Forgot your password?
typodupeerror
Security IT

Schneier: Security Awareness Training 'a Waste of Time' 284

Posted by Soulskill
from the only-trust-users-to-be-users dept.
An anonymous reader writes "Security guru Bruce Schneier contends that money spent on user awareness training could be better spent and that the real failings lie in security design. 'The whole concept of security awareness training demonstrates how the computer industry has failed. We should be designing systems that won't let users choose lousy passwords and don't care what links a user clicks on,' Schneier writes in a blog post on Dark Reading. He says organizations should invest in security training for developers. He goes on, '... computer security is an abstract benefit that gets in the way of enjoying the Internet. Good practices might protect me from a theoretical attack at some time in the future, but they’re a bother right now, and I have more fun things to think about. This is the same trick Facebook uses to get people to give away their privacy. No one reads through new privacy policies; it's much easier to just click "OK" and start chatting with your friends. In short: Security is never salient.'"
This discussion has been archived. No new comments can be posted.

Schneier: Security Awareness Training 'a Waste of Time'

Comments Filter:
  • by qbast (1265706) on Wednesday March 20, 2013 @05:17AM (#43221781)
    It demonstrates that car industry has failed. We should be designing systems that don't need seatbelts and don't care if user decides to slam into a tree at 100km/h. Whole concept of secure driving is just an abstract benefit that gets in the way of enjoying driving.
    • by DMUTPeregrine (612791) on Wednesday March 20, 2013 @06:03AM (#43221915) Journal
      No, he's saying that we should be adding seat belts and anti-lock breaks and eventually self-driving cars to eliminate the need for the user to focus on safety in driving. He's arguing that the safety should be built into the system, and not rely on the judgement of the user. That's the exact opposite of your example.
      • by dinfinity (2300094) on Wednesday March 20, 2013 @07:24AM (#43222225)

        No. TFS is a terrible representation of TFA.

        This is a more fitting excerpt:

        The whole concept of security awareness training demonstrates how the computer industry has failed. We should be designing systems that won't let users choose lousy passwords and don't care what links a user clicks on. We should be designing systems that conform to their folk beliefs of security, rather than forcing them to learn new ones.

        Even though TFA is pretty crappy itself with its myriad of bad analogies, the idea of trying to craft effective simplified 'folksy' models makes sense. My favourite metaphor for internet security is regarding the internet as a square in a foreign city center. It gets the message of what to trust and what not across a lot better than trying to explain Javascript, cross-site scripting, or what an executable is.

        In addition to this approach to raising security awareness, a case is (sort of) made for designing systems to support users in security related decisions in a way consistent with the above. I'd say that a green colored address bar in a browser is an example of how to do it the right way and the blanket statement 'this file may harm your computer' one of how to do it the wrong way.

      • And Schneier isn't asking for companies to stop teaching their drivers to drive safely before the seatbelts, airbags, and automatic cars are ready - he's just outlining that as the better goal than only relying on safe driving.

    • by Anonymous Coward on Wednesday March 20, 2013 @06:20AM (#43221993)

      Driving a car is a far more focused task, with more salient dangers. Even without safety training people understand that driving erratically, or at high speeds can be dangerous. Using a computer or the internet is more like watching TV or reading an article and determining if what you're watching is fact or fiction; it requires judgement and motivation.

      Given that many adults don't have these skills and importantly that the effects of failure extend beyond the individual involved what Schneier is proposing makes sense.
       

    • Here's a better car analogy. You're driving down the street on four bald tires, and a guy driving a truck for a tire shop happens to pull up next to you at a red light. The guy remarks on your crap tires, and now you have two choices. You can listen to him because he probably knows what he's talking about when he tells you you're running a serious risk of dying on the highway when one of those tires fails catastrophically, or irrationally ignore him because you perceive that he's just trying to sell you som

    • Have you forgotten about air bags? They are there precisely so that you don't have to remember to use your seat belt...
    • by milkasing (857326)
      That. Every system can only do so much. Ultimately, even the best designed system depends on having people do the right thing, and accept changes that makes the system more secure
      What use is it if you build a closed environment, with restricted access and rely on two factor authentication, if some CxO gives his RSA token and password to his unvetted summer intern to do some trivial task without supervision?
      Is security awareness training the end all of IT security? Of course not. But frankly, it is a tri
    • In many ways computing today is like not having seatbelts.
      Passwords are just not good for security anymore. Most hacks go around them, or just use someones elses password list and give it a shot. or the person just keeps it fairly visible. Passwords are more like Anti-lock mechanism to your breaks then like seat belts. They will prevent some of the minor problems but not help protect in the case of a major problem, and sometimes cause problems where it didn't need to happen.

