Security Education - Common Sense Turned Off By Default

By Larry Seltzer  |  Posted 2003-04-30 Print this article Print

Your first line of defense is not your firewall or any other security product, it's your users. Are they selling you out for trinkets?

Theres a security show running in London right now called Infosecurity Europe 2003. As a promotional tease, the organizers of the event arranged a frightening little survey. They went to Londons Waterloo (train) Station and looked for people in business dress with briefcases and other trappings of business and asked them for their computer passwords from work.

75% (gasp!) of respondents gave the password without any further prompting. 15% more were tricked into providing it through a simple course of social engineering, the kind you might do to anyone in a business into which you want to hack. For instance, some people were asked how they chose their password. A self-identified CEO said that he used his daughters name, and then gave his daughters name when asked. Amazing.

Oh, and as a reward for betraying, wittingly or otherwise, their companys security, respondents received a free pen. (I would have held out for at least a t-shirt!)

Horror stories like this actually make me wonder about the wisdom of single sign-on systems. In a way they just allow your users to compromise even more of your systems. But the answer cant be to make things harder or keep them obscure. Clearly the correct answer is to get users to do the right thing.

Of course, security is more than just passwords. The Waterloo survey also found that 75% of workers would look at the company salary database if they mistakenly got access to it and 38% would pass it around. So much for doing the right thing.

And this isnt the only recent example of minimal security competence. The newest mass-mailer worm, Coronex, makes reference to viruses and SARS in the subject line and invites the reader to launch the attached executable, named sars.exe or virus.exe or something similar. Putting aside for the moment the fact that all recent and most old versions of Outlook and Outlook Express have been patched to prevent such mass-mailings for years, I ask still wonder who by now does not know that you dont run such a program under such circumstances?

Some people say that problems like users not taking their passwords seriously are a matter of education, but Im not so sure. People who would give their password to a stranger at the train station would surely give it to someone who called up at work and claimed to be from tech support. Have they not been told that this is a bad idea, or do they just not care?

I tend to agree with Tamar Beck, Director of Infosecurity Europe 2003, that "This survey proves peoples loyalties are not with their employer, they put themselves first. Employees are sometimes just naïve, poorly trained or are not made aware of the security risk. Employers therefore need to create a culture of protecting their information & reputation with policies on information security backed up with training to support the security technology".

There is no alternative to education for problems like this. Your employees are the guardians, like it or not, of your companys proprietary information. If you dont get the message out to them that protecting that information is their job and how they can do that job, they might just conclude that its no biggie and so what if her ex-con boyfriend uses her computer now and then? Theres a lot at risk with a security-ignorant workforce.

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel