Re: [ISN] Human Errors Fuel Hacking as Test Shows Nothing Stops Idiocy

From: InfoSec News <alerts_at_private>
Date: Fri, 1 Jul 2011 05:17:40 -0700 (MST)
Forwarded from: "Jay Dyson, CISSP" <jdyson (at)>

[PGP signature likely munged from copy and paste.  - WK]

Hash: SHA1

Hello folks,

I gave a keynote address on this very topic late last year at Penn State's 
security conference.  Regrettably, the attitude among many IT personnel toward 
user mistakes continues to be demeaning.  Conversely, we IT personnel are often 
seen by users as elitist, condescending jackals.  And trust me, we live up to 
that reputation...especially when we go on record calling our target audience 

I won't disagree that user misconduct is frustrating.  We train them and we 
push them to keep security in mind in everything they do.  Yet for all our 
efforts, users still fall victim to the allure of easy trappings and innate 
human curiosity.  What's more, as the article illustrates, even we security 
mavens are not immune to falling for the ruse.

The real problem here lies in prevailing perspectives.  First, we cannot 
realistically expect the average user to look at the world the way we do. We 
security types are a different animal.  We don't just perceive treachery and 
deception, we *expect* it.  Second, we've got the completely wrongheaded view 
of our users.  Like it or not, our users are the ones who ensure that we'll 
have a job tomorrow, yet we treat them as if they were a curse to our 
existence.  In my view, anyone who's helping me keep a roof over my childrens' 
heads and food on the table is a valuable ally.

Third, and most importantly, we've got to see our role in not getting through 
to our users.  I personally cannot entertain any absurd notions that my users 
are idiots when I'm surrounded by Ph.D's.  If there's any fault in the system, 
it's one equally shared by those of us delivering the message.  We've got to 
become more effective marketers than our adversaries.  Our attackers are 
getting through to our users in ways we have yet to rival.  Odd as it may 
sound, we've got to develop and adopt strategies in which we can leverage the 
same common human proclivities that the attackers exploit, only to our own 

...or we can keep doing what we've been doing for the past several decades: 
look down our collective noses at users, continue to run around in crisis mode, 
and count the cost of the losses.

- From where I stand, it seems hypocritical that we demand our users learn from 
their mistakes when we have yet to do so ourselves.


Jay Dyson, CISSP
IT Security Engineer
JPL IT Security Group
NASA Jet Propulsion Laboratory
California Institute of Technology
jdyson_at_private | 818-397-4960

On Thu, 30 Jun 2011, InfoSec News wrote:

     By Cliff Edwards, Olga Kharif and Michael Riley
     June 27, 2011

     The U.S. Department of Homeland Security ran a test this year to see
     how hard it was for hackers to corrupt workers and gain access to
     computer systems. Not very, it turned out.

     Staff secretly dropped computer discs and USB thumb drives in the
     parking lots of government buildings and private contractors. Of
     those who picked them up, 60 percent plugged the devices into office
     computers, curious to see what they contained. If the drive or CD
     case had an official logo, 90 percent were installed.

     “There’s no device known to mankind that will prevent people from being
     idiots,” said Mark Rasch, director of network security and privacy
     consulting for Falls Church, Virginia-based Computer Sciences Corp.

     The test showed something computer security experts have long known:
     Humans are the weak link in the fight to secure networks against
     sophisticated hackers. The intruders’ ability to exploit people’s
     vulnerabilities has tilted the odds in their favor and led to a
     spurt in cyber crimes.


Version: GnuPG v1.4.9 (SunOS)


Tegatai Managed Colocation: Four Provider Blended
Tier-1 Bandwidth, Fortinet Universal Threat Management,
Natural Disaster Avoidance, Always-On Power Delivery
Network, Cisco Switches, SAS 70 Type II Datacenter.
Find peace of mind, Defend your Critical Infrastructure.
Received on Fri Jul 01 2011 - 05:17:40 PDT

This archive was generated by hypermail 2.2.0 : Fri Jul 01 2011 - 05:26:56 PDT