      The real issue there is little

    • by invid (163714)

      It demonstrates that car industry has failed. We should be designing systems that don't need seatbelts and don't care if user decides to slam into a tree at 100km/h.

      Considering the close to 2 million deaths per year due to automobiles, you could say the car industry has failed by relying too much on individual training and responsibility. Not that available technology gave them much of a choice. The solution, of course, is to completely take humans out of the equation, which Google is working on.

    • by Idarubicin (579475) <allsquiet@hotmail3.14.com minus pi> on Wednesday March 20, 2013 @09:53AM (#43223223) Journal

      It demonstrates that car industry has failed.

      I would say that the car industry had failed if listening to the wrong radio station - tuning 92.3 instead of 92.5, say - allowed a malicious broadcaster to arbitrarily incinerate the contents of my trunk or assume remote control of my vehicle.

    • by delt0r (999393)
      Don't worry, these things will be fixed with driverless cars.
  • Well, duh.. (Score:2, Insightful)

    by Anonymous Coward

    Users can screw up because they are just as human as you. So live with it. Design around it. Make it safe regardless.

    I've only been saying that since, mwah, 1999 or so.

    Policies are OK, but rules that assume perfect compliance to work are really only there to cloak the failure of engineering in some fault tolerance in system architecture and user UI design. Glad someone finally caught on..

    • Sure, humans can screw up, can't the people engineering make mistakes as well?

      Most software designers don't leave security holes in their software by design, one would hope.

  • Obligatory quote (Score:5, Insightful)

    by Krneki (1192201) on Wednesday March 20, 2013 @05:27AM (#43221815)

    A common mistake that people make when trying to design something completely foolproof was to underestimate the ingenuity of complete fools.

    • by gblackwo (1087063)
      -Douglas Adams (And I do not believe the original quote was past tense)
    • Good old Douglass Adams! What's to stop some idiot who we now force into using a strong password from writing it on a PostIt note and sticking it to a monitor!
      • by mianne (965568)

        Yes, but many corporate networks *still* require a user to enter a password containing alpha, numeral, and special characters, and have the passwords expire after 2-3 months. Eventually, the users get the beat down by the boss or IT about writing it on a post-it stuck on their monitor. IT therefore has successfully trained most users to write down passwords in a notebook or a desk calendar. Indeed! The users have grokked the corporate mantra toward information security: Security through Obscurity.

  • Invalid comparison (Score:5, Insightful)

    by Aethedor (973725) on Wednesday March 20, 2013 @05:33AM (#43221835)

    He's comparing security with health and driving to 'prove his point'. Security is not the same as health or driving. So, any conclusion from making a comparison is a false one.

    Second, you don't have to choose between completely ignoring security awareness training and spending lots and lots of money and time in it. There is a very good choice somewhere in between. I agree with him that the information systems have to be secure and shouldn't offer dangerous actions but no matter how secure you make your information system, it will all fail if the user has no clue about what he or she is doing. And giving empolyees a basis level of security awareness doesn't have to cost a lot of money but will still help you prevent a lot of trouble.

  • by tlambert (566799) on Wednesday March 20, 2013 @05:42AM (#43221859)

    I totally agree with Bruce here

    We should be designing systems that won't let users choose lousy passwords

    It reduces the search space I have to look at in order to brute force things, and that's a good thing...

    • by iapetus (24050) on Wednesday March 20, 2013 @06:22AM (#43221999) Homepage

      Sorry, but your approach is inefficient. Since the system now requires users to choose passwords that aren't memorable (and probably to change them regularly as well) a large number of them will have them written down on post-it notes stuck to their monitors. That reduces the search space even more. :D

      • by Loki_666 (824073) on Wednesday March 20, 2013 @08:07AM (#43222403)

        Damn my lack of mod points today. +1

        Force users to chose complex passwords they write them down or learn what the minimum requirement is and create something stupidly simple anyway. Or they constantly forget their complex passwords and are bugging the admins to reset their passwords every 5 mins. Final variant is they use the same complex password for all systems. So, its fairly secure from brute force or random guessing, but once a hacker has one password, he has them all... one password to rule them all etc.

