Saturday, January 8, 2011

User Awareness - Ur doin it rong.

It's heard throughout the security community that user awareness is an important part of a security program, but I think we technical people seem to miss the mark.

We often assume (although nobody actually says it) that if the user only knew the details of a computer system or had more information about how specific threats work, they would automatically become security-minded and less vulnerable to attack. The problem is that many of us don't know how to talk to normal people. Because of this limitation, we either give up immediately, or, if we do get off our butts and put together a user awareness program, it tends to be the type of talk that we would enjoy, dumbed down for "the peasants."

This is a grave mistake on our part. Behind their backs, IT professionals say that users are stupid (which is not true; they may do stupid things, but so do we all), and then we expect them to sit through a two-hour seminar and come out as security samurai, ready to defend the corporate network with their newly discovered knowledge.

We simply don't realize how boring we are to anybody but other geeks.

The average user should not have to know the details of the latest virus outbreak, or how a browser-based Java exploit can migrate to the winlogon process, or even how malicious apps can steal their information on Facebook.

We should be teaching users a few basic things that generally hold true, and how to apply those as a rule when interacting with a computer system; essentially, being aware that there could be a threat is all that's necessary.

Many of these rules translate to real life, so they are pretty easy to grasp and apply. 

1. There are bad people in the world.
2. You may not think you have anything they want, but they can use you (with or without your knowledge) to get to other people or things that do.
3. There is no such thing as a fully secure system (no matter how much Apple tries to hide that fact behind marketing lies).
4. There is no such thing as a free lunch. Nobody is giving away a free iPad or trips to Disneyland just for going to a website, forwarding an email, etc.
5. It is simple to pretend to be someone else online.
6. You don't have to be untrusting or paranoid. As Ronald Reagan said about Soviet relations: Trust, but verify.
7. Most malware comes through in links and attachments in email or in chat rooms, blog comments, Facebook posts, etc.
8. When in doubt, don't click; ask somebody.
9. Here's why and how to create a strong(er) password that's still easy to remember (enter demonstration / explanation here).
10. Learn what your antivirus and operating system actually look like when they pop up a message, so you're less likely to get fooled by scareware or fake error messages.

There are several more that we could come up with, but that's the general type of "awareness" that is necessary for the end user.

Sure, it's dramatic to demonstrate a Facebook hack to show pictures you shouldn't be able to see. Sure, it's cool to show how a link in an email can take over a user's computer.

But in case you hadn't noticed, the users' eyes glazed over the moment you said the word "malware."
