Slashdot Mirror


Ask Slashdot: How Can We Create a Culture of Secure Behavior?

An anonymous reader writes "Despite the high news coverage that large breaches receive, and despite tales told by their friends about losing their laptops for a few days while a malware infection is cleared up, employees generally believe they are immune to security risks. They think those types of things happen to other, less careful people. Training users how to properly create and store strong passwords, and putting measures in place that tell individuals the password they've created is 'weak' can help change behavior. But how do we embed this training in our culture?"

4 of 169 comments

  1. This approach has gone nowhere for years by Anrego · Score: 5, Insightful

    Users are gonna do stupid things when it comes to security. Trying to fix that is a noble goal, but good luck.

    The direction we need to keep going towards is idiot proofing. Assume the user will screw up and mitigate or eliminate the impact.

  2. yeah, lemme see where was that in the requirements by Anonymous Coward · Score: 5, Insightful

    Sure, just what devs need: more users, who never requested a feature in the first place, coming in and demanding that a particular language be used in the implementation because they read an article about how it's 'more secure'.

    Welcome to my nightmare; this rarely works out well.

    And for the inevitable 'why didn't you make it secure in the first place' comment:

    fuck you, fuck you, fuck you and your childish 'I changed my mind, I don't want it fast, I don't want it cheap, I want you to read my mind and know the future and give me something that I can't break because I am a fucking idiot... and I need it tomorrow' attitude that makes everything somebody else's fault.

  3. You can't. by bravecanadian · Score: 5, Insightful

    As long as there is incentive to skip security and get things done.

    i.e. let the nerds in IT worry about security - I'll worry about selling/making/doing and getting my bonus.

    So technically I guess you could do something to foster this sort of secure behaviour but it won't happen because the powers that be don't give a shit.

    So yeah, you can't.

  4. Re:Read what you wrote by mlts · Score: 5, Insightful

    If I had to give five general things a company could do, it would be similar to what the parent stated:

    1: First and foremost... separate and isolate. Finance should be isolated from everything else, with a Citrix or TS server so people working there can browse the web with the browsing well separated from critical assets. If a breach does occur, it will be limited in scope.

    2: Laptop encryption is trivial. BitLocker [1] and the AD infrastructure for recovery is a must-have. Depending on the level of paranoia, AD policy can be set to auto-encrypt USB drives, so a dropped thumb drive doesn't mean a massive data breach. In fact, it would be wise to have BitLocker on all desktops as well, so repurposing of the machines is easy -- just a simple format or clean command in diskpart.exe.

    3: Backups. Often overlooked, but a humble tape drive can mean the difference between a quick restore versus paying some guy out of Russia a lot of BitCoins. Disk arrays != backup because one command (blkdiscard for example) can render all backed up data gone in seconds.

    4: A clear chain of command. This way, someone can't hack a VoIP connection and browbeat some lackey to get some critical access or knowledge about internal networking.

    5: Active pen-testing from a guy running a script on boxes to actual blackhats using everything at their disposal including sending people on site in coveralls and fake badges to get in.

    [1]: Yes, TrueCrypt is a good utility, but this is the enterprise where recoverability is as important as security.
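The BitLocker-plus-AD-recovery point in mlts's comment is the one that is easy to get half right: drives get encrypted, but nobody checks that a recovery password exists and has actually been escrowed to the domain, so the first forgotten PIN becomes a data loss. The script below is an added example, not code from the thread or from any commenter; it assumes an elevated session on a domain-joined Windows machine with the BitLocker PowerShell module, and the function names Get-BitLockerPosture, Assert-RecoveryEscrow and Test-RemovableDrivePolicy are hypothetical. The registry value it reads for the removable-drive policy is taken from the documented "Deny write access to removable drives not protected by BitLocker" GPO and is labelled as an assumption in the code.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Slashdot thread): audit BitLocker state, make sure
# every protected volume has a recovery password, and escrow it to AD DS.
Import-Module BitLocker

function Get-BitLockerPosture {
    # One record per volume: encrypted? protection on? recovery password present?
    Get-BitLockerVolume | ForEach-Object {
        $recovery = $_.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeType       = $_.VolumeType
            VolumeStatus     = $_.VolumeStatus       # FullyEncrypted / FullyDecrypted / ...
            ProtectionStatus = $_.ProtectionStatus   # On / Off
            HasRecoveryPwd   = [bool]$recovery
            RecoveryIds      = @($recovery.KeyProtectorId)
        }
    }
}

function Assert-RecoveryEscrow {
    # For each encrypted volume, add a recovery password if none exists and back it
    # up to the computer object in AD DS. Backup-BitLockerKeyProtector fails when the
    # schema or policy is missing, which is the gap an auditor wants surfaced.
    param([switch]$DryRun)   # -DryRun: report only, change nothing
    foreach ($v in Get-BitLockerPosture) {
        if ($v.VolumeStatus -eq 'FullyDecrypted') {
            Write-Warning "$($v.MountPoint) is not encrypted"
            continue
        }
        if (-not $v.HasRecoveryPwd) {
            Write-Host "$($v.MountPoint): no recovery password, adding one"
            if (-not $DryRun) {
                Add-BitLockerKeyProtector -MountPoint $v.MountPoint -RecoveryPasswordProtector | Out-Null
                # Re-read so the new protector id is known
                $v = Get-BitLockerPosture | Where-Object { $_.MountPoint -eq $v.MountPoint }
            }
        }
        foreach ($id in $v.RecoveryIds) {
            Write-Host "$($v.MountPoint): escrowing recovery protector $id to AD DS"
            if (-not $DryRun) {
                Backup-BitLockerKeyProtector -MountPoint $v.MountPoint -KeyProtectorId $id | Out-Null
            }
        }
    }
}

function Test-RemovableDrivePolicy {
    # Assumption: the 'Deny write access to removable drives not protected by
    # BitLocker' GPO is stored as RDVDenyWriteAccess=1 under the FVE policy key.
    # This is the policy that makes a dropped thumb drive a non-event.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $val = Get-ItemProperty -Path $key -Name RDVDenyWriteAccess -ErrorAction SilentlyContinue
    return ($null -ne $val -and $val.RDVDenyWriteAccess -eq 1)
}

# Usage: review posture, then run without -DryRun once the output looks right.
Get-BitLockerPosture | Format-Table -AutoSize
Assert-RecoveryEscrow -DryRun
"Unencrypted removable drives are read-only: $(Test-RemovableDrivePolicy)"
```

Run it first with -DryRun and compare the escrowed protector ids against the msFVE-RecoveryInformation objects on the computer account; a volume whose recovery id never shows up in AD is the case the "format and repurpose" workflow in point 2 silently depends on.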