The Six Dumbest Ideas in Computer Security

Hungry Man · Jun 18, 2011

This is the part I'd like to point out. I have been saying this forever -- common sense is not a practical security method and developers need to understand this. You can not expect anyone to have learned about computer - if they were going to they would have already.

http://www.ranum.com/security/computer_security/editorials/dumb/

"Penetrate and Patch" can be applied to human beings, as well as software, in the form of user education. On the surface of things, the idea of "Educating Users" seems less than dumb: education is always good. On the other hand, like "Penetrate and Patch" if it was going to work, it would have worked by now. There have been numerous interesting studies that indicate that a significant percentage of users will trade their password for a candy bar, and the Anna Kournikova worm showed us that nearly 1/2 of humanity will click on anything purporting to contain nude pictures of semi-famous females. If "Educating Users" is the strategy you plan to embark upon, you should expect to have to "patch" your users every week. That's dumb.

The real question to ask is not "can we educate our users to be better at security?" it is "why do we need to educate our users at all?" In a sense, this is another special case of "Default Permit" - why are users getting executable attachments at all? Why are users expecting to get E-mails from banks where they don't have accounts? Most of the problems that are addressable through user education are self-correcting over time. As a younger generation of workers moves into the workforce, they will come pre-installed with a healthy skepticism about phishing and social engineering.

Dealing with things like attachments and phishing is another case of "Default Permit" - our favorite dumb idea. After all, if you're letting all of your users get attachments in their E-mail you're "Default Permit"ing anything that gets sent to them. A better idea might be to simply quarantine all attachments as they come into the enterprise, delete all the executables outright, and store the few file types you decide are acceptable on a staging server where users can log in with an SSL-enabled browser (requiring a password will quash a lot of worm propagation mechanisms right away) and pull them down. There are freeware tools like MIMEDefang that can be easily harnessed to strip attachments from incoming E-mails, write them to a per-user directory, and replace the attachment in the E-mail message with a URL to the stripped attachment. Why educate your users how to cope with a problem if you can just drive a stake through the problem's heart?

When I was CEO of a small computer security start-up we didn't have a Windows system administrator. All of the employees who wanted to run Windows had to know how to install it and manage it themselves, or they didn't get hired in the first place. My prediction is that in 10 years users that need education will be out of the high-tech workforce entirely, or will be self-training at home in order to stay competitive in the job market. My guess is that this will extend to knowing not to open weird attachments from strangers.
Click to expand...

Cudni · Jun 18, 2011

On its own it maybe not effective method (not sure if anybody purely depends on it) but coupled with desire to learn and listen, very effective. And if only developers used common sense when developing...

MikeBCda · Jun 18, 2011

With specific regard to email from "other" banks, there is always the possibility that you've experienced ID theft and the culprit has opened a bank (or other) account using your credit rating, and run into problems with that other bank.

But of course since no bank I ever heard of uses emails for such communication, you can pretty well guarantee that any such message is phony and a phishing attempt.

Sully · Jun 18, 2011

I would argue that common sense is the most practical security method. I would argue that till the day I die. I know too many uneducated "noobs" who have a lot of common sense that manage to stay relatively problem free simply because they exercise thier common sense. And on the same token I know quite a few who have a bit of education, but have many problems yearly, because they don't have any common sense at all!

Don't confuse common sense with knowledge or expertise, they are wholly different. Common sense is hard to learn, and usually only taught at the "Univeristy of Hard Knocks". I think what this article is saying is that you can educate users, but if they lack common sense, they lack a lot of the needed abilities to apply the education.

Sul.

wat0114 · Jun 18, 2011

Sully, very nicely put and I agree with you

noone_particular · Jun 18, 2011

Don't confuse common sense with knowledge or expertise, they are wholly different. Common sense is hard to learn, and usually only taught at the "Univeristy of Hard Knocks". I think what this article is saying is that you can educate users, but if they lack common sense, they lack a lot of the needed abilities to apply the education.
Click to expand...

That describes most of the users I encounter. At times, it seems like the more "knowledgeable" people get, the less sense they have. At one time, sense was truly common. Anymore, it's in danger of becoming extinct.

Been sending links to that page around for years. Used to be my signature.

Hungry Man · Jun 18, 2011

The idea of common sense being necessary for security is probably the reason we have so many security issues. Programs should be built to be secure from the start -- the burden of security should never ever lie on the end user.

noone_particular · Jun 18, 2011

That's a lot of the idea behind how I've set my PCs up. Other users won't be asked to make decisions and do not have the ability to install or remove anything, run anything unknown to the system, and can not change any critical settings. That's why I don't mind letting someone else use them when they need to.

Log in or Sign up

The Six Dumbest Ideas in Computer Security

Hungry Man Registered Member

Cudni Global Moderator

MikeBCda Registered Member

Sully Registered Member

wat0114 Guest

noone_particular Registered Member

Hungry Man Registered Member

noone_particular Registered Member

Log in or Sign up

The Six Dumbest Ideas in Computer Security

Hungry Man Registered Member

Cudni Global Moderator

MikeBCda Registered Member

Sully Registered Member

wat0114 Guest

noone_particular Registered Member

Hungry Man Registered Member

noone_particular Registered Member

Useful Searches