        I've used systems with ridiculous requirements where i've not been able to remember 1 hour later what the hell i used. Something like requiring at least one capital, one number, one punctuation mark, no more than 2 consecutive characters, and no less than 12 characters. I ended up with something like this: Aabbaabbaabb1!

      • by invid (163714)
        Obligatory xkcd [xkcd.com].
      • by delt0r (999393) on Wednesday March 20, 2013 @10:53AM (#43223903)
        And for many people this is more secure. Instead of any script kiddie with a laptop breaking into your email account from anywhere in the world. They have to break into your office first. For 99.99% of us this is not a credible threat.
        • by iapetus (24050)

          That would be the 99.99% of us whose offices are never cleaned, have no windows, and have rigorous security preventing anyone who isn't cleared from entering the building?

          • by delt0r (999393)
            So in this threat model where they can read stuff off/in your desk, but won't say steal your wallet or computer or whatever? Or read your trash? Also a few cleaners is a *lot* less people than the entire connected internet. Also they are not known for their hacker skills.

            Consider the threat model. Written down passwords are better for many people. Even BS says so. So it must be true.
  • by Anonymous Coward on Wednesday March 20, 2013 @05:45AM (#43221869)

    Security Awareness training is a tick the box exercise most companies do to get auditors off their back.

    Apparently, users are supposed to be "trained to recognise phishing emails and other Internet frauds". IT has enough trouble these days trying to recognise them, and somehow our ordinary users are supposed to recognise them too?

    Users have to be "trained to pick good passwords". This should be system designed to prevent users from picking bad passwords in the first place.

    Users should be advised to "pick strong passwords and change them regularly". Two contradictory statements, no-one can remember a new complex password that changes regularly unless they write it down. Oh, users should be told "not to write down passwords".

    Awareness training is pushed because there are a number of so-called "security consultants" who have no real technical skills, yet have made a living pushing this snakeoil. They unfortunately are also good self-promoters and have the ear of regulators and auditors.

    If you are relying on security awareness to protect your infrastructure, you're screwed. Most users don't care, and even those who do care cannot possibly be expected to remain aware of the myriad of threats that exist. Often, their attempts to remain secure achieve the opposite purpose ("I heard you tell me email was insecure, so I use dropbox now to transmit files to customers").

    What galls me most is I have to spend part of my IT budget this year spending money on this stupid notion because it is expected by auditors. This means I have to cut back on the security projects that make a real difference.

    • You said: Users should be advised to "pick strong passwords and change them regularly". Two contradictory statements, no-one can remember a new complex password that changes regularly unless they write it down. I di$agr33WithY0uWh0leH3art3dly&&.
    • Security engineering and awareness training aren't mutually exclusive: what's needed is a pragmatic balance between the two. Never try to use technology to solve people problems.

      For instance, fraud detection is something people always will have an edge in, thanks to several millennia of social evolutionary pressures. But they won't be infallible, and will be more efficient if technology can filter out the worst distractions. Neither is complete without the other. The question is where we get the most bang

    • by thegarbz (1787294)

      I'm interested to know how you design a system that works around the weakest link in security being the user? Every system that has been envisaged has been design to authorise the user. The attacks on security aren't attacks on security but rather an attack on the common sense of the user to not let others in.

      The only way around this system is to prevent the user from being able to log someone else in, and the typical way that happens is at the incredible inconvenience to the user, i.e. tying his login to t

    • by mcgrew (92797) *

      Oh, users should be told "not to write down passwords".

      I disagree, they should pick a strong password, write it down, and keep it somewhere secure, like their wallet.

      • If it's a password that they use every single day, any user with a brain larger then a goldfish can remember it after a week or two. Those who can't - should probably be working the checkout line at the local grocery store and not handling sensitive data.

        However, this means you should not be requiring them to change the password without good cause. Weekly/Monthly/Quarterly resets are not a good enough reason to force a password reset.

        We give our users the instructions to put the password on a folded s
    • Apparently, users are supposed to be "trained to recognise phishing emails and other Internet frauds". IT has enough trouble these days trying to recognise them, and somehow our ordinary users are supposed to recognise them too?

      That's because your users should have the one thing that the best malware filter/firewall/virus scanner hasn't: Common sense!

