[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [ISN] Human Errors Fuel Hacking as Test Shows Nothing Stops Idiocy

Forwarded from: "Jay Dyson, CISSP" <jdyson (at) jpl.nasa.gov>

[PGP signature likely munged from copy and paste.  - WK]

Hash: SHA1

Hello folks,

I gave a keynote address on this very topic late last year at Penn State's security conference. Regrettably, the attitude among many IT personnel toward user mistakes continues to be demeaning. Conversely, we IT personnel are often seen by users as elitist, condescending jackals. And trust me, we live up to that reputation...especially when we go on record calling our target audience "idiots."

I won't disagree that user misconduct is frustrating. We train them and we push them to keep security in mind in everything they do. Yet for all our efforts, users still fall victim to the allure of easy trappings and innate human curiosity. What's more, as the article illustrates, even we security mavens are not immune to falling for the ruse.

The real problem here lies in prevailing perspectives. First, we cannot realistically expect the average user to look at the world the way we do. We security types are a different animal. We don't just perceive treachery and deception, we *expect* it. Second, we've got the completely wrongheaded view of our users. Like it or not, our users are the ones who ensure that we'll have a job tomorrow, yet we treat them as if they were a curse to our existence. In my view, anyone who's helping me keep a roof over my childrens' heads and food on the table is a valuable ally.

Third, and most importantly, we've got to see our role in not getting through to our users. I personally cannot entertain any absurd notions that my users are idiots when I'm surrounded by Ph.D's. If there's any fault in the system, it's one equally shared by those of us delivering the message. We've got to become more effective marketers than our adversaries. Our attackers are getting through to our users in ways we have yet to rival. Odd as it may sound, we've got to develop and adopt strategies in which we can leverage the same common human proclivities that the attackers exploit, only to our own advantage.

...or we can keep doing what we've been doing for the past several decades: look down our collective noses at users, continue to run around in crisis mode, and count the cost of the losses.

- From where I stand, it seems hypocritical that we demand our users learn from their mistakes when we have yet to do so ourselves.


Jay Dyson, CISSP
IT Security Engineer
JPL IT Security Group
NASA Jet Propulsion Laboratory
California Institute of Technology
jdyson@xxxxxxxxxxxx | 818-397-4960

On Thu, 30 Jun 2011, InfoSec News wrote:


    By Cliff Edwards, Olga Kharif and Michael Riley
    June 27, 2011

    The U.S. Department of Homeland Security ran a test this year to see
    how hard it was for hackers to corrupt workers and gain access to
    computer systems. Not very, it turned out.

    Staff secretly dropped computer discs and USB thumb drives in the
    parking lots of government buildings and private contractors. Of
    those who picked them up, 60 percent plugged the devices into office
    computers, curious to see what they contained. If the drive or CD
    case had an official logo, 90 percent were installed.

    âThereâs no device known to mankind that will prevent people from being
    idiots,â said Mark Rasch, director of network security and privacy
    consulting for Falls Church, Virginia-based Computer Sciences Corp.

    The test showed something computer security experts have long known:
    Humans are the weak link in the fight to secure networks against
    sophisticated hackers. The intrudersâ ability to exploit peopleâs
    vulnerabilities has tilted the odds in their favor and led to a
    spurt in cyber crimes.


Version: GnuPG v1.4.9 (SunOS)


Tegatai Managed Colocation: Four Provider Blended
Tier-1 Bandwidth, Fortinet Universal Threat Management,
Natural Disaster Avoidance, Always-On Power Delivery
Network, Cisco Switches, SAS 70 Type II Datacenter.
Find peace of mind, Defend your Critical Infrastructure.