From: WolfgangK at usfk.korea.army.mil (WolfgangK@...k.korea.army.mil)
Subject: Is user education a lost cause?

CLASSIFICATION: UNCLASSIFIED

1.  Security awareness training is an "elusive necessity".  I have seen
policy that says users must have training.  Yet without specifics on who
must provide training or emphasis on resourcing training, it may not occur,
or at best the process is caught in a "do while" loop, infinitely circling
and pointing to someone else better suited for the mission.

2.  One objective of training should be to defeat the social engineers.

    a.  This list frequently discusses new phishing ploys.  Without
awareness, organizational users may find themselves buried within the
following statistics:
    -  Scams up 400% during Christmas season 2003
    -  20 new scams over two-week period
    -  60 million bogus E-mails
    -  5 - 20% take the bait

    b.  Kevin Mitnick and William Simon, in The Art of Deception:
Controlling the Human Element of Security (John Wiley & Sons, ISBN
0-471-23712-4), present the viewpoint that the bad guy may follow the path
of least resistance.

	(1)  Social engineering can provide that path around all defensive
roadblocks that the good guys put in place - defense of computing
environment / system configuration; defense of enclave boundaries /
firewalls, router ACLs; defense of network & infrastructure / encryption;
supporting infrastructure / PKI and IDS.  

	(2)  In noting the plausibility of pulling off social engineering,
the authors reference a quote attributed to Einstein: "Only two things are
infinite, the universe and human stupidity, and I'm not sure about the
former."

3.  Bruce Schneier, as a techie with a maturing appreciation of how
important the human element is to information assurance, wrote in his book
Secrets and Lies: Digital Security in a Networked World (John Wiley, ISBN
0-471-25311-1):
    -  "Security is not a product, it's a process."
    -  Moreover, security is not a technology problem; it's a people and
management problem.
    -  "If you think technology can solve your security problems, then you
don't understand the problems and you don't understand the technology."

4.  Bottom line:  user training is essential if one wants to minimize the
need for desktop support fixing polluted workstations.  However, there is
always a core requiring additional homework.  At a time before Outlook
security patches, after reading my E-mail warning on "I LOVE YOU", my
officemate attempted to open the .VBS attachment.  He complained that it
wasn't doing anything.  It was.  He called desktop support for assistance in
cleaning his workstation.


Karl Wolfgang
Information Systems Security Manager
disclaimer:  on official policies stated or implied
-----Original Message-----
From: Schmehl, Paul L [mailto:pauls@...allas.edu]
Sent: Wednesday, January 21, 2004 7:16 AM
To: full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] Is user education a lost cause?
<snip>
What about changing users?  You don't allow for any of that at all?  I
think it's not only possible but will happen over time.  

I think one of the "security community's" basic responsibilities is to
educate users and to never give up on educating users.  After all, one
of the most important parts of our job is writing policy, is it not?  If
that's true, and yet we don't believe users can be educated, then why is
policy writing so important?  
 
Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
