2006-10-24

User Education and Security

http://news.com.com/Security+expert+User+education+is+pointless/2100-7350_3-6125213.html

"Might it be so that we use the term and concept of user education as a way to cover up our failure?" he asked a crowd of security professionals. "Is it not somewhat telling them to do our job? To make them be a part of the IT organization and do the things that we are bound to do as a specialized organization?"

I don't know how many of my readers think about security all the time! Heck I don't even know if I have any readers :-)

But this is an interesting topic. In a long-term way, I think I agree with Mr Gorling -- the need for user education is clearly a technical failure at some level.

I tend to compare things to the physical world a lot. In the physical world, we're used to different levels of security. Take "documents" for instance -- we keep important financial/property documents in an inner room, and probably under some sort of lock and key. Things that are less important (like receipts, warranty cards, bills, small amounts of cash) are kept in a slightly more accessible but still quite safe place. Finally, things like books, magazines, newspapers, etc., lie around pretty much anywhere (and cause fights with the wife if she is a cleanliness freak, but that is neither here nor there ;-)

Don't you think the security problems we're seeing are mainly because on his computer, unlike in his house, we have not given the user enough "rooms", and he's essentially forced to put everything in one room or (worse) one "shelf"?

A small example: within my workgroup, we allow people to access random websites only through Firefox. If they use IE, they are restricted to a whitelist of URLs that we assume we can trust. This is one type of separation, and I am sure it has helped us tremendously over the few years it has been in place.

Personally, I have even toyed with the idea of running two copies of the Firefox browser -- one with my normal userid where I do anything I please, and one under a very rarely used userid which I will use only to access my corporate intranet portals, my bank, etc. -- yet another form of separation (although, since I use Linux, maybe I'm being too paranoid).

For ordinary users, it ought to be possible to create something like this using Linux live CDs that is easily accessible/usable, and provides excellent security against all sorts of trojans and viruses (most of which cannot work when you use a live CD, because you're booting from a CD each time).

Example implementation: there are 3 icons on the desktop to switch between "rooms", and built-in intelligence (with a list of "important" URLs that is updated from the net) to prevent him from accessing, say, www.citibank.com if he is in a low-security room, or vice versa, prevent him from accessing unlisted sites when he has switched to a high-security room.
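Here is what the "room" rule from the example above, together with the Firefox/IE whitelist split from the workgroup example, might look like as a single policy check. This is an added illustration, not code from the original post or from any real product; the domain lists are constructed placeholders, and the "restricted" room (whitelist only, matching the IE setup) is my generalisation of the two rooms described. The check deliberately fails closed on anything it cannot parse, and it resolves the real hostname first so that a URL like `https://www.citibank.com@evil.com/` is judged by `evil.com`, not by the decoy in front of the `@`.

```python
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Constructed sample lists (assumptions for this example, not from the post).
# In the post's design these would be refreshed from the net.
IMPORTANT_DOMAINS = frozenset({"citibank.com", "intranet.example.com"})
# Whitelist for the "restricted" room, analogous to the IE-only URL list.
RESTRICTED_WHITELIST = frozenset({"intranet.example.com", "example.com"})


def hostname_of(url: str) -> Optional[str]:
    """Return the lowercase host of an http(s) URL, or None if it cannot be trusted.

    urlsplit().hostname strips userinfo ("user@") and the port, so a decoy
    domain placed before an '@' does not fool the check.
    """
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed URL (e.g. unbalanced IPv6 brackets)
        return None
    if parts.scheme not in ("http", "https"):
        return None  # javascript:, file:, data: etc. are never allowed
    return parts.hostname or None


def host_in(host: str, domains: Iterable[str]) -> bool:
    """True when host equals a listed domain or is a subdomain of one.

    Matching on the dot boundary means 'notcitibank.com' and
    'citibank.com.evil.com' do NOT count as citibank.com.
    """
    return any(host == d or host.endswith("." + d) for d in domains)


def allowed(room: str, url: str) -> bool:
    """Decide whether a URL may be opened from the given room.

    low        -> anything except the important sites
    high       -> only the important sites
    restricted -> only the whitelist (the IE-style room)
    anything else, or an unparseable URL -> denied
    """
    host = hostname_of(url)
    if host is None:
        return False
    if room == "low":
        return not host_in(host, IMPORTANT_DOMAINS)
    if room == "high":
        return host_in(host, IMPORTANT_DOMAINS)
    if room == "restricted":
        return host_in(host, RESTRICTED_WHITELIST)
    return False


if __name__ == "__main__":
    # Constructed sample requests showing each room's decision.
    for room, url in [
        ("low", "http://www.example.org/news"),
        ("low", "https://www.citibank.com/login"),
        ("high", "https://www.citibank.com/login"),
        ("high", "https://www.citibank.com@evil.com/"),
        ("restricted", "https://intranet.example.com/portal"),
    ]:
        print(f"{room:10} {url:45} -> {'allow' if allowed(room, url) else 'deny'}")
```

The point of the two-direction rule is the same as the post's: a low-security room must not reach the bank at all, so a trojan picked up there has nothing valuable to steal, while the high-security room cannot wander onto unlisted sites where it might pick one up.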
