back to article Crypto guru: Don't blame users, get coders security training instead

Experts on both sides of the vendor-customer divide in the UK and a US cryptographer are at odds over whether or not security training is a waste of time. American crypto guru Bruce Schneier says the fact that "we still have trouble teaching people to wash their hands" means the dosh splurged on staff training is likely better …

COMMENTS

This topic is closed for new posts.
  1. Bakunin
    Holmes

    What big teeth you have grandma

    "News International's chief infosec officer, on the other hand, says ... "

    Taking security advice from News International? The irony.

    1. Anonymous Coward
      Linux

      Re: What big teeth you have grandma

      Lets hope he's better at security than email archiving, considering all those incriminating emails that went "missing" on the way to India ...

      --

      ps: for f**k* sake, this is 2013 and we're *still* warning people about email attachments ..

  2. Anonymous Coward
    Anonymous Coward

    Infosec show is still running?

    Is the Infosec show still running? What a tired, content-free way to spend your time.

  3. Anonymous Coward
    Anonymous Coward

    The only security practice that works is a system of multiple layers and accountable users.

    It is usually the users (and admins) who fail to maintain the system correctly that causes the issues.

  4. amanfromMars 1 Silver badge

    Open Systems Hack .... Full Disclosure Grants Immediate Access to Root for ReBooting

    And what of the Invitation to Party by Direct Correct E Mail Address? Is that Uncovered and Discovered in Intelligence Sweeps? Or Already Withheld Pending Sensitive Inquiries on Tempting Provisions/Future Supply.

    1. amanfromMars 1 Silver badge

      Re: Open Systems Hack .... Full Disclosure Grants Immediate Access to Root for ReBooting

      That might actually be an Open Systems Crack.

      1. Anonymous Coward
        Anonymous Coward

        Re: Open Systems Hack

        The television is still talking about you ...

  5. Anonymous Coward
    Trollface

    "The bad grammar...that characterised phishing up to a few years ago..."

    Nice to see it's still alive and well in on-line news though. When you find the word 'wrong' spelt incorrectly you know you're onto something gold...

  6. NickHolland
    FAIL

    In the IT world we tend to put untrained users on potentially hazzardous tools, then expect technology to make those tools "safe"... and then wonder why things go wrong.

    Why does much of the world insist upon driver's training and testing before being allowed to drive a car on public roads? Because it helps. Does an educated driver eliminate all accidents? No, but it improves the situation.

    CLEARLY, throwing technology alone at security is not working. We've been trying this for well over 20 years and the situation is getting WORSE, not better. Maybe it IS time to try education in addition to "improved" technology.

    The usual response I get to this idea is, "education doesn't work!", my reply is, "it has never been seriously tried".

    All the "education" attempts I have seen are based on chanting of rules, which attackers can then use as tools of their own, not true understanding of how the Internet actually works, and how it is used against us. Even the "advanced" security training starts from a premise of "you can't stop them", which I reject -- for the most part, we haven't seriously tried.

    1. Brewster's Angle Grinder Silver badge

      Supposing that you are right, how much would that level of in depth training cost? It's not affordable to give every data entry clerk a "true understanding of how the Internet actually works." (And they probably don't want to know, even if they have the ability to comprehend it.)

      1. Anonymous Coward
        Anonymous Coward

        The cost would be outrageous, but I still don't think a real attempt of educating this is possible, because everyone is different. Too many of us know what to do, and too many of us don't. I think we are pretty much "there" in regards to this topic, but the whole thing seems to boil down to human element. If you still don't know to question that dodgy e-mail attachment or whatever, chances are you never will. This doesn't make people dumb in all fields, it just sets a standard to what field they shouldn't be in.

        1. Tom 13

          Re: If you still don't know to question that dodgy e-mail attachment

          The part that gets me is that I know people with great street smarts but when they login to a PC they go stereotypical blonde.

