Is user education necessary for security?

Discussion in 'polls' started by Hungry Man, Oct 11, 2011.


Does computer security necessitate user education?

  1. Yes, definitely

    79 vote(s)
    85.9%
  2. No, definitely not

    4 vote(s)
    4.3%
  3. Possibly in certain situations/ other

    9 vote(s)
    9.8%
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Not planning on engaging in this one but I'm wondering how people feel. I know HIPS are very popular on here.

    Do you believe that users need to be educated for a computer to stay secure?
     
  2. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    Voted Yes, definitely.
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Three way split! haha
     
  4. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    Yes, a simple card with a few tips from the ISP provider would do it, like read emails in txt or do not open unknown files or email attachments and so on. :)
    I got a book from my ISP when I moved from dialup to DSL and it really helped me. I was like: What? Viruses? I want to use the internet, not to study medicine.
     
  5. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    3,524
    Location:
    USA - Back in a real State in time for a real Pres
    I keep on telling people it's a computer not a toaster.

    All I get back are blank & confused looks.
     
  6. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,030
    Location:
    Lloegyr
    Many average users are quite unaware of the security issues today. I've learned a huge amount just participating in these forums. I think that when it comes to user education about security issues, even a little knowledge may not be a dangerous thing.
     
  7. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,434
    Location:
    Europe
    Yes, definitely.
     
  8. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Education = Knowledge. Knowledge = power/freedom/whatever-you-want-to-call-it.

    People who choose not to educate themselves must rely on software tools to keep them secure (presumably).

    When you consider the vast amount of combinations available (hardware, software, personal preference settings), it is amazing software is as effective as it is. No matter though, it is doomed to fail. All software is. Period.

    So, it should be no surprise to people that they develop problems, as there is no guaranteed 100% secure and effective solution.

    Education brings with it the means to make different kinds of decisions. Perhaps it is to layer different tools together, or maybe it is to change how you do things to limit your risks. It might even be knowing enough to clean up some problem so you don't have to pay someone else to fix your machine.

    Is it necessary to learn about security? I would ask this question:

    If I could give you a pill that makes you forget everything you know about computer security, would you take it, and go back to a more blissful time when you just got on the computer and used it?

    Sul.
     
  9. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Yes, definitely. I think back to the day when I first started on a computer and how dumb I was compared to now.
     
  10. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    855
    Most people think that security starts and ends with an antivirus. I think it starts with the user.

    My education was making mistakes, trying every option, breaking things and learning how to fix them, then reading the manual after. After 20+ years of using a computer, I consider myself almost competent.

    People have so much access to information now, almost too much - but don't forget it takes time to learn, as well as a desire.
     
    Last edited: Oct 11, 2011
  11. Yakuman

    Yakuman Registered Member

    Joined:
    Aug 5, 2008
    Posts:
    75
    Depends on situation / security setup, but in most cases it's necessary.

    e.g. HIPS will require more education than locked down PCs like an anti-executable, where if user attempts to launch x program that's not allowed, they can't do anything but click OK if the message is like "cannot run x program".
     
  12. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I say yes. Without knowledge, one must rely on the crutches of security programs. I don't say that as some guru/Jedi Master Yoda/Holier than thou person though, as I too still rely on some security programs. But, think about what some of these programs do. I'm putting on my fire-proof suit for the following statement, but software such as Sandboxie encourages bad security behavior.

    Before anyone lights the tinder under my stake, think about it for more than 10 seconds. If you hand a fully configured Sandboxie over to a kid/teen and tell them that you know of nothing that can harm them while under it...what is going to happen? P2P, surfing to and downloading every streaming site on the net, the porno sites, you name it. Now, think about an Anti-Virus/Anti-spyware application. We rely on both of them to tell us if a file is bad...based on a blacklist. Umm...stupid.

    Let's move on to HIPS, white-listing and anti-executables....they're not only a crutch, most of them cripple the user. I can see the "policy guys" coming at me now, but I invite you to think as well. Do you really need it if you don't download things from unknown sources? "Well, what about social engineering?" I can hear that being said too. Well guess what? Social engineering relies on you..not the malware guru..to work. Why the heck is anyone with any amount of sense at all falling for these phishing emails, these "you must have this codec/download Flash/whatever" pop-ups and all this other crap?

