October 12, 2006 10:00 AM PDT

Security expert: User education is pointless

(continued from previous page)

Gorling found fans and adversaries in the Virus Bulletin crowd. Martin Overton, a U.K.-based security specialist at IBM, agreed with the Swedish doctoral student. Most computer users in business settings just want to focus on work and then go home to spend the money they made, he said.

"It really is a nightmare. User education is a complete waste of time. It is about as much use as nailing jelly to a wall," Overton said. "There is no good trying to teach them what phishing is, what rootkits are, what malware is, etc. They are not interested; they just want to do their job."

Instead, organizations should create simple policies for use of company resources, Overton said. These should include things such as mandatory use of security software and a ban on using computers at work to visit adult Web sites, he said.

IT staffers, on the other hand, do need training. And when they have to come to the rescue of a "click-a-holic" with an infected PC, it's possible under those circumstances that some preventive skills will rub off on the user, Overton said. "A bit like pollination, but without the mess."

Others at the annual conference for antivirus and security professionals advocated user education.

The trick is to know what you're talking about and to bring the information in a format people understand, said Peter Cooper, a support and education specialist at Sophos, a security company based in England.

"It is a long process, but if we admit defeat now we're just going to go to hell in a handbasket," Cooper said. "Education in every area works."

Microsoft has long been an advocate of user education. Matt Braverman, a program manager for the software giant, advocated the use of specific threat examples to inform users, such as samples of malicious software and e-mail messages that contain Trojan horses.

"If we can look at the most successful tactics that the user is likely to fall victim to, you're more likely to get the message through," Braverman said.

Jill Sitherwood, an information security consultant at a large financial institution, has seen education both fail and succeed. "I have to believe it works," she said. "When we give our awareness presentations, what signs to look for, I have seen a spike in the number of incidents reported by our internal users."

But online consumers are a tougher crowd to get through to.

"We have a special page on our Web site to report security incidents. We had to shut the e-mail box because customers didn't read (the page) and submitted general customer service queries," Sitherwood said.

Comments
Giving out passwords
How about the IT departments who don't change the password that comes with the program when it is installed. One place I worked at, it was not uncommon to be able to modem into a site and, when prompted, type the default password and get full admin access. And what about those IT "professionals" who put a file on the end user's computer with the username and password so they can access it when they have to work on that machine. Stupidity is a two-way street.
Posted by oconnmic (26 comments )
Modem? What's dat? =;o)
You say "modem into" a site.. what's that thing you call a modem? =:oD

It's a museum piece, I think. Or close to it. =xoD

(Seriously though, I guess they tend to be used as backup.)
Posted by unigamer69 (75 comments )
Linux - not Windows
I looked for mention of Microsoft Corporation and its monopolistic position in contributing to the breakdown in computer security.

What is needed is a fundamentally secure platform upon which to operate. Or one with fewer than a thousand sieve holes per CPU cycle. Or Linux.

Seems Bill Gates rules our independent thinking here?
Posted by bbaston (1 comment )
Fundamentally secure? That's a non-sequitur.
You get enough lines of code, there'll be plenty of bugs. It's a basic rule of the universe.

It doesn't matter what OS it is - and I'm saying this while using Linux!
Posted by unigamer69 (75 comments )
But Linux has far more holes than Windows
But Linux has far more holes than Windows (see CERT), and takes on average twice as long for critical holes to be patched (see several whitepapers on the subject).

So if everyone used Linux the problem would be far worse....
Posted by richto (715 comments )
once every what?
You do updates once every six months? New updates come out every month.

I've been running this computer on the original installation of Windows for nearly two years. I use AVG antivirus, Windows firewall, automatic updates and Ad-Aware, and that's it. I've had two viruses ever, and one of them was questionable because there was no consensus as to what it really was. I'd love to own a Mac, but I don't believe it would be too much better than what I've got right now.

Also, owning a Mac won't help a user who surfs for porn, downloads "free" screensavers and uses filesharing programs to illegally download both music and movies. Users who engage in such behavior get what they deserve. Companies who do not have strict rules concerning computer usage get what they deserve. If all the PCs in the world suddenly turned into Macs tomorrow it wouldn't help save users from themselves. They'd still be surfing for illegal mp3s, pirated movies and porn (possibly even child porn), they'd still click on email attachments that are questionable, they'd still fall victim to phishing and other scams, they'd still mess around in file folders they shouldn't be messing around in... They'd still have kids buggering up their computers! They would still be buggering them up themselves!

Keep in mind the standard profile of a standard user, regardless of type of computer or operating system. On their own personal PCs they use their computers to gather up huge collections of (mp3s/movies/porn[jpgs and movies]) till the computer crashes, then reinstall the operating system and start all over. These same users go to work, and on the computer they have at work they engage in the same behavior (emailing their mp3s/movies/porn[jpgs and movies] to themselves while taking advantage of the T3 speeds at work), but instead they call IT to fix the computer after they've buggered it up. Hackers simply use this stupid behavior to their own advantage.

But I'm told that better security programs and buying a Mac will fix all of that. Riiiiight!
Posted by mattumanu (581 comments )
So it's alol our fault?
I have read the first 48 responses to this article. Nobody addressed the issue of inexperienced users, except to call us lazy and stupid. Everyone is talking about networks. What about all the small businesses, schools, and individual users? We don't count? Cripes, first you guys create a foreign language for these things and keep adding new words. Then we are supposed to automatically know all there is to know about these systems and all the different security problems and how to fix them. Meanwhile these problems are constantly changing. Is it our fault that Internet Explorer has to shut down often because it has been attacked by malware?

How come some of the most effective web tools are produced open source? Firefox, Opera, Linux, Unix, and hundreds of others which are more secure than the big MS conglomerate tools. Mac builds a more secure machine and operating platform. Almost all of MS patches are conceived and released for free by outside resources before MS admits there is a problem. And now MS is ready to introduce a system that will lock out all current anti-bad-bug tools that have kept the Web & the Windows platforms usable for years.

But we end users are supposed to keep the Web operating by adopting half measures? What a joke!! If it was GM or Ford, you all would demand recalls, up to and including the paint. If a seat belt breaks, they get sued & lose. It is time for the largest monopoly in the world to take responsibility.
Posted by Bob H in NPR (39 comments )
Re: so it's alol our fault?
~~So it's alol our fault?~~

Yeah, it is, Bob H in NPR... How in blue blazin' screens did you manage that?
Posted by mattumanu (581 comments )
Check out NetAlter
A new system is being developed which will be virtually Virus and Spam free. The product is due to ship out in 2007.
Posted by guyfrom2006 (33 comments )
This person is destined for the board of directors
In the degrading comments about end user e-attitudes, security, and e-lifestyles, I feel the comments made were from someone who wants to be king.

The comments only go to promote failure. And you can not condition people into failure...period. Otherwise you will get exactly what you ask for. Failure to properly inform, educate, and encourage safe computing lifestyles (whether it may be at home or work) is reckless.

Where is this individual planning to work, HP?
Posted by Joe Koskovics (18 comments )
Self Preservation
Having read all the previous posts, I have noted that there is a lot of comment centered on the IT department's responsibility for end-user security. I agree that the IT staff IS responsible for network security and maintenance; however, the end-user is also responsible for their own station.

The concept of "You get what you can handle" has been the accepted policy in society for centuries, and it should be no different in the world of computing. Much of the responsibility should fall on the executives in charge of personnel and staffing. Just because you give someone an airplane, does not automatically make them a pilot! If someone continues to crash their plane, they should be afforded an opportunity to learn how to properly handle it. Then, if they continue to crash, it's time to pull their license and ground them.

The idea of "reworking" the internet from the ground up is overly extreme. The world is full of natural barriers and hazards, and mankind has found ways to build bridges over, under, or around them. However there are still those who will choose to leap from these bridges. Unfortunately, in the world of computer networking, they are holding each others hand, and when one goes "over the edge" they can take many others with them.

Basic understanding and education ARE a major requirement. Mommy and Daddy taught us not to step into an open manhole, or walk blindly across a busy street. So it should be with those who are expected to use a computer in their daily workday lives. Learning to use a file browser and passwords are as basic a rule as not chewing gum while giving a presentation, or launching spitballs at the teacher. If they can't follow these simple social rules then they should not be allowed to "play" with the hardware! It's that simple.

In today's society, the "everyone wins and no one loses" concept is not even close to realistic. You are not "entitled" to internet access, or for that matter even a computer at your workstation if you cannot follow the IT rules of the company. Period! If you want to surf the porn sites, IM everyone on the planet, or check your personal e-mail, go home and trash your own computer, NOT the boss's.

I have worked on thousands of systems over the last 20 years and almost every system security breach has been caused by user ignorance, both end user and IT "professional". Not that they were "ignorant" people, in most cases far from it. But because they were placed in a position to use equipment/software they did not fully understand.

As with every field of expertise, there are different levels of experience and ability. No one would expect the guy at the "quick lube" to rebuild the engine in their car, or go to a podiatrist for a heart problem. So it is with computing. Just because someone knows how to set up a computer does not mean they are an IT pro, and vice versa. Executive management tends to base its decisions mainly on financial factors, not qualifications. Maybe it's time the boss was a little better educated before he blames a janitor for crashing his prized network!

fin.
Posted by Wiz Wildstar (15 comments )
Good Article About Stupid User Tricks
Check out this article from e-Security-Planet, regarding a Cisco security behavior survey, entitled "How insecure do you think you are?"
http://www.esecurityplanet.com/trends/article.php/3637806

Cheers!
Mark
Posted by MadMark (7 comments )
Shame on the Virus Bulletin conference for giving this nut the platform
All that I can imagine is that Stefan Gorling is using this controversial stance to make a name for himself - hope he never has to look for a job.
Posted by wshrader (1 comment )
User education is just one of many tools
Unless and until there is complete technology based security, educating users is another necessary tool. Gorling talks mainly about the corporate environment, but what about home users? The operating systems available are not completely secure, there is no defense against phishing except getting users to create links in their browser favorites and never use anything but those links to access websites where they can lose money through a phish. I've been educating users for years and it works...not 100% because some don't get it, some don't want to get it and others are just careless, but for most they try to understand and learn. This rant of Gorling is reminiscent of the Hawthorne effect. Maybe someone needs to give Gorling a lightbulb - after all, he is getting far too much attention, and still doesn't get it.
Posted by howiem (16 comments )
Pointless Indeed
Working as a support technician for more than three years, I believe Gorling is correct. User education yields little or no results at all. I remember a few months ago a user called because "his machine was too slow". When I went to have it checked out, he had installed every possible toolbar, free screensaver and free game ever to exist on the Internet on his PC. Actually that is an exaggeration, but he did have about seven different "search bars" on his IE, and had screensavers for most of the major holidays. After I cleaned his PC and told him why I had to erase all his "nice" screensavers, he said he understood, but a few weeks later the toolbars were back! Any word from the IT department restricting resources or access to sites is viewed as "the lazy IT people not wanting to do their job".

By the way, restricting file types doesn't work either. At our company, sending .doc files was prohibited, but just rename them as .txt and they go through. Also works for IMs. So much for Windows security.
Posted by Sentinel (168 comments )
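The rename bypass described in the post above is a property of any filter that looks only at the file name. As an added example that is not part of the original thread or CNET's text, the block below puts the name-only rule beside a content-based check that classifies the attachment by its leading bytes, so a .doc renamed to .txt is still recognised as an OLE2 container. The signature bytes are the well-known published values; the blocked-types policy and the sample attachments are assumptions constructed here.

```python
# Added example: extension-only filtering versus content sniffing.
# Not code from the article or the commenters. The policy and the sample
# attachments are constructed for illustration.

# Leading bytes ("magic numbers") of a few formats worth recognising.
SIGNATURES = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",  # legacy .doc/.xls/.ppt container
    b"PK\x03\x04": "zip",                          # .docx/.xlsx, .jar, plain .zip
    b"MZ": "pe",                                   # Windows .exe/.dll/.scr
    b"\x7fELF": "elf",
    b"%PDF": "pdf",
}

# Assumed policy: the comment's ban on Word documents, plus executables.
BLOCKED_EXTENSIONS = {".doc", ".exe"}
BLOCKED_TYPES = {"ole2", "pe"}


def extension_of(filename: str) -> str:
    dot = filename.rfind(".")
    return filename[dot:].lower() if dot != -1 else ""


def extension_allowed(filename: str) -> bool:
    """The name-only rule: bypassed by renaming report.doc to report.txt."""
    return extension_of(filename) not in BLOCKED_EXTENSIONS


def sniff_type(data: bytes) -> str:
    """Classify by content, ignoring the name entirely."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    head = data[:512]
    # Crude text test: only printable ASCII and common whitespace in the head.
    if head and all(b in b"\t\n\r" or 0x20 <= b < 0x7F for b in head):
        return "text"
    return "unknown"


def content_allowed(filename: str, data: bytes) -> tuple[bool, str]:
    """Name-independent rule; also flags a claimed .txt whose bytes are not text."""
    kind = sniff_type(data)
    if kind in BLOCKED_TYPES:
        return False, f"{filename}: content is {kind}, blocked regardless of name"
    if extension_of(filename) == ".txt" and kind != "text":
        return False, f"{filename}: claims .txt but content is {kind}"
    return True, f"{filename}: {kind}, allowed"


# Constructed sample attachments (not real files).
OLE2_HEADER = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
SAMPLES = {
    "notes.txt": b"Meeting notes for Monday.\n",
    "report.txt": OLE2_HEADER,                    # a .doc renamed to .txt
    "holiday.scr": b"MZ\x90\x00" + b"\x00" * 60,  # an executable screensaver
    "invoice.pdf": b"%PDF-1.4\n1 0 obj\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        by_name = "allow" if extension_allowed(name) else "block"
        ok, why = content_allowed(name, blob)
        by_content = "allow" if ok else "block"
        print(f"name-only: {by_name:5}  content: {by_content:5}  {why}")
```

Running it shows report.txt and holiday.scr passing the name-only rule and failing the content check. Sniffing the header defeats the casual rename, not a determined sender: the same document inside a zip or an encrypted archive would need the container opened or the archive blocked outright.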
Computer security is just as important as physical security
And depends just as much on employees carrying out proper practice as it does on security personnel.

Trust me, no matter how good a company's security guards are, they're near powerless to stop an employee from spilling the beans on their company's latest product, if the employees themselves aren't trying to guard that stuff.

While it is up to the site security division to fit the locks, and write the procedures, it's up to the employees to lock the doors and keep their mouths shut.

Harry Voyager
Posted by H Voyager (39 comments )
Internet License Required
You are required to have a valid driver's license prior to driving a car.

The SAME should be done for internet driving (errr... browsing).

If you want to access the internet... you must have a minimum skill level.

No need in lowering the bar to meet the weakest link...

Raise the bar and make it a requirement to learn how to properly/safely access the internet or else deny the ability to access the internet.

It would solve the zombie problem. It would shore up our weakest link. It would make people responsible for what they do on the internet.

Nothing bad about that at all.

Much better than lowering the bar!!!

You cannot protect the obese from eating too much... thus no need in reducing the average per-serving food intake served at all restaurants all over the US to curb obesity!!!

Walt
Posted by wbenton (519 comments )
Education isn't always pointless
Some people are just computer illiterate and no matter how hard you try to teach them they will never learn, but the people who are like that usually don't use computers for more than an occasional web search, or if they have an email they will check that.
But these people are the really old, 50+, or were around during the infancy of the start of the computer age and don't really need it. But for anyone under the age of 40, they should at least be able to know how to keep themselves safe on the internet; education is the key there. But if the stupid companies would just make their protection programs a little simpler, then it would be a lot easier.
Posted by Black_hole (3 comments )
User Education
Sure, if your goal for user education is to get your users to be the primary means of defense for your network; you are wasting your time. However, with a layered approach to protecting your network, you have to include the users. There are advantages and disadvantages to user education, but if implemented correctly (with accurate, attainable goals), user education provides another defense mechanism for your network. However frustrating it may be, it is certainly not a waste of time.
Posted by mooselite (3 comments )
Not Educating Users is Naive
Isn't it a little naive to say that you don't need to educate users? Are you saying that you can, without an exception, prevent unwanted security risks to reach workers? If you do say so, I think that you are overconfident and that could be the beginning of your problem.

http://www.willeitner.org/blog
Posted by kevinwatneways (1 comment )
Virus Alert!!
Virus Report

I know the people who keep up on all the Viruses probably know a lot more about them than I do,
But I got a Virus yesterday, so I wanted to let everyone know How I got it, what it does, and what I did to clean it, and the Companies who are involved with the Virus I received.

I got the Virus on Myspace, someone requested to be my friend, and when I went to their Profile page to check them out to see if I wanted to be their Friend or not, another page auto-loaded on top of their Profile Page, with a Link on it that said Download Myspace Adult Viewer I assumed this was because this particular Girl had Nude Pics of herself or something and this was the way that Myspace regulated adult viewers. WRONG!

I Clicked on the Link and Downloaded the Program which I THOUGHT was some kind of Myspace Adult media player, and after it installed, I realized I just made a terrible mistake. The link I had Clicked on that said Download Myspace Adult Viewer downloaded a Virus into my Computer, which immediately took over my Internet Explorer. I wasn't even USING Internet Explorer for the Internet, I use Firefox, so I thought I was safe, but I forgot that Internet Explorer still exists on your Computer as long as you are using Windows. Regardless of what Browser is your default browser, the Virus will take over Internet Explorer and begin to Launch Internet Explorer and use the Back Door Channels in Internet Explorer to stream you Endless amounts of Pop up ads.

Then it wants you to BUY a particular Software Program called Virus Burster to fix the problem. This leads me to believe that the people at Virus Burster CREATED the Virus (which McAfee could not clean) just to Force you to buy their Program. And if you buy their Program, then they have all of your Credit Card Information, and judging from the way they marketed their product I don't think I want to trust them with my Credit Card Information.

On top of all of this, while you are Busy trying to fight off all the Pop Ups and make sense of what is happening to your Computer, the Hackers have complete access to your Computer through the Back door in Internet Explorer, allowing them to collect information such as Passwords from your Cookies Folder, or Addresses and Phone Numbers from Software Registration Forms stored on your Computer, all of which they can use to either Hack your Sites and Spread their Virus by Posting their Virus on YOUR Myspace Profile, and or, hacking other Sites you have passwords stored for in your Cookies Folder, or Using your Personal Information from Software Registration forms to engage in Identity Theft.

I tried cleaning the Virus by using McAfee. McAfee at first detected the Virus, then said it Cleaned it, but the Virus Self Replicates, and then McAfee doesn't try to clean it anymore. It just forgets about it, or the Virus contains something in it to disable McAfee. I Tried using Ad-Aware Scanner to remove pieces of the Virus, it Cleaned parts of it also, yet the Virus still functioned. Then I went through every single File associated with the Virus in my Registry and tried to Manually Clean it, but even with the related files deleted from my Registry the Virus Still functioned.
I unchecked all my Windows Services to Block the Hackers from Remote Access to my Computer, but the Virus still functioned even though it could not access the Internet. I tried unchecking all the things in my Start up using msconfig one by one to determine what was infected. It appears that the file ctfmon.exe was related in some way to the Virus, and that is how the Virus was unable to be deleted or removed. I am not a Software programmer, so I can't get that specific, I can only tell you the behavior of the Virus and by process of elimination which files I found were associated with the Virus. I can tell you that the Majority of the Files were hidden, so I could not even FIND them on my Computer. But the Virus still functioned so I know it was there. It seems to infect any Toolbars that you have such as Yahoo or Google, to access your Computer.

The Companies Involved with this Virus either by paying these people to Create it, or paying them for Advertising in USE with the Virus are:
Virus Burster.com
Greatdate.com
*****************.com
Mmedia Codecs
Spyware.Cyberlog-X

I Received the Virus from Myspace, and the Following Display Names on Myspace were also found to contain the Virus:
Tessa
Madalynn
Bena
Pearl
Bronwyn

If you know about Viruses or if you are involved in helping Protect people from Viruses, please address this Problem. I would really like to see these people arrested for the aggravation they cause others.

The only way I was able to Clean the Virus was to Delete the Partition, Format my Hard Drive and Completely re-install everything. I want to see these people arrested.

Thank you,

Mark
the_webninja@yahoo.com
Posted by the_webninja (2 comments )
 