    2. FlatEarther
      IT Angle

      Training Works

      It's not the full solution, it never stops, but it does work. This is analogous to the handwashing campaign conduct in UK hospitals in recent years. People new they had to do it, they new it had benefits, they just didn't do it (too busy, I'm not doing anything critical, it's just the once, excuse, excuse, excuse).

      So a training campaign with lots of reminders and reinforcement was implemented, with significant benefits (i.e. less people dying).

  7. J.G.Harston Silver badge

    Exactly this problem came up at work today.

    User: Central Government requirements require us to log this data, but the datalogging SD cards are getting rather full, but I can't delete old files after emailing them in without Admin access.

    Corporate Security: Local Government requirements require us to prevent write access to external devices to prevent security issues.

    User: But that means at some point the datalogging will fall over.

    Corporate Security: We've prevented write access to external devices to prevent security issues.

    The solution we've come up with is: throw away the full SD card and buy an empty one.

    1. J.G.Harston Silver badge

      Ok, crush the SD card and put it in the scrap smelter, but essentially throw read/write RAM devices away because they are full.

      1. Tom 13

        @JG

        Look on the bright side: at least you could crush them and throw them away. I've know people with a safe full of dead drives that can't be thrown away because first you need to be able to certify that they've been sanitized. They apparently don't have the money to hire the appropriately certified mobile van crusher to stop by the office and since the drives are physically damaged, they can't run the software they would otherwise use to wipe the drives.

        1. Anonymous Coward
          Anonymous Coward

          Re: @JG

          "They apparently don't have the money to hire the appropriately certified mobile van crusher to stop by the office and since the drives are physically damaged, they can't run the software they would otherwise use to wipe the drives."

          I'm sure the budget would stretch to a torx screwdriver and a sheet of emery cloth. Take the platters out and give them a quick sand. With only 20nm of magnetic material that's easily going to come away sufficiently well to prevent anything being recovered. If you're feeling particularly keen maybe bend them as well, since there's no chance that they could be straightened enough to align properly in a new mechanism. Or if they're laptop drives with glass platters just smash them.

          1. Michael Wojcik Silver badge

            Re: @JG

            I'm sure the budget would stretch to a torx screwdriver and a sheet of emery cloth.

            I'm sure that's not "appropriately certified". It doesn't matter whether it's effective; the point of the original post is that it has to be certified.

            Rather than dismantling the drives and hand-sanding the platters, it'd be a lot faster to throw a drive in a vise and cut a slot through it with an angle grinder. That doesn't make the entire surface of each platter unreadable, if you have your magnetic-force microscope handy, but it clearly raises the cost high enough that an attacker is extremely unlikely to be motivated to try to recover any information. But again, not certified. Hell, these are drives that have suffered hardware failure; I doubt there's any information on them that's sufficiently valuable to even justify trying to swap the controller board and get the drive going again.

            This isn't an information-protection problem. It's an auditing problem.

  8. Anonymous Coward
    Facepalm

    You can't just say don't open PDFs?

    But you can say don't open PDFs under Windows ...

    `One of the firms providing technical tools in the area, PhishMe, will be talking about how what organisations can do to train their staff on how to recognise phishing scams and how to prevent them"'

    Buy a computer that don't execute native code from opening an email attachment or clicking on a URL ..

    --

    mod-down quick :)

  9. Irk
    Pint

    "Behaviour modification training is not full proof"

    But is it at least 8 proof, like this pint?

  10. TrishaD

    Mostly Right

    Sadly, he's mostly right.

    Although its important to differentiate between security training and security awareness because they're not the same thing. Technicians designing and building systems should certainly be trained to code and designed securely and I genuinely believe that that's money well-spent.

    Staff (and indeed Management), need to be security aware, even if that awareness extends only to knowing the extension number of the Information Security team and to have the confidence to be able to call that number if they see something that doesnt look quite right.

    To be honest, though, the motivation for many companies I've worked for in paying out for security training can often boil down to 'If they dont know the Policy, you cant sack them if they breach it'.

This topic is closed for new posts.

Other stories you might like