  • Not news (Score:4, Informative)

    by Tom (822) on Wednesday March 20, 2013 @05:46AM (#43221873) Homepage Journal

    Nice to hear it from someone with a big name. I'm an IT security specialist, giving talks every now and then, and I've basically been saying the same for years now. It is one of the topic where I face the most fierce opposition, usually from (big surprise) consultants and other people who offer security awareness trainings.

    I've been doing this for so long that I can sum it up in one sentence by now: If security awareness trainings would work, don't you think we would be seing SOME effect after doing them for 20 years?

    Of course, I am exaggerating a bit to make the point. I do think that training to make users familiar with specific security protocols is useful. I don't think general security awareness is. There is a plethora of reasons why it's a failure, from the context-specific nature of the human mind to the abstract level, but the main reason is that we have enough experience to show that it really is a waste of time and resources. Putting the same amount of money and effort into almost any other security program is going to give you a better ROI.

    • by gmack (197796)

      While I agree that the system should do what it can to prevent intrusions and bad passwords, there are some things that users are just going to have to know not to do such as not writing their passwords on a sticky note or replying to some random email with their bank login or social security number.

      • by Tom (822)

        And I believe that even these "simple" seeming user mistakes have underlying root causes.

        For example (because I gave a talk about that, I've done the research) - why do people write down passwords? Could it be, at least in part, because we ask them to remember crap like [|+DU%:,9}v2 -- actual output from an online password generator!

        Nobody who has other hobbies can remember that, much less 20 of those (because we also tell people to not re-use passwords).

        Solution: Write it down.

        Here's how I solved this prob

    • by Bongo (13261)

      Maybe a picture is, user awareness is the very last line of defence. If the terrorist is on the plane and armed, the passengers are the last line. But it was the failure of everything before that point that's to blame. Gee we really should increase passenger awareness of how to spot terrorists -- he has a big beard, no wait he doesn't have a beard, no wait he's dressed ordinary but is reaching into his bag, no wait he's taking off his shoe, no wait he's actually a she and young, etc.

      We all know there are "b

    • Re:Not news (Score:5, Insightful)

      by serviscope_minor (664417) on Wednesday March 20, 2013 @07:52AM (#43222347) Journal

      Nice to hear it from someone with a big name. I'm an IT security specialist, giving talks every now and then, and I've basically been saying the same for years now. It is one of the topic where I face the most fierce opposition, usually from (big surprise) consultants and other people who offer security awareness trainings.

      Of course, I am exaggerating a bit to make the point. I do think that training to make users familiar with specific security protocols is useful. I don't think general security awareness is. There is a plethora of reasons why it's a failure, from the context-specific nature of the human mind to the abstract level, but the main reason is that we have enough experience to show that it really is a waste of time and resources. Putting the same amount of money and effort into almost any other security program is going to give you a better ROI.

      I am honestly surprised by this. I really do not see how you can avoid security awareness training.

      Forcing the users to pick non-lousy passwords is simply not enough if the users will happily repond to an email from email.admin@scamsite.ru (Re: YO'RE ACCOUNT IS SOON EXPiRE!1) with their username, passowrd, SSN, date of birth and random security questions.

      OK, that's a bit of an exaggeration, but users do happily respond to really poor phishing attacks and will tell their password to someone they assume is an email admin because the email comes from an account with admin in the name.

      Security is as much as a social problem as a technical one, and you simply cannot ignore the social aspect. And for that people have to have some understandings of basic security protocols: e.g. the admins will never ask for your password.

      In fact, I would go as far as to say that security is very much a social problem. Technology will only get you half way. If your system is not easily hackable from the outside, you have reached the minimum standard. The trouble is that "social engineering" is really easy.

      Even if you switch to 2 factor authentication it won't help enough: if the user believes that an admin has contacted them, then they will do ANYTHING to help that admin and will even follow detaile dinstructions to bypass as much security as possible. For some reason people being scammed are way better at following instructions than when they're not being scammed.

      As someone else quoted earlier: never underestimeate the ingenuity of complete fools.

      • Re:Not news (Score:4, Insightful)

        by Tom (822) on Wednesday March 20, 2013 @09:22AM (#43222951) Homepage Journal

        I really do not see how you can avoid security awareness training.

        To use a metaphor from my most recent talk: If you need to write "push" and "pull" on your doors, then they are designed badly. Same for security awareness. Improving the security tools is better than telling people how to safely handle broken tools.

        but users do happily respond to really poor phishing attacks

        Yes, they do.

