Sunday, October 24, 2021

End Users are Clueless — and it’s IT’s Fault

So we’re all agreed: Malware can be hazardous to your health.

We also agree that more and more exploits are being discovered every day

in various software packages. Thankfully, vendors are finally exhibiting

an ability to make security an essential component of their products,

instead of viewing security as a bolt-on luxury feature no one really

cares about. And best of all, some software creators realize security can

be a selling point for their products.

The distance between announced vulnerabilities and publicly available

exploits is getting slimmer, but the distance between exploits and

patches also is getting smaller.

So why aren’t we all happy?

Because you all aren’t playing along. That’s why.

Too many of my conversations go, more or less, like this…

”I wasn’t doing anything and it just stopped working!”

Ok, what were you doing before you weren’t doing anything? You were

reading your email. Did you click on the link in that email? You know,

the one that had a spam score of 47.0? Right, that one. So you weren’t

doing anything but reading your email, and then clicking on the link in

the email from ‘the bank’, even though you don’t have an account, and

never have had an account, with this bank (which, by the way, you’d never

heard of until you got this email). Is that right?

WELL, DON’T DO THAT!

EVER!

Obviously, we, as security professionals, can no longer blame the vendors

for being inattentive to the situation. We can identify the problem

pretty easily. Rather than try to be delicate about it, let’s just see it

for what it is.

Our end users have no clue. And that’s our fault.

If we don’t teach the people we’re responsible for to take care of

themselves — just a little bit — we are going to continue spending the

majority of our time cleaning up perfectly preventable computing

tragedies. This is important.

How much time has your organization lost to compromised systems? How many

hours of productivity down the drain? Don’t cheat yourself either. The

number of hours you work on a system should be multiplied by the number

of users dependent on that system, plus you. (This means if the boss’

secretary prints out all of his email for him, and that system gets a

virus, the secretary is down, the boss is down and you’re down. That’s

right. You’re down too, because you could be doing something more

productive than re-imaging that machine.)

Here’s another question. How many times is a simple rebuild complicated

by the owner never doing a backup, and not being able to tell you where

his files reside? So now you not only have to put in the time and expense

of restoring the system, you also have to do the detective work of

identifying and protecting/saving the data on the system. You run the

risk of losing important corporate assets.

What’s worse is that you know you’ll be back on this machine within six

months. And the guy who owns it? He won’t have done a single back up

since you last restored to him a pristine machine with all his stuff on

it.

If only we could get up in the face of our users like drill instructors

and scare the living daylights out of them into believing that if they

ever click on another link, we’re going to take their computer

and…

Well, ok, that’s just wishful thinking on my part.

But we can make a difference. We can get the message across through

variety, repetition and repetition. (Yeah, repetitive just like that.)

There are three messages we need to tattoo on their foreheads.

One: Do not click on the link in that email that should

have been marked or filtered as spam. And do not be tempted to even open

your spam and peek at what may be inside. It’s spam. Nothing good comes

from spam.

Two: Back up your data religiously. Utilize resources the company

provides. (The company better provide some, or you need to be working on

management, as well.)

Three: Auto-update. Both Apple and Microsoft have finally gotten

their collective acts together to provide OS patches as painlessly as

possible. Turn on auto-update. It goes out and does what’s necessary to

keep the system patched. It’s the ‘turn it on’ part we seem to be having

trouble with. According to some reports only about 40 percent of users

have auto-update activated.

See, we know what the problem is. We simply need to get on the stick to

fixing it. We need to convince management (and management, if you’re

listening, pay attention here) that the expense of a quality archive

system appropriate to the corporate mission, can be justified in the

negative deliverable of lost data and down time. If your corporate

environment is geared to mandates, then work on mandating auto-updates.

If you live in a more liberal environment, such as a university, where

dictating policy won’t work, it’s incumbent on you to convince your

constituency that auto-updates are in their best interest.

You know your users. You know what message will be most effective. The

ones who can’t bear to be without their system, will gain comfort from

knowing they will be less likely to incur system loss through compromise.

For those on the opposite end of the spectrum who don’t know and don’t

care, just tell them to turn it on and you’ll quit bugging them about it.

It’s the ones in the middle you have to treat carefully. They won’t let

you tell them what to do, and they don’t feel they have any incentive to

do what you ask. You might try both ends against the middle here. Tell

them, you’ll quit bugging them if they will activate auto-update. And

remind them that that includes you coming around and seizing their system

when it’s been compromised.

They’re just as happy to not see you as you are to not have to see them.

As for spam, and the people who read spam? ”We have seen the enemy, and

they is us.”

Similar articles

Latest Articles