Firstly: this may be a not-programming-related question.

However: As a programmer who is very concerned about security, this is a question which weighs heavily on my mind, and directly affects my activities as a programmer.

The weak point in my systems is nothing about the systems themselves, but rather the users. So, what I need to do is to educate my users about security.
Things I would like to tell them about include:

  • what the cost of a breach could be
  • the computers really can't solve the problem (it's down to people)
  • phishing / spear-phishing
  • some awareness of the kinds of vulnerability that are out there
  • why it can be disastrous just to click a nasty link in an email

Do you have any tips on how to educate users in this stuff?
In particular (bearing in mind that I am but a lowly grunt), any helpful suggestions about how to get senior people interested in real-world solutions (not just rhetoric)?

Is there anyone who is an IT security guy (or gal)? I would really appreciate any war stories or real-life efforts from an experienced source.

+2  A: 

I'd suggest you read Marcus Ranum's article on security before considering how to "educate" users about security (it's a bad idea to give the users enough power that they should need to worry about security in the first place).

Jeff Hubbard
I would highly disagree with that. Look at all the phishing scams for getting people's bank account login ID/password. The only way to defeat them would be to not give the user access to their own account. That is not an acceptable limitation you can put on the user.
Kibbee
I also disagree: a user can always breach security as far as their authority allows. Giving away their password, holding a door open for someone with their hands full, removing confidential material from the office. The more they are educated, the more secure they will be.
David Waters
It would be really great if you guys who disagree could post some suggestions as answers. Thanks!
AJ
To answer your guys' disagreements, consider this: remove the credential verification step and place it into the hands of something the user *has* instead of something the user *knows*. That removes all doubt as to whether or not the user is who they say they are.
Jeff Hubbard
+1  A: 

You need to make them part of the solution. Users don't care about security because "that's the IT department's job". After all, you restrict their access, make them run AV and security tools on their computers, etc etc. So it's only natural that they think you have it covered.

Which, obviously, you can never achieve.

So, get them involved. One way would be a 'naughty hat' where the last person to fail a security test (something like a fire drill) would get a humorous-but-important-message token that marks them out (make sure it's designed to raise awareness, not pick on people). That tells people they need to be aware of the problem, or they'll get the hat.

You can then try to hack them in various safe ways. Hopefully, if someone actually got hacked the social consequences would be obvious to all and your users would try to avoid it.

You can tell them "do this", "don't do that" until you're blue in the face; they won't really care when they leave your training course. The first time someone phones and asks "can I have the password, I've forgotten mine and the boss is yelling at me, and IT is being unhelpful as usual", they'll hand it over. Unless they get the hat, which might make them think twice.

gbjbaanb
absolutely. nice ideas. thanks
AJ
+1  A: 

Assuming that your users are within reach, convince them to read a book like The Art of Deception. It is pretty readable even for the non-technical (in most cases), and would give them a broad introduction to social engineering attacks.

Chris Ballard
That's exactly the kind of information I need to get to them. I just don't think that asking them to read a book is going to be successful, but I like the way you're thinking! thanks :)
AJ
You would be surprised. My company has a social engineering forum (via a chat client) and this has a very wide membership both within and outside of IT roles. Obviously you won't convince everyone, but getting a few "champions" amongst the users will always help.
Chris Ballard
+1  A: 

Teach them how to hack. Let them try and break into their own system using XSS, SQL Insertion and other common attacks. It's fun, and really opens eyes.

Andrew Harmel-Law
+1  A: 

I agree with gbjbaanb: people get bored when you tell them things, but they remember when you show them things. Figure out ways to demonstrate good or bad security practices to users.

One such idea would be to deliberately send phish/spam emails with links in them that redirect to an intranet site that explains how what they just did was dangerous.

Here's a slightly more elaborate thing I did along those lines:

About ten years ago the defaults in Outlook were not great. It was easy to get active content to run on someone's box just by mailing it to them. There was a setting to turn this off, but you had to remember to do it.

To educate the people in our organization, I put a small Javascript in my signature file. It would pop up a box that said something like "Your Outlook is configured improperly and you are at risk. Click here for instructions to fix it." And of course I provided a URL to an intranet site that described the problem and showed how to fix it. If you had your Outlook configured correctly to ignore active content in emails, you would never notice anything.

Current versions of Outlook have better defaults, so this exact technique is probably not useful anymore, but maybe that will give you some ideas.

Tim Farley
Nice thoughts. thanks :)
AJ
+2  A: 
romandas
@romandas, thanks for a wonderfully helpful answer.
AJ