Throwing the Baby Out with the Bath Water

Friday, July 20, 2012

Infosec Island Admin


So yeah, a week or so ago I wrote a piece that, in the end, kinda said I was retiring from the INFOSEC frak-slapping biz for a while. I went away, began looking at other interests of mine, relaxed, and things were good.

Then I saw this article by Dave Aitel, “former computer scientist at NSA”, on the idea that teaching security awareness is useless.


Holy WTF? You have gotta be kidding me, I thought and exclaimed out loud! Sure enough though, when I read it, I found myself agog at the idea of tossing awareness out with the bath water, like the baby in the old aphorism that Dave seems to be making it into.

Article here: Why you shouldn’t train employees for security awareness

Dave, how could you be so smart about some things and yet so spectacularly stupid on others, I wonder? I mean, all your other points about protections that should be in place in an environment are right on, though you must realize that many places would need a HUGE re-architecture to follow many of your ideas through to fruition, right? So, right there you have a non-starter for many places that would indeed be better suited to having an awareness program.

But I digress…

Look boyo, using APT as your “examples” of why it’s a fool’s errand to teach security awareness to the masses is just a self-serving and exceedingly short-sighted means to your end of selling your services, methinks. APT attacks like the ones you mention are always possible and do happen to many places; however, they are not the only thing coming in waves at the employees of the world.

There are plenty of other attacks, including the SE attacks you speak of. All of these could be made less effective at winning the day for the attackers “if” the employees are trained (the key word here being trained: not for 4 hours, not for one day, but repeatedly on these issues). You don’t send a kid to school for a day to get a diploma, do you? No, you send them to 8 friggin years of school to get that diploma, and maybe 4 – 8 more for a real education. See the analogy there, Dave?

You train employees not only to protect against clicking on links or suspect emails, Dave, but you also teach them good ethics, as well as security hygiene that will make your environment just that much better over time. The cumulative effect will help you secure the environment and, in tandem with your technical means, make it all the better.

This idea of just chucking awareness on the trash heap is useless and, more often than not, a dangerous idea you are selling to CSOs and CIOs who may not be as security savvy as they should be, man, and in my book you are now treading really close to “charlatan” status.

What’s your next idea, man? Outsource security to, say, India?

Look Dave, I know it’s a dog-eat-dog world out there today, but really, cutting this cost as a sales pitch in CSO magazine? And such an epically bad idea too? Geez, I mean, I thought BYOD was a bad idea, but it seems you would advocate not only that, but also not demanding that end-user devices be scanned for malware, huh?

Security awareness is a process, and both it and human nature, as I have written about here before, are hard things to control, but without at least trying you are opening up just another avenue of attack, even with mitigations like the ones you propose in your article. What’s even more egregious is that you seem to think awareness costs a lot of money? What?

In the DIB partners I have been in, you just have the security team teach the recurring sessions as well as intakes. Then you have recurring online training that is done in house; it’s really not a bank breaker, man. So who the hell is spending gobs of money on it anyway, if they are smart about it, and if they are doing it at all?

See, that’s the other thing, Dave: many places AREN’T doing it to start with. This is why people are so click-happy, as well as liable to just hand over a password! So here you are advocating that we dispense with it all because it is a foregone conclusion that the APT is gonna get us all in the end.

Dave, it’s time to smell the coffee and wake up.

Awareness training should be a staple of every environment, and the awareness of the end user is important in stopping attacks. I have personally seen it work in environments under my control. Will it stop every attack? No, but neither will all of the technical controls you are offering to sell to those who might be reading this quack article of yours.

Go back to your corner and put on the pointy hat, Dave… You’re not “aware” enough to make these kinds of great prognostications and claims.


Cross-posted from Kryp3ia

Ali-Reza Anghaie: Erm. If you have time, read this, and then a particular aspect of your rant will be hilarious.

People in the Loop: Are They a Failsafe or a Liability? -- Daniel E. Geer, Jr., Sc.D.

Gregory MacPherson: Yeah, knee-jerk reactions are a b***h :)

Seriously, users have been proven beyond a reasonable doubt to be clueless ch0ads unable to secure their own data. Ideally, the proper way to handle security is to remove the choice from the users and place it squarely in the hands of 'the competent' AKA security engineering.

Yes, I realize that I am advocating "securit-ism", a quasi-Socialist framework in which 'deny everything that is not explicitly permitted' includes the CEO's video cameras to watch his house in Belize and his new iPad because they violate the security policy that he signed off on without looking.

Spending time and money to teach the unwashed masses (AKA everyone who got on the Internet after 1994) is both a waste of time and a waste of money because...

(a) They don't want to know
(b) They don't want to understand
(c) They don't want to be bothered

They (the aforementioned unwashed masses) want to 'do facebook' and read /. and gossip electronically. They don't want to bother being concerned about "the enterprise". They just don't - if they did, you wouldn't have user stratfor, password stratfor.

So the argument is based on the supposition that 'teaching security awareness' is a process of educating those who both can be educated and want to be educated. My position is "don't bother". Instead, just take the decisions out of their hands, and leave them with fewer concerns. Let the geeks - who both understand and care about the CIA triad - handle the heavy lifting.

Kathleen Jungck: Scott,

I'd go one step farther and say that we don't need just Security Awareness -- we need a fundamental, basic Computer Security Literacy for the average computer (or tech gadget) user. By leaving these users without the basics, you promote their use as attack vehicles. Need I remind our community of the RSA attack, where it was a series of human errors that enabled the breach, not tech failures?

Schools are introducing K-12 and college students to computer and tech gadget use, and should include the information security basics like:
Protect your environment (cooling, dust, UPS, etc),
Backup your data & configuration, and
Secure your data and system (Access Control, Virus/Malware Scans, Update/Patch)
Attackers 101 - Hackers, Key Logging, Spoofing, Phishing, XSite Scripting, Social Engineering, etc.

I can't believe the number of average users I've seen not even using a surge protector -- literally just plugged straight into the outlet, no clue what a UPS is, no idea that BACKUP exists, don't renew the virus scan license that came with their system, get one from their ISP, or know about freeware, and turn off the virus scan or OS updates because they are annoying -- or even make their system crash. They have no clue how the internet even works to know the possibility of spoofed sites, don't know to check that USB stick they found in the parking lot, or, my personal favorite, don't have any sort of access control at all.

If we can get a generation to "Reduce-Reuse-Recycle", I bet we can train the next generation to Prevent-Backup-Protect in order to reduce the number of available attack vehicles as the number of platforms is exploding.