        And all the security awareness training we've been doing for two decades has made which sustained change, exactly? That is the point. Not that we don't have a security problem, but that security awareness trainings are not a good way to solve them.

        Security is as much as a social problem as a technical one, and you simply cannot ignore the social aspect.

        I don't. On the contrary, I believe the security awareness training advocates do. They think that just telling someone solves the problem, when overwhelming evidence to the contrary proves them wrong.

        I believe the solution lies in asking a) why and b) how the users break security protocols and then tackling those issues, instead of telling them "don't do it" and thinking you've solved the problem.

        As someone else quoted earlier: never underestimeate the ingenuity of complete fools.

        I believe calling the users dumb and fools and "lusers" and such is a cop-out. It's an easy pseudo-solution to avoid the real problem, which is not so trivial. Redesigning your concepts, protocols, hardware and software to be fail-safe (or idiot-proof, if you want) is hard. Much harder than shoving everyone into a room to listen to a boring lecture, 90% of which they'll have forgotten as soon as they're out the door.

        • well I suppose the real question should be, what tool should be used to protect from the hundreds of weak vectors in a company's users. Requiring stronger passwords, or forcing regular changing etc... increases the likelyness of post it notes etc... and well phishing? we are pretty much SoL for, the only thing I can possibly think of for phishing, would be an IT organized internal phishing test. IE the IT officials intentionally permit an account they created, say "companyadmin@gmail.com" to send a mass e-
        • I believe calling the users dumb and fools and "lusers" and such is a cop-out.

          The full quote is more or less: the trouble with making something foolproof is that one underestimates the ingenuity of fools.

          It's not so much calling users fools as calling into question the concept of foolproof. Users can and will do all sorts of strange things half of which you would never imagine. It is very hard to defend against things which you cannot think of.

          Redesigning your concepts, protocols, hardware and software to

    • Telling people what they need to be doing, and then never punishing them won't work. If people start getting fired for failure to follow security practice, it would stick more. And communicating good security practice doesn't require a consultant or speaker. There are videos out there; examples of what to look for. I agree hiring a big name to train everyone at your company who uses a computer is a waste of funds better spent, but ignoring the human element is willful ignorance. It is disingenuous for

  • While I agree with him to a certain point, there is a limit to how far security can be imposed on a user. Security always introduces overhead to doing a job. A user will accept that to a certain point if the reason is explained, however there is a point where putting more onerous security restrictions on a user is counter productive.

    For example, if the IT policy is that passwords must be changed every week, be 80% different, be a combination of letters, numbers, upper and lowe case and cannot contain any pa

  • I think I understand his point, and I agree in part, but I also disagree. I think security awareness is good, but I think relying on it is bad.

    First of all, I think there will always be situations where the security technology fails - social engineering is an obvious example - and ultimately the final barrier is the security smarts of the target. Anything which raises that barrier, even a little, is a good thing. The question, obviously, is whether the benefit is worth the cost of the training.

    And secondly

  • by Chrisq (894406) on Wednesday March 20, 2013 @06:09AM (#43221939)
    Its about things like the call-centre operator who gets a call saying Can I check my balance ... yea hear are the details... and while you are on can you tell me my wife's balance too. Its about the shop assistant in a phone shop who has someone asking for a replacement for a phone they just flushed down the toilet - they're desperate, miles from home and have no ID on them but expect an urgent call from their aunt in hospital so need a replacement on the same account. Its about the middle level IT manager who gets a call from a very annoyed board director who says his password doesn't work and you better reset it now or head will role. Its about not lending your access card to a visitor so they can go to the canteen and you are too busy to take a break.

    Security training is very important, but it needn't concentrate on systems.
    • Its about the middle level IT manager who gets a call from a very annoyed board director who says his password doesn't work and you better reset it now or head will role.

      Similar situation in a previous job: I was a tech for a secondary (high) school. The Headteacher (Principal) called while off site and asked for the local admin password for the laptop as he'd forgotten the password he'd set on the user account he was given. I, being an employee, gave it to him and thought nothing of it.

      The next day I explain the situation to the network manager and he goes MENTAL at me about data security and all manner of other policies, stating that the local admin password was also use

  • The worst thing (Score:5, Insightful)

    by drolli (522659) on Wednesday March 20, 2013 @06:12AM (#43221955) Journal

    is that many companies are too lazy to even get the most fundamental things right. Why on earth would you not distribute your own CA fro your internal web services? Do you really want to train yout employees that clicking on the "accept certificate" button is an everyday thing to do? Why dont you manage to get the security settings in a way that "content from an unknown source" is not "content from you own file server"? how the hell shoud the office assistant know that this is dangerous and theoretically unusual if in everyday work the instruciton says to accepti it several times per day? why yould you enable macros in office documents for no reason and not sign the document?

