isn't going to accomplish much, but a boring meeting they could avoid if they don't screw up, that might actually be workable.

  8. Security training is more than systems by Chrisq · · Score: 2

    It's about things like the call-centre operator who gets a call saying "Can I check my balance ... yeah, here are the details... and while you are on, can you tell me my wife's balance too." It's about the shop assistant in a phone shop who has someone asking for a replacement for a phone they just flushed down the toilet - they're desperate, miles from home and have no ID on them, but expect an urgent call from their aunt in hospital so need a replacement on the same account. It's about the middle level IT manager who gets a call from a very annoyed board director who says his password doesn't work and you better reset it now or heads will roll. It's about not lending your access card to a visitor so they can go to the canteen when you are too busy to take a break.

    Security training is very important, but it needn't concentrate on systems.

  9. The worst thing by drolli · · Score: 4, Insightful

    is that many companies are too lazy to even get the most fundamental things right. Why on earth would you not distribute your own CA for your internal web services? Do you really want to train your employees that clicking on the "accept certificate" button is an everyday thing to do? Why don't you manage to get the security settings in a way that "content from an unknown source" is not "content from your own file server"? How the hell should the office assistant know that this is dangerous and theoretically unusual if in everyday work the instruction says to accept it several times per day? Why would you enable macros in office documents for no reason and not sign the document?

    All security training, hints like "be careful when opening attachments from unknown sources", are annihilated if you train your employees every day to do the exact opposite thing, namely constructing workflows and selecting toolsets that require exactly that.

    My 2 cents on this:

    a) If there is a "do not use/do x" in your security education, then something is wrong. The right way is "use/do y"

    b) Construct your standard processes in a way that your users/employees can work securely *AND* efficiently.

    c) If there are new tools and your users demand these, keep an open ear! Note to the management: reserve some budget for it. If users find Dropbox an efficient service, the right way is not to forbid it but to ask yourself why you can't provide any decent file sharing on your own servers.
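    One way to act on the "enable macros ... and not sign the document" point above, as an added example that is not part of the original comment or of any product: a small Python scanner that an IT team could run over a file share to find macro-enabled Office documents and tell signed from unsigned ones, so the "enable content" reflex can be removed from the workflow instead of being trained into users. It works on the OOXML zip container (`.docm`, `.xlsm`, `.pptm`); the part name `vbaProject.bin` is what Office uses for the embedded VBA project, and the part name `vbaProjectSignature.bin` is assumed here to mark a signed project (an assumption, labelled in the code). The sample documents are constructed in memory so the script runs offline.

```python
import io
import zipfile

# Part that Office stores an embedded VBA project under (e.g. word/vbaProject.bin).
VBA_PART_SUFFIX = "vbaProject.bin"
# Part assumed (not verified against a spec here) to hold the VBA project signature.
VBA_SIG_SUFFIX = "vbaProjectSignature.bin"


def inspect_office_document(data: bytes) -> dict:
    """Report whether an OOXML document embeds VBA and whether a signature part exists.

    Anything that is not a zip container (legacy binary .doc/.xls, plain text)
    is reported as non-OOXML so the caller can route it to a different check.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"ooxml": False, "has_macros": False, "signed": False}
    names = zf.namelist()
    has_macros = any(n.endswith(VBA_PART_SUFFIX) for n in names)
    has_sig = any(n.endswith(VBA_SIG_SUFFIX) for n in names)
    # A signature part without a VBA project is meaningless; only count it with macros.
    return {"ooxml": True, "has_macros": has_macros, "signed": has_macros and has_sig}


def classify(data: bytes) -> str:
    """Map the inspection result to a policy bucket an admin can act on."""
    info = inspect_office_document(data)
    if not info["ooxml"]:
        return "not-ooxml"
    if not info["has_macros"]:
        return "no-macros"
    return "signed-macros" if info["signed"] else "unsigned-macros"


def scan_share(documents: dict) -> dict:
    """Classify every document in a {filename: bytes} mapping (a stand-in for a share walk)."""
    return {name: classify(content) for name, content in documents.items()}


def build_sample(parts: dict) -> bytes:
    """Constructed helper: pack the given part names/bodies into a minimal OOXML-style zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed sample "file share": one plain document, one with unsigned macros,
# one with a signature part next to its macros, and one legacy binary file.
SAMPLE_SHARE = {
    "memo.docx": build_sample({"[Content_Types].xml": "<Types/>",
                               "word/document.xml": "<w:document/>"}),
    "report.xlsm": build_sample({"[Content_Types].xml": "<Types/>",
                                 "xl/workbook.xml": "<workbook/>",
                                 "xl/vbaProject.bin": b"\x00constructed"}),
    "tool.docm": build_sample({"[Content_Types].xml": "<Types/>",
                               "word/document.xml": "<w:document/>",
                               "word/vbaProject.bin": b"\x00constructed",
                               "word/vbaProjectSignature.bin": b"\x00constructed"}),
    "old.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1constructed-legacy-file",
}

if __name__ == "__main__":
    for filename, bucket in scan_share(SAMPLE_SHARE).items():
        print(f"{filename}: {bucket}")
```

    Documents that land in the "unsigned-macros" bucket are the ones that force the daily "accept" click; the fix the comment argues for is to sign the ones the business actually needs and then let policy block unsigned macros, rather than teaching staff to click through.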

    1. Re:The worst thing by gnalre · · Score: 2

      James Lyne once said that he changed the standard security certificate dialog to say "by clicking this you kill 1000 kittens".

      No one raised an issue, not even IT.

      Which goes to show how pointless the dialog is and how far it goes in adding security.

      --
      Choose your allies carefully, it is highly unlikely you will be held accountable for the actions of your enemies
  10. Exactly correct by AdmV0rl0n · · Score: 2

    He is correct. User training is largely a waste of time, and both in development, and deployment, the systems are not designed or setup for security. So yes, users clicking a link is not safe, and it should be. Users opening an application and reading data should be safe, but isn't.

    These problems have to be engineered out. They cannot be socially controlled out; the audience has neither the inclination, knowledge nor interest in resolving this. And even after training, once it's established how you've trained your monkeys, a new method will be established that undoes the training.

    The whole industry is still in its infancy. It's building bridges that are made from cardboard, and without any form of certification or regime. This will only be resolved when it becomes apparent that software providers cannot ship things like 'our software cannot be held accountable for anything, have a nice day'. Nobody in the world making bridges gets away with 'if this bridge falls down, we are not accountable'.

    The Adobe and Java scenario is exactly like this. Both are wholly unaccountable, and yet frankly directly responsible for perhaps billions upon billions of dollars of data loss, theft, security breaches, and so on.

    There is no _fundamental_ reason why people should even bother to make their software secure - so they only apply a baseline effort to the task. Until this is addressed, the rinse, shampoo, rinse, shampoo will repeat. And it's actually why the security landscape is degrading. Things like Metasploit may have seemed to help. But fundamentally the white hat hacking and info security folks have ultimately not helped. It's only highlighting how bad things are, putting guns in hands that should not have them, and making things globally worse. The vendors have not changed by very much.

    --
    We're all equal .. Just some of us are less equal than others.
  11. Targeted Ads at their best by JSC · · Score: 3, Funny

    And what do I see just to the right of the lead-in about how Bruce Schneier says security awareness training is a waste of time? An ad for Kevin Mitnick's Security Awareness Training.

    --
    Time's fun when you're having flies. - Kermit the Frog
  12. If we could just..... by danskal · · Score: 2

    This point of view smacks of "if we just worked a bit harder/longer we'll be able to build a perfectly secure system".

    It ain't gonna happen. Not for a system as sprawling as the internet, not for a system with as complex requirements as an operating system.

    The more you know about security, the easier it seems to do what is required to improve security - but you have to have very tight control of platforms to be able to follow through on implementing that security. And tight control prevents innovation. Often, security reduces the usefulness of a product.

    Convincing everyone in the IT world that they need to spend $ on educating developers and implementing security features is an insurmountable task - and even if you manage it, you still won't be done, because the security issues we understand now and have fixes for are only a subset of all security issues. New types of holes will be found continuously.

    Of course, end user training might still be a waste of money - I can't deny that.

  13. Re:You're missing the point by Electricity+Likes+Me · · Score: 2

    Also in computer security, there's a lot of false-flag type attacks going on: in the modern day, something tends not to look obviously unsafe, but winds up being so (browsing the web "safely" shouldn't even be a problem, when you get down to it the browser should be keeping things thoroughly "on the web only").

  14. I was with him until... by ternarybit · · Score: 2
    ...he said this:

    Microsoft has a great rule about system messages that require the user to make a decision. They should be NEAT: necessary, explained, actionable, and tested.

  15. It sounds to me like they are using bad training. by gurps_npc · · Score: 2
    Here is what I consider good training:

    1) Tell people about social hacking/engineering.

    2) Tell people about common tricks like infected flash drives being dropped in parkways, calling and requesting a password, etc. etc.

    3) Warn them that sometime during the year, YOU WILL TRY TO HACK THEM.

    4) Tell them if they fall for the hack, they will not get a bonus that year. (It helps if you actually give out yearly bonuses - even $100 will be fine)

    5) Actually test them two months later.

    6) If they fail the test, send them an email and require that they take your 10 minute class again.

    I have found that if you do this, then people learn. The threat of losing even a $100 bonus a year is more than enough to get people to stop being stupid.

    Note, this will not stop people from downloading things from the internet and/or playing games. But it will stop them from picking up random flash drives and using them - as well as stop them from giving out passwords over the phone.

    --
    excitingthingstodo.blogspot.com