    Do you really think you'll win an iPad if you just take a moment to fill out a survey because a blinking banner ad told you so? You know what you really need? An ad-blocker at best. Why, you'll say? Because that is where a huge percentage of drive-by hijinks originate from. I can not even start to tell you how many people have been absolutely smoked by a bad ad on a website. I would even imagine that that is where many of the Flash attacks have come from as well. PDF exploits you say? So what? Don't open them up in your browser, turn off scripting in your PDF reader, hell, use Adobe Reader X, and pretty much goodbye exploit.

    Java plugin? Okay, sure, it's a problem too, but not if you only use it for your office app (if it needs it) or at least keep your exposure to Java low..yes, you can do it. If you absolutely must indulge in the atrocity that is social networking...get your anti-social engineering skills honed and don't post just anything, and you'll be alright (though you'll be tracked).

    Save yourself time, money and frustration. Learn what to do and not to do..I promise the internet is not going to bite. This message has been brought to you by a rehabbing paranoid.
     
  13. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    855
    Interesting points as always dw426, but without sandboxie, antiexecutables, or HIPS, what is in place to deal with the various exploit kits?

    First step you rely on the security of whoever runs the legitimate site you've visited (unreliable).
    Second rely on the antivirus software's ability to detect JS obfuscation (since normally there's an obfuscated script added to the bottom of the HTML pointing to the exploit kit).
    Third rely on malicious link lists to be up to date.
    Fourth rely on being fully patched to avoid the various exploits being sent (Java, PDF, browser specific, OS specific).
    Fifth rely on the antivirus to catch the malicious payload.

    Actually the stats suggest that the majority of users make it through the last two hurdles unscathed, but 10-20% is still a high figure.
     
  14. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Interesting viewpoint. I would have to agree with much of what you say, to some extent.

    If we look at SBIE for a moment - it can be a crutch. It can be detrimental. One can rely on it to be faithful in keeping things within its confines. And as you allude to, you can stop worrying about things as much. And indeed, that is true, you can stop worrying about things, as SBIE does a great job of what it claims to.

    The problem with a tool like SBIE is that once you use it with a basic understanding, if you don't educate yourself further, your understanding is limited. But that is true of just about everything with a computer. Notepad is pretty basic, but if you read up on it, you will find lots of little tricks to use it in ways that might benefit you. A massive program like Adobe Photoshop is pretty simple to use for basics, but can take a lot of learning to do advanced stuff, but what a difference that can make. AutoCad is even more extreme, taking months or years of study to be able to use it to its real potential.

    The OS is the same way too. Just about anybody can click the start button and play solitaire. The more you learn, the more you can do. Why should the internet and security be any different? You can learn just enough to use Farcebook and Email, but you are only scratching the surface. In the same way with security, you can pay for the Norton or McAfee that came with your new Dell computer, and click "ok" to this and that, but you miss out on what the software is capable of, or more likely, without education, what it is NOT capable of. Not understanding more than the basics doesn't mean you can't use it or that you will get infected because of this. But, IMHO, it does mean that you are very limited in what you can do yourself or the decisions you can make to help matters.

    As I already mentioned, there is no security plan that is 100%, neither software nor hardware. If there were, it would out-sell them all easily. Instead, you have many different approaches, each having a certain set of strengths and weaknesses. I believe educating yourself is the key to achieving "better" security, not how many programs you do or don't use, or how locked down you make your system. Everyone, at some point, must unlock their locked down system. That is where education plays its largest role, when you expose everything for the sake of that new game/program/driver/codec/plugin/etc.

    The internet (aka world wide web) is the absolute worst offender of them all. Nobody can keep up with the exploits, let alone the sites that are exploited. Even focusing on trusted sources (which I do) isn't foolproof. You can stumble along blindly or be well educated, and in the blink of an eye, go somewhere you were not prepared for nor expecting. The difference lies in how much education you have in tackling the situation once it occurs. At least, that is how I look at it.

