Re: [ISN] Human Errors Fuel Hacking as Test Shows Nothing Stops Idiocy
Forwarded from: "Jay Dyson, CISSP" <jdyson (at) jpl.nasa.gov>
[PGP signature likely munged from copy and paste. - WK]
-----BEGIN PGP SIGNED MESSAGE-----
I gave a keynote address on this very topic late last year at Penn State's
security conference. Regrettably, the attitude among many IT personnel toward
user mistakes continues to be demeaning. Conversely, we IT personnel are often
seen by users as elitist, condescending jackals. And trust me, we live up to
that reputation...especially when we go on record calling our target audience
I won't disagree that user misconduct is frustrating. We train them and we
push them to keep security in mind in everything they do. Yet for all our
efforts, users still fall victim to the allure of easy trappings and innate
human curiosity. What's more, as the article illustrates, even we security
mavens are not immune to falling for the ruse.
The real problem here lies in prevailing perspectives. First, we cannot
realistically expect the average user to look at the world the way we do. We
security types are a different animal. We don't just perceive treachery and
deception, we *expect* it. Second, we've got the completely wrongheaded view
of our users. Like it or not, our users are the ones who ensure that we'll
have a job tomorrow, yet we treat them as if they were a curse to our
existence. In my view, anyone who's helping me keep a roof over my children's
heads and food on the table is a valuable ally.
Third, and most importantly, we've got to see our role in not getting through
to our users. I personally cannot entertain any absurd notions that my users
are idiots when I'm surrounded by Ph.D's. If there's any fault in the system,
it's one equally shared by those of us delivering the message. We've got to
become more effective marketers than our adversaries. Our attackers are
getting through to our users in ways we have yet to rival. Odd as it may
sound, we've got to develop and adopt strategies in which we can leverage the
same common human proclivities that the attackers exploit, only to our own
...or we can keep doing what we've been doing for the past several decades:
look down our collective noses at users, continue to run around in crisis mode,
and count the cost of the losses.
From where I stand, it seems hypocritical that we demand our users learn from
their mistakes when we have yet to do so ourselves.
Jay Dyson, CISSP
IT Security Engineer
JPL IT Security Group
NASA Jet Propulsion Laboratory
California Institute of Technology
jdyson@xxxxxxxxxxxx | 818-397-4960
On Thu, 30 Jun 2011, InfoSec News wrote:
By Cliff Edwards, Olga Kharif and Michael Riley
June 27, 2011
The U.S. Department of Homeland Security ran a test this year to see
how hard it was for hackers to corrupt workers and gain access to
computer systems. Not very, it turned out.
Staff secretly dropped computer discs and USB thumb drives in the
parking lots of government buildings and private contractors. Of
those who picked them up, 60 percent plugged the devices into office
computers, curious to see what they contained. If the drive or CD
case had an official logo, 90 percent were installed.
"There's no device known to mankind that will prevent people from being
idiots," said Mark Rasch, director of network security and privacy
consulting for Falls Church, Virginia-based Computer Sciences Corp.
The test showed something computer security experts have long known:
Humans are the weak link in the fight to secure networks against
sophisticated hackers. The intruders' ability to exploit people's
vulnerabilities has tilted the odds in their favor and led to a
spurt in cyber crimes.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (SunOS)
-----END PGP SIGNATURE-----