    All security training, hints like "be careful when opening attachements from unknown sources" are anihilated if you train your employees everyday to do the exact opposite thing, namely constructing worflows and selecting toolsets which are requiring exactly that.

    My 2 cents on this

    a) If there is a "do not use/do x" in your security education, then something is wrong. The right way is "use/do y"

    b) Construct your standard processes in a way that your users/employees can work secure *AND* efficient.

    c) If there are new tools and your users demand these, keep an open ear! Note to the management: reserve some bugdet for it. If users find dropbox an efficient service, the right way is not to forbid it but to ask yourself why you cant provide any decent file sharing on your own servers.

    • by gnalre (323830)

      James Lyne [sophos.com] once said that he changed to standard security certificate dialog to say "by cllicking this you kill 1000 kittens".

      No one raised an issue, not even IT.

      Which goes to show how pointless the dialog is and how far it goes in adding security

      • by drolli (522659)

        the dialog is pointless becaus nobody does it right. The people would pretty quickly learn that it does not kill 1000 kittens in average.

        Correct would be to write: in one of hundred times, clicking on this will cause a malware infection. If it does, it department will send 1000 killed kittens via in-house mail to your table. That's 10 kittens in average per click. Good luck.

        I am sure after one or two times burying the desktop of some office assistant under dead kittens and posting it on the companies homepa

    • d) if you set up security policies, ENFORCE THEM!

      Or Hire "security aware" people and trust on them.

      That's related to your point where employees are used to processing files from untrusted sources, but receive training not to do so.

      Tools is a good example for that. 2 out of 3 companies I worked for had a whitelisted set of tools you were allowed to install. It never contained either a the full set of tools you needed to do your work, nor the newest versions. So you were completly left in the dark if you were

  • These are invariably give and take.

    People simply need to be smarter. They aren't. No amount of precautions which do not inhibit functionality will help. People want to do what they want to do. The weak link is almost always the people and you can't control them with computers. You can limit what they do, but now you're encroaching on usability.

  • by AdmV0rl0n (98366) on Wednesday March 20, 2013 @07:00AM (#43222131) Homepage Journal

    He is correct. User training is largely a waste of time, and both in development, and deployment, the systems are not designed or setup for security. So yes, users clicking a link is not safe, and it should be. Users opening an application and reading data should be safe, but isn't.

    These problems have to be engineered out. They cannot be socially controlled out, the audience has neither the inclination, knowledge or interest in resolving this. And even after training, once its established how you've trained your monkeys, a new method will be established that undoes the training.

    The whole industry is still in its infancy. Its building bridges that are made from cardboard, and without any form of certification or regime. This will only be resolved when it becomes apparent that software providers cannot ship things like 'our software cannot be held accountable for anything, have a nice day'. Nobody in the world making bridges gets away with 'if this bridge falls down, we are not accountable'.

    The Adobe and Java scenario is exactly like this. Both are wholly unaccountable, and yet frankly directly responsible for perhaps billions upon billions of dollars of data loss, theft, security breaches, and so on.

    There is no_fundamental_reason why people should even bother to make their software secure - so they only ally a baseline effort to the task. Until this is addressed, the rinse, shampoo, rinse, shampoo will repeat. And its actually why the security landscape is degrading. Things like Metasploit may have seemed to help. But fundamentally the white hat hacking and info security folks have ultimatly not helped. Its only highlighting how bad things are, putting guns in hands that should not have them, and making things globally worse. The vendors have not changed by very much.

    • by Inda (580031)
      So what happened to "Security: it's not a piece of software or hardware. It's a process."?

      It's a process and that process must be taught.

      If users are taught that giving their passwords away is wrong on every level, even to IT professions who are upgrading their work PC (happened!), and yet they still do it, they need more training. If that training involves sleeping rough for a week because they lost their job because they're too stupid to learn and follow a simple rule, so be it.
  • I read the points he is saying, and I respect Scheier, especially in terms of the work he did earlier.

    He makes some interesting discussion points, but it mostly seems to boil down to that we have to fix things from an engineering perspective, and let the rules of thumb about security spread by osmosis.

