The security of computer systems and networks is a fairly frequent topic of conversation here, and on many other sites (check out some of the Useful Links, in the right-hand sidebar). Many of these conversations, of necessity, are filled with technical details about vulnerabilities, mitigation steps, and software patches; and all of these are important. But that should not lead us to forget one of the most basic vulnerabilities in the whole security process: the people that implement and use it.
The Internet Storm Center, run by the SANS Institute, has recently featured a couple of diary entries, written by members of their team of volunteer incident handlers, that are useful guides to re-focusing our attention. The first, written by Kevin Liston, is titled Vulnerability Advisory: User clicks on something that they shouldn’t have (CVE-0). Although the tone is a bit tongue in cheek (it reminded me of PEBKAC, the old system admin’s shorthand for a user that has performed a successful surgical strike on his foot — an acronym for Problem Exists Between Keyboard And Chair), I think it is a good and sensible discussion of how to approach the challenge of making users active participants in your systems’ security. For starters, though it is common for system and security admins to disparage their users, the reality is that no one is good enough to catch everything.
Remember that everyone is vulnerable, even you, dear reader. There will come a time when you haven’t had your morning wake-up juice, or you are distracted, or one of your friends/family/clients gets compromised and they send you a message, or you become specifically targeted, then you will likely click on something that you shouldn’t have.
Those responsible for security (the defenders) must resist the temptation to make more and more draconian rules:
If the defender deploys too many rules, or too restrictive policies, the users (in their bounded rationality) will organize “solutions” that circumvent these controls so that they can get their jobs done. In the worst cases, this can turn the users hostile to the defenders. When these “solutions” and workarounds are discovered, you have to resist the urge to clamp down harder, because this is a clear sign that your policy lever is already pushed too far …
Equally, the defenders must avoid infantilizing the users, and making them wards of the security function:
Another common result of this conflict between defenders and criminals is that the defenders assume more and more control from the users so that they eventually they become wards of the defenders. This works for a while as the team deploys new tools and processes. Unfortunately these efforts only serve to mask the root cause of the problem
Security incidents will occur; they should be used as an opportunity for everyone involved to learn something.
The second, shorter article is by Chris Mohan; it is focused on strategies to help all of the folks involved to understand what IT security is about, and why it’s important.
The IT security community needs to get everyone, including itself, to good quality, relevant talks, presentations and debates on what’s happening in and around IT security.
The basic argument, which I think is eminently sensible, is that people in IT, management, and user organizations should have regular training and updates in what is happening in IT security.
Compared to the situation a decade ago, I think we have made progress. The typical user is much more aware of the necessity of making timely software updates and patches, for example. But we still need to work on raising awareness.