    Sul.
     
  15. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Both of you are right as well. Even the best among us cannot likely know every single time that there's nothing to be afraid of. Even though my post came across that way, I know I'm not ready to give up every line of defense, even if I'm constantly becoming more and more aware of how to avoid the dangers. I just think that too much emphasis is being put on building up a fort, and not enough on thinking ahead before we click. Malware creators are getting better and better at bypassing everything we throw at them, but the one thing they can never do is think for us, to make us push that OK button, to make us reply to that email.

    I think the security of the net is getting worse not because of them, but because of us. We'd rather let Norton handle our problems, we'd rather let Tzuk wrap us up in a nice warm, safe blanket. We're letting others throw bandages on broken systems instead of speaking up and telling them to create stronger browsers, stronger applications.

    It's no wonder the bad guys are winning, we're letting everyone else do the heavy lifting. No, knowledge can't and won't solve everything. But I believe the net would be a safer place for all, if all would do some work for themselves.
     
  16. cozumel

    cozumel Registered Member

    Joined:
    May 23, 2009
    Posts:
    260
    Location:
    London, UK
    :thumb: :thumb: It's perverse though. It implies that the more security suites and layers, the more lazy one becomes and the more vulnerable to exploit you become through lack of awareness or caution.
     
  17. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    2,825
    Voted yes.
     
  18. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Well, that is a double sided coin. Applications like SBIE are capable of liberating one from things like AV if one desires it. But, not without some learning to go with it. On the other side, as you suggest, they do give us that safety net that means we don't have to learn as much as we otherwise might have to.

    I don't know that they are winning. Actually, I don't think they are in many cases. Perhaps what you are describing is that users who don't take matters into their own hands are losing. I for one know that if I have an issue, like I recently did (as described in this thread https://www.wilderssecurity.com/showthread.php?t=309605), it is due to my own fault primarily. Sure, an exploited site that I had thought to trust is the start of it, but it was me not following my normal procedures that allowed it to happen in the first place. It was also up to me to put a stop to it and correct the issue, which I did, only because I have educated myself about such things. If I knew nothing other than my AV was up to date, how different could the outcome have been?

    Sul.
     
  19. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    I voted yes also. I don't know much compared to some, but what I do know has kept me clean and out of trouble for a long long time now. Education is the key.
     
  20. ziaul

    ziaul Registered Member

    Joined:
    Aug 14, 2007
    Posts:
    239
    Absolutely necessary. :thumb:

    Ziaul
     
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Lots of really well thought out responses.

    Just to toss it out there I answered "No, definitely not."
     
  22. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    i voted yes as well.

    i know people who installed a rogue AV because they did not even know what their own paid-for AV looks like. :blink:
    that's lazy! :D

    personally, the stuff i have learned here at Wilders has allowed me to eventually cut down on the amount of protection i was using.
     
  23. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    855
    I always relied on common sense, but nowadays this is not enough. I felt the rules had changed when even a competent user could be infected just from visiting a popular website that had been compromised. My drive to learn about security was from the threats that weren't the fault of the user.

    For myself I've found Sandboxie liberating, as well as a great aid to learning. Still got a lot to learn.

    I understand the point about the waxing and waning of paranoia - a little bit of knowledge makes one concerned about a threat (e.g. exploit kits), while a lot of knowledge means one can manage the risk and is therefore less worried.
     
  24. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    855
    One could argue that a Windows based network at an office could be so well designed that nothing malicious could run - but security is more than malware.

    Just consider all the information leaks that happen, even just with sending emails to the wrong address. One research team collected a lot of scary information just by setting up domains with similar names to some big organisations.

    Also consider social engineering and spear phishing - education can only reduce the risk of success here, outside of 'need to know' type compartmentalisation.

    The other point is, how often will the competing needs of security in an organisation clash with the requirement for productivity? If things are too complicated, office staff find an alternative way to do their jobs, e.g. send data over an insecure route like Google Docs.
     
  25. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    I'd say that depends on how many infections are present.