    I would say, while there are still gains to be made at the engineering level, for many organizations serious about security, the low hanging fruit has already been taken care of mostly. Going further would oft

  • Security training is a necessity, but its almost always done incorrectly. As much as it shocks us there are still hordes of workers who have no idea what spearphishing is or why anti-virus doesn't wholly protect their computer.... My belief is that once a year and at start date of the employee you have an online brief going over basic security/what to look for, reinforce the fact that the network and individual systems are monitored and let them know what the penalties can be for not practicing what they ar

  • by JSC (9187) <[john] [at] [coxen.com]> on Wednesday March 20, 2013 @07:49AM (#43222337)
    And what do I see just to the right of the lead-in about how Bruce Schneier says security awareness training is a waste of time? An ad for Kevin Mitnick's Security Awareness Training.
  • It's all about how you present the security awareness. Start by asking a simple question: "Do you care about your profile/account/access?" Then keep it simple from there. Just one or two one-lined paragraphs or bulletpoints, or a video lasting max 30 seconds. Use emotions and feelings and pack it all up with kittens and upbeat indie music. That is how you get it into the skulls of the mediocre masses.
  • This point of view smacks of "if we just worked a bit harder/longer we'll be able to build a perfectly secure system".

    It aint gonna happen. Not for a system as sprawling as the internet, not for a system with as complex requirements as an operating system.

    The more you know about security, the easier it seems to do what is required to improve security - but you have to have very tight control of platforms to be able to follow through on implementing that security. And tight control prevents innovation.

  • systems that don't care what links a user clicks on

    Definitely. As far as is possible we should stop users accidentally doing something stupid by making sure that they can only do the right things. This is not always practical though as for a start there are factors outside our control (for the password example we can't control how the user might store and potentially distribute their credentials in other services (password managers) or in the real works (bits of paper)).

    systems that won't let users choose lousy passwords

    I can't see a way that could be implemented which is not essentially an attempt to enume

  • What I don't get... is why we even still have passwords. Why don't we all have Read only USB security dongles that confirm our identity? For banks, for work, for your medical records? The rest of the sites... Slashdot for example, who gives a crap. But a universal HARDWARE standard for sensitive info seems like a rather simple solution to do away with all this password nonsense.

    • by TeknoHog (164938)

      Why don't we all have Read only USB security dongles that confirm our identity?

      Because it's probably easier to steal your identity dongle than find a good wrench for $5.

  • The security of a computer is only as strong as its weakest link, and that weakest link is almost always the 6 inch gap between the ears of the computer user. And because the compromise of an entire network is easier to achieve once a single computer on the network is compromised, that makes the security of the corporate network only as strong as the weakest link... and every time you think you have found your company's dumbest user, you find another one who makes your previous candidate look like an IT gee

  • Because the problem with IT security in most organizations isn't training the rank and file, or building more-secure systems. The problem is that you can have all the IT policies in the world (coding standards, complex passwords, granular access), if they're not enforced with real consequences for ignoring/avoiding them, then it's all useless. Case in point: I once worked in a Fortune 500 company that had a pretty strict password policy (change password every 90 days, upper/lowercase/special characters r

  • Other wastes of time:
    Driving School
    Hunter Safety Class
    Swimming Lessons
    First Aid Course
    Condoms

  • ...he said this:

    Microsoft has a great rule about system messages that require the user to make a decision. They should be NEAT: necessary, explained, actionable, and tested.

  • Here is what I consider good training:

    1) Tell people about social hacking/engineering.

    2) Tell people about common tricks like infected flash drives being dropped in parkways, calling and requesting a password, etc. etc.

    3) Warn them that sometime during the year, YOU WILL TRY TO HACK THEM.

    4) Tell them if they fall for the hack, they will not get a bonus that year. (It helps if you actually give out yearly bonuses - even $100 will be fine)

    5) Actually test them two months later.

    6) If they fail the test, send them an email and require that they take your 10 minute class again.

    I have found that if you do this, then people learn. The threat of losing even $100 bonus a year is more than enough to get people to stop being stupid.

    Note, this will not stop people from downloading things from the internet and/or playing games. But it will stop them from picking up random flashdrives and using them - as well as stop them from giving out passwords over the phone.

HOST SYSTEM NOT RESPONDING, PROBABLY DOWN. DO YOU WANT TO WAIT? (Y/N)

Working...