Users will click yes to anything, just so they can do what they want. So it is easy to socially engineer them into saying yes to any prompt, oblivious that they are allowing malicious code to run. As a result, security awareness training starts to feel like the fun police. “Don’t run with scissors!” “Don’t stick your tongue in an electrical socket!” “Don’t jump off the roof!”
Dave Aitel knocked over a hornet’s nest this week by suggesting in a CSO Online article that you shouldn’t train employees for security awareness. This led to many uncharitable remarks across the internet (and many clueless remarks also).
Full disclosure: I went to the same high school as Dave; he was friends with my little brother. I’m predisposed to like him.
This discussion of the worthiness of security awareness training reminded me of a faceoff between Marcus Ranum and Bruce Schneier in the April 2006 issue of Information Security Mag.
Marcus’ position was:
- There are always new inexperienced people ready to click “ok” to run the malware
- Managers still purchase things without a concern about security until it inevitably blows up in their face
- The most effective tool for teaching users is the pain of financial loss or the penalty of reloading the operating system. People learn from their mistakes when you let them make them.
- Educating users is futile
- It isn’t generational. New technologies, new scams.
- When a USB drive autoruns, whose fault is it? The user who plugged it in or the admin who allowed autorun? Better to fix it once as a security control than to constantly train users not to do the very thing USB drives are used for.
I find myself wondering whether Marcus and Bruce received the same catcalls, and whether their views have changed over time.
Dave Aitel asks “does the RSA phishing attack prove that training is needed or the opposite?” The bad guy just needs to find one person. You could run anti-phishing drills until employees refuse to open their mail client ever again, but there is still going to be one.
Aitel says that it is possible to secure the environment without teaching the employees to be secure. That may be a position that is designed to inflame, or not. I’d put it a different way. You’re doing it wrong if you’re teaching your employees to be secure instead of
- Testing boundary systems
- Monitoring intrusions and data exfiltration
- Isolating and protecting critical data
- Internal segmentation
- Monitoring access rights of users
- Incident response
- Security leadership.
It doesn’t have to be an either/or proposition. But money and time are not unlimited, so prioritization often needs to occur. I think I agree: I’d rather prevent desktop infections by removing admin rights than constantly drill into the user not to click on things. Security controls can give a bigger bang for the buck. Would you teach the user to run Windows Update, or implement a patching product?