Forwarded from: "Jay Dyson, CISSP" <jdyson (at) jpl.nasa.gov>

[PGP signature likely munged from copy and paste. - WK]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello folks,

I gave a keynote address on this very topic late last year at Penn State's security conference. Regrettably, the attitude among many IT personnel toward user mistakes continues to be demeaning. Conversely, we IT personnel are often seen by users as elitist, condescending jackals. And trust me, we live up to that reputation...especially when we go on record calling our target audience "idiots."

I won't disagree that user misconduct is frustrating. We train them and we push them to keep security in mind in everything they do. Yet for all our efforts, users still fall victim to the allure of easy trappings and innate human curiosity. What's more, as the article illustrates, even we security mavens are not immune to falling for the ruse.

The real problem here lies in prevailing perspectives.

First, we cannot realistically expect the average user to look at the world the way we do. We security types are a different animal. We don't just perceive treachery and deception, we *expect* it.

Second, we've got the completely wrongheaded view of our users. Like it or not, our users are the ones who ensure that we'll have a job tomorrow, yet we treat them as if they were a curse to our existence. In my view, anyone who's helping me keep a roof over my children's heads and food on the table is a valuable ally.

Third, and most importantly, we've got to see our role in not getting through to our users. I personally cannot entertain any absurd notions that my users are idiots when I'm surrounded by Ph.D.s. If there's any fault in the system, it's one equally shared by those of us delivering the message. We've got to become more effective marketers than our adversaries. Our attackers are getting through to our users in ways we have yet to rival.
Odd as it may sound, we've got to develop and adopt strategies in which we can leverage the same common human proclivities that the attackers exploit, only to our own advantage.

...or we can keep doing what we've been doing for the past several decades: look down our collective noses at users, continue to run around in crisis mode, and count the cost of the losses.

From where I stand, it seems hypocritical that we demand our users learn from their mistakes when we have yet to do so ourselves.

Sincerely,

Jay Dyson, CISSP
IT Security Engineer
JPL IT Security Group
NASA Jet Propulsion Laboratory
California Institute of Technology
jdyson_at_private | 818-397-4960

On Thu, 30 Jun 2011, InfoSec News wrote:

> http://www.bloomberg.com/news/2011-06-27/human-errors-fuel-hacking-as-test-shows-nothing-prevents-idiocy.html
>
> By Cliff Edwards, Olga Kharif and Michael Riley
> Bloomberg
> June 27, 2011
>
> The U.S. Department of Homeland Security ran a test this year to see how hard it was for hackers to corrupt workers and gain access to computer systems. Not very, it turned out.
>
> Staff secretly dropped computer discs and USB thumb drives in the parking lots of government buildings and private contractors. Of those who picked them up, 60 percent plugged the devices into office computers, curious to see what they contained. If the drive or CD case had an official logo, 90 percent were installed.
>
> "There's no device known to mankind that will prevent people from being idiots," said Mark Rasch, director of network security and privacy consulting for Falls Church, Virginia-based Computer Sciences Corp. (CSC)
>
> The test showed something computer security experts have long known: Humans are the weak link in the fight to secure networks against sophisticated hackers. The intruders' ability to exploit people's vulnerabilities has tilted the odds in their favor and led to a spurt in cyber crimes.
>
> [...]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (SunOS)

iEYEARECAAYFAk4MiLMACgkQw3XRywctWkxSzgCePcy7VcPjs4k/ScpvSUEoM1jK
0RsAn0l3iiuN+iYlfISYI1Q4EqUPReiE
=E8Q+
-----END PGP SIGNATURE-----

Received on Fri Jul 01 2011 - 05:17:40 PDT