From: pauls at utdallas.edu (Schmehl, Paul L)
Subject: [inbox] Re: CyberInsecurity: The cost of Monopoly

>-----Original Message-----
>From: Chris Cozad [mailto:ccozad@...-aust.com.au] 
>Sent: Tuesday, September 30, 2003 1:10 AM
>To: Schmehl, Paul L
>Cc: 'full-disclosure@...ts.netsys.com'
>Subject: RE: [inbox] Re: [Full-Disclosure] CyberInsecurity: The cost of Monopoly
>
>Do you really think you could convince the average user that they 
>need to know this much about security? I mean, most users see their 
>computers (and the network, servers, phones, faxes, etc...) as a 
>tool to do business with. Nothing else. The computers are there to 
>do a job, or help get a job done, and nothing else. It is not so 
>much that they don't know, it is that they don't need to know.

Vehicles are tools to get a job done - transporting you from one
location to another.  Do you really think people who use vehicles as
transportation will sit through drivers training?  Same argument.  If we
are ever going to get control of this beast we call the network, we
*must* enlist the aid of the users.  You only need look at the recent
explosion of new ways for them to bring your network down to realize
that you *must* get them to cooperate.

Is it too much to ask that users be asked to understand the basics of
good passwords?  Why you don't leave your password on a sticky note on
your screen?  Why you lock your workstation when you get up to get a cup
of coffee?  Why it's a bad idea to open attachments?  What kind of evil
is out there on the Internet?

I'll tell you this.  If you *don't* train your users, you're done for.
Because *now* their home computers are a threat to your network.  They
extend the boundaries and introduce all sorts of new variables.  And you
can't possibly control them all with technology.  Technology is great,
and it can do a lot of things, but it will not solve the "human
problem", now or ever.

>To actually get users to attend this level of training would be 
>fantastic. Our jobs would be so much easier. But it just ain't gonna 
>happen in the real world. It is definitely up to us, as security 
>professionals, to effectively "idiot proof" our systems, so that 
>users only need to know some basic security rules.

We are doing it at UTD right now.  We conduct security awareness
sessions with students, staff and faculty (not all at the same time),
and we provide handouts with a list of dos and don'ts and links to
resources.

If you don't try, you'll never know.  Besides, if you haven't already
figured it out, you *can't* idiot-proof your environment.  Users have
already proven that, haven't they?

Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 
