Security pros' advice to consumers: 'We dunno, try 152 things'

A Google-conducted survey of 231 infosec pros worldwide has reaffirmed the industry's faith in strong passwords, and achieved consensus about nothing else. It's almost unfair to make fun of the study's title, “152 Simple Steps to Stay Safe Online: Security Advice for Non-Tech-Savvy Users”, because that's clearly an editorial …

  1. Yet Another Anonymous coward Silver badge

    Don't open unexpected attachments

    Seriously - why should it ever be a user's job to protect the company from this?

    It's like saying we delivered some coffee in the break room - some of it contains anthrax, users should exercise caution.

    If your system allows harmful attachments in or allows damage when they are opened - it isn't the user's fault. Especially if you constantly email company documents that demand permission to run macros when they are opened.

    1. Anonymous Coward

      Re: Don't open unexpected attachments

      Absolutely. I don't expect my users to ever be a sysadmin/secadmin[Light]. That isn't their job, it's been mine going on some thirty-five years now. Should someone need elevated access, we can come to an arrangement (Spiderman doctrine). Otherwise, my people shouldn't have to be in fear of losing their job because I expect them to do my job as well.

      1. djack

        Re: Don't open unexpected attachments

        Malware can harm a company even without elevated privileges. Even if everything a user has access to is regularly backed up, a ransomware attack can still cause great disruption and expense.

        Whilst there are gateway systems that can extract all "non-active" content from incoming files and just deliver that, they are not perfect, can throw away important content and are currently insanely expensive. Until that sort of system is perfected and commonplace, this sort of attack vector is going to be a massive risk.

        Although we don't expect normal staff to "be" security guards, we expect them to not open the fire exit doors because some randomer wants to be let into the building. (That said, we all know that people hold open access doors for unknowns far too often) A bit of awareness is not an unreasonable thing to ask. Yes, mistakes will happen from time to time but "don't click links or attachments in unexpected emails" and awareness that emails may not be from who they say they are should not be difficult concepts for anyone performing pretty much any task in an organisation.

        1. Notas Badoff

          Re: Don't open unexpected attachments

          The first two respondents above would seem to have never heard of a "hard hat area". That is every company these days.

          While I am greatly appreciative of safety harnesses and the boundary ropes that I see at construction sites these days, it will not help if the new wielder of the nail gun hasn't had a safety orientation, and is still wondering whether there is a "rapid fire" setting and how far those nails will travel.

      2. Anonymous Coward

        " Should someone need elevated access"...

        ... if it's an attacker, he or she will use some elevation of privileges vulnerability, don't worry.

        Security is not only a technical issue. If it was, it would have been far easier. Do you have a technical answer to social engineering tactics and techniques? If you have, you can become very rich, selling how to protect from any fraud.

        1. Adam 1

          Re: " Should someone need elevated access"...

          > Do you have a technical answer to social engineering tactics and techniques? If you have, you can become very rich, selling how to protect from any fraud.

          As a matter of fact, I do. I have compiled the 10 easy steps to avoiding social engineering into the attached document below:

          [^10StepsToBetterSecurity.pdf.exe]

          1. Bluto Nash
            Trollface

            Re: " Should someone need elevated access"...

            Couldn't get the attachment to open. Could you repost?

    2. Schultz

      Re: Don't open unexpected attachments

      A bit of cautionary advice won't go amiss ... otherwise users will bring their private virus collection to work when they plug in that USB stick.

    3. Mike Pellatt

      Re: Don't open unexpected attachments

      Especially if you constantly email company documents that demand permission to run macros when they are opened.

      You mean like the spreadsheet Microsoft Licensing emailed for completion to verify license compliance ?? And then wondered why I hadn't done anything with it ??

      Because no-one would send malware pretending to be from Microsoft, would they ?

    4. smudge

      Re: Don't open unexpected attachments

      Seriously - why should it ever be a user's job to protect the company from this?

      You know, that speaks volumes about your attitude to your job and your employer. I'd even speculate that it exemplifies your approach to life.

      "Take some responsibility? No way!"

      I'm very glad that you will never be in my team.

    5. Headley_Grange Silver badge

      Re: Don't open unexpected attachments

      "It's like saying we delivered some coffee in the break room..."

      It's more like saying that someone on the street asked you to take a parcel and leave it in the CEO's office and it's not your job to think about the safety or security implications. Employees are asked to be vigilant about tailgating and other suspicious behaviour, so it's not unreasonable to ask them to be vigilant about potential threats in mail messages.

      1. Yet Another Anonymous coward Silver badge

        Re: Don't open unexpected attachments

        It's more like saying that someone on the street asked you to take a parcel and leave it in the CEO's office

        Except with email we expect each employee to accept random packages from strangers at their desks all day to do their job.

        If you were on an assembly line for a car and all the parts arrived by different courier dozens of times a day directly to you, bypassing security. And it is your responsibility to check that piston rods were ok if sent by "safe-courier" while "safe-courier" are crooks, and then to check that the person in FedEx uniform isn't a North Korean spy.

        1. Anonymous Coward

          "Except with email we expect each employee to accept random packages from strangers"

          Ehm, no. Even plain mail can be an attack vector - e.g. a "promo" USB key, or the like. A good company will train users to be aware of unsolicited parcels, and even expected ones.

          Supply chains may also be well monitored - and usually parts are not delivered directly to the production lines but through a warehouse that may also check package contents - sources can be checked and matched with orders, as well as certificates of conformance, and random parts tested for quality.

          Impersonating a janitor or delivery person is one of the easy ways to enter a building...

    6. Snorlax Silver badge

      Re: Don't open unexpected attachments

      @Yet Another Anonymous coward: "Seriously - why should it ever be a user's job to protect the company from this?"

      Wow. Dumbest comment evar.

      Why? The end user is the biggest security hole in any organisation.

      Using weak passwords. Or if forced to use complex passwords, leaving the password on a post-it.

      Holding doors open for strangers

      Leaving computers unlocked in publicly accessible areas

      Giving out too much information - over the phone, Facebook, Linkedin, etc

      Bringing in devices from home

      No social engineering awareness

      And most importantly for some, clicking on random attachments.

      User education is key to eliminating a lot of this kind of stuff, rather than an attitude of "Security is someone else's job"...

      1. Khaptain Silver badge

        Re: Don't open unexpected attachments

        "User education is key "

        This phrase applies to "everyone" in the company, from users, to admins, to directors. Keeping people aware can make a huge difference, it has a cost but it far outweighs the cost of repairing a compromised system.

        1. Amos1

          Re: Don't open unexpected attachments

          What the proponents of "user awareness" overlook are the things that work against it: Turnover, labor rules, being pushed by management to get something done fast rather than 100% correct, the fact that the scammers have one full-time job and that is to get past your awareness training, so pretty much everything.

          Policies and training are almost worthless without technical controls to back them up. Unless you're in Training, Legal, Audit or Compliance, of course. Then you believe that's all a company needs because without those, you don't have a job.

          1. Snorlax Silver badge

            Re: Don't open unexpected attachments

            @Amos1:"Policies and training are almost worthless without technical controls to back them up."

            Wrong. Your employees are your first line of defense.

            As an employer you have a duty to the company to provide your employees with the correct training - no matter if you're asking them to work with a computer or a chainsaw.

            1. Amos1

              Re: Don't open unexpected attachments

              Wrong. Humans are the last line of defense, not first. They can be great as early warning sensors for things that got past the technical controls but that's it.

              The problem with training is it's like bathing or showering. It doesn't last long yet companies only do it once a quarter or once a year.

      2. Anonymous Coward

        Re: Don't open unexpected attachments

        "No social engineering awareness"

        I'm working on a complex security solution right now and there are three companies delivering different components to it.

        A couple of months ago one of the admins on the network/firewall delivery side was convinced by one of the other company admins that their system needed to have 'x, y and z' opened up to allow it to work.

        Without checking with anyone else this admin raised an internal change to implement those rules. Fortunately it contained an error which meant the change team flagged it to me for review and I saw what had happened. The admin's face was a picture when I explained to him that he had effectively been socially engineered into opening up an unauthorised flow across the network - as far as he was concerned he was being helpful to the team.

        Needless to say he hasn't done it since, a good shaming is often more effective than a whipping :)

        It didn't help that had the change gone ahead the clueless dingbat would have taken down a production service as he'd used an old change record as a template and hadn't blanked out all the other tabs first.

        1. Snorlax Silver badge

          Re: Don't open unexpected attachments

          @AC:"A couple of months ago one of the admins on the network/firewall delivery side was convinced by one of the other company admins that their system needed to have 'x, y and z' opened up to allow it to work."

          Wouldn't touch that one with a 10-foot pole if I was that guy.

          Kick it upstairs for a PHB to sign-off.

      3. Yet Another Anonymous coward Silver badge

        Re: Don't open unexpected attachments

        I see - so instead of the computer thinking "why is a pdf attachment to an email fetching an exe from the internet and then rewriting all the user's files?"

        It's safer for the user to think. Mmm, Jones does work in accounts and has sent me an email asking me to check this invoice, but perhaps I will call him first on a secure phone line (after checking it really is him by asking him what we did at the office party). I will then consider reading the email.

        Unless of course that's what he wants me to do - in which case I must drink from the goblet in front of me, but he already knows that so .... (sorry, might have gone off-track)

        1. Snorlax Silver badge
          Facepalm

          Re: Don't open unexpected attachments

          @Yet Another Anonymous coward:"I see - so instead of the computer thinking "why is a pdf attachment to an email fetching an exe from the internet and then rewriting all the user's files...."

          You deploy Adobe Reader with JavaScript disabled. This can be done in the registry or through Edit -> Preferences -> JavaScript -> Untick "Enable Adobe JavaScript"

          I would have also accepted "Educate your users not to click 'Open this file' whenever your PDF reader asks if they're *really* sure they want to run a potentially malicious file".

          1. Amos1

            Re: Don't open unexpected attachments

            Never got a PDF from a vendor or a law firm with a handy button asking you to click it to agree to their terms, have you? Got one today from an alleged IT security vendor.
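The sub-thread above keeps returning to the same question: can the gateway, rather than the user, notice that an attachment carries active content (djack's "non-active content" extraction, the PDF that "fetches an exe", Adam 1's `.pdf.exe`)? The example below is an added illustration written for this page, not code from the survey, from The Register or from any product the commenters mention. It triages three of the cases raised in the thread: a double extension, an OOXML document carrying a `vbaProject.bin` part, and a PDF whose catalog has an `/OpenAction` that runs JavaScript (including the `/J#53` spelling of `/JS`, a common way to dodge naive string matching). The extension lists and the set of PDF tokens are assumptions chosen for the example, and the sample documents are constructed in memory rather than real files.

```python
"""Attachment triage: spot active content before it reaches a user's mailbox."""
import io
import re
import zipfile

# Assumed lists (not from the original discussion): extensions Windows will run on
# double-click, and document/image extensions used to disguise them.
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "jse", "vbs",
                   "vbe", "ps1", "hta", "msi", "pif", "lnk"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt",
                 "jpg", "jpeg", "png"}

# PDF name tokens that run code or trigger actions when a file is opened.
PDF_ACTIVE_TOKENS = {
    b"/JavaScript": "pdf_javascript",
    b"/JS": "pdf_javascript",
    b"/OpenAction": "pdf_open_action",
    b"/AA": "pdf_additional_action",
    b"/Launch": "pdf_launch",
    b"/EmbeddedFile": "pdf_embedded_file",
}


def double_extension(filename: str) -> bool:
    """True for names like '10Steps.pdf.exe' that dress an executable as a document."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] in DOCUMENT_EXTS


def office_has_macros(data: bytes) -> bool:
    """OOXML files are zip containers; VBA code is stored in a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            if "[Content_Types].xml" in names:
                return b"macroEnabled" in zf.read("[Content_Types].xml")
    except zipfile.BadZipFile:
        return False
    return False


def _unescape_pdf_names(data: bytes) -> bytes:
    """PDF names may be written as /J#53 for /JS; normalise #xx escapes before matching."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes.fromhex(m.group(1).decode("ascii")), data)


def pdf_active_content(data: bytes) -> set:
    """Labels of active-content tokens found in the (uncompressed) PDF body."""
    body = _unescape_pdf_names(data)
    found = set()
    for token, label in PDF_ACTIVE_TOKENS.items():
        # Require a non-letter after the token so /JS does not match a longer name.
        if re.search(re.escape(token) + rb"(?![A-Za-z])", body):
            found.add(label)
    return found


def triage(filename: str, data: bytes) -> list:
    """Collect findings for one attachment; an empty list means nothing was flagged."""
    findings = []
    if double_extension(filename):
        findings.append("double_extension")
    if data.startswith(b"MZ"):
        findings.append("pe_executable")
    if data.startswith(b"PK") and office_has_macros(data):
        findings.append("vba_macros")
    if data.startswith(b"%PDF"):
        findings.extend(sorted(pdf_active_content(data)))
    return findings


# --- constructed samples standing in for real attachments ----------------------------

def build_sample_docx(with_macros: bool) -> bytes:
    """Minimal constructed OOXML container, not a real Word export."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed VBA stub")
    return buf.getvalue()


SAMPLE_PDF_WITH_JS = (  # constructed: an OpenAction that runs (harmless) JavaScript
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /JavaScript /J#53 (app.alert('constructed sample')) >> endobj\n"
    b"%%EOF\n"
)
SAMPLE_PDF_PLAIN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

if __name__ == "__main__":
    for name, blob in [("invoice.docx", build_sample_docx(True)),
                       ("quote.pdf", SAMPLE_PDF_WITH_JS),
                       ("10StepsToBetterSecurity.pdf.exe", b"MZ\x90\x00"),
                       ("brochure.pdf", SAMPLE_PDF_PLAIN)]:
        print(name, triage(name, blob) or "clean")
```

This is a triage heuristic, not the content-disarm gateway djack describes: it only sees names in uncompressed object data, so a real checker has to inflate `/FlateDecode` streams and object streams before matching, and it says nothing about exploits in the parser itself. Its value is in the policy it supports: anything it flags is quarantined or delivered with the active part stripped, and the user is never the control.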

  2. allthecoolshortnamesweretaken

    Change password from 12345678 to 87654321...

    But seriously, this lack of consensus is somewhat surprising and a bit worrying. Maybe it's time to invest in a company (if there still is one) that makes typewriters?

    1. activereachmax

      Is a lack of consensus that surprising? The survey asked professionals for their top 3 pieces of advice for consumers. Every professional is different, as is every consumer and thus their priorities will be different won't they?

      #1 Don't use computers

      #2 Don't connect anything to the Internet

      #3 Close the curtains and hide under the bed

      -----

      #4 Use a password manager and 2FA (What? I only get to pick three pieces of advice? Oh well.)

  3. Andrew Commons

    An old survey.

    "We used Google Forms (www.google.com/forms/about) to write and host the survey, which ran from February through June 2014"

    That's in the final version in IEEE Security & Privacy as well so I assume it's the correct date.

  4. Captain DaFt

    Best Rule

    Treat the Internet like a door to the bad part of town. You can find anything, but if you're not careful, you're gonna get mugged!

    So think before you act.

  5. h3nb45h3r
    Facepalm

    WTF, security isn't a users responsibility....

    Security is everyone's responsibility, clearly for some it's to a greater extent, like if your job is an admin.

    But if you let your users onto any production (or any business paid for network including a dedicated BYOD internet connection) and you don't provide them training (or guidelines at the very least) on how it works and a system operation agreement for them to sign outlining what is expected of them and what they shouldn't do, then you're in trouble to start with.

    Yep, signing a piece of paper they won't read won't stop them doing stupid stuff, but at least you have cover. You should also be locking down the system to prevent the obvious, and providing regular (but not spamming) tips and advice. More importantly, you need HR on board: I'm yet to meet an organisation, even with a fully manned SOC monitoring every log known to man, a fully supported NOC and a room full of admins to ensure the environment is fed and watered, that can block stupid.

    Saying you don't expect users to participate in security is a defeatist attitude given the current threats such as phishing and I believe that mindset is setting oneself up for trouble.

    1. Amos1

      Re: WTF, security isn't a users responsibility....

      One of my favorite questions to ask a prospective vendor is this:

      "Do you have people dedicated to IT Security or is security everyone's job?"

      The dumb ones answer "It's everyone's job!" because when something is everyone's job it's actually no one's job. The smart ones answer "Both."

      Seriously, just today we were questioning a major vendor of financial services software why they were shipping a version of Tomcat that was a year and a half old in a new product, one with many remote code exploitation vulnerabilities. Their response was that they watch the news and when they read something about a problem with a piece of software they use, then they put together a roadmap to upgrade it. If I mentioned their name and you work for an FI you would instantly recognize it. This is the nonsense we deal with every day but fortunately we have management that will walk away from a vendor like this.

      1. Snorlax Silver badge

        Re: WTF, security isn't a users responsibility....

        @Amos1:”One of my favorite questions to ask prospective vendor is this:

        "Do you have people dedicated to IT Security or is security everyone's job?"

        The dumb ones answer "It's everyone's job!" because when something is everyone's job it's actually no one's job. The smart ones answer "Both."

        I’ll take “Things that never happened” for $500, Alex

        1. Amos1

          Re: WTF, security isn't a users responsibility....

          You lose. :-)

          I work in operational security for a large bank, not compliance, audit or procurement. We know what works for real in prevention and detection and what doesn't (contracts) and we get to draw the line in the sand because we do not report through the CIO. The "line in the sand" rarely needs to happen because once we explain how and why a potential vendor will cause us an issue, "the business" will go to an alternate vendor.

          Yes, most are dumb ones. Look at "RSA, the Security Division of EMC". They had a $65 million dollar hack and only in that aftermath did they think it was a good idea to actually create the position of CISO. Not much has changed in business since then. The unwritten policy usually is "Almost any risk is acceptable until it happens to us."

  6. Anonymous Coward

    "Don't use Java"

    It's a bit hard, when you are a Java programmer, or have to use an IDE written in Java - even for other languages.... or other tools, like database management. Unluckily, Java is often still one of the easiest paths to cross platform applications. Heck, even our revenue service now uses the Eclipse platform to deliver its applications.

    Maybe you meant "don't use Java in a browser"?

    1. DougMac

      Re: "Don't use Java"

      especially since so much software of enterprise and service provider realm is written in Java.

      VMware is heavy on Java, all my storage systems management systems use Java on the backend for management and reporting (even if it is a web front end).

      My PKI solution uses Java, I know at least two large SSL CA providers use Java systems.

      My SIEM is written in Java.

      Since .Net is just a copy of Java, does that equate to don't use .Net apps either?

      I suspect the thought is don't use Java in your browser, which would be near impossible nowadays anyway with all the roadblocks that everything throws up. But Java on the backend is extremely prevalent.

  7. John Smith 19 Gold badge
    Holmes

    "Patch systems and software" but note this is "security pros" --> "consumers" advice

    So yes, patch your home PC as it's your PC.

    But how would "consumers" know about running (or not) in "Admin." ?

    In an office environment that (along with limiting what attachments can run, and showing their full names) should be SysAdmin level decisions and tasks.

  8. 0laf
    Pirate

    You can't do "defence in depth" in 3 steps.

    If you were to say any one thing it would be "Educate yourself". That will cover a multitude of other items like opening of suspicious attachments, patching, back ups etc.

    If you wanna use a complex power system safely you're going to have to learn what to do.

    If you don't wanna learn then stick to very simple things to stay safe (feature phones and restricted browsing).

    If you wanna use a complex thing, and stay ignorant then accept things will go wrong and you'll get pwned.

    If you don't want to know about the risks then by default you accept those risks.

  9. tiggity Silver badge

    only 3 pieces of advice

    From each person

    Hence all a bit pointless.

    Each person probably had lots of pieces of advice - they were asked for a top 3

    Would have been far better to get a larger (ranked order as could then do some nice number crunching, meta lists) list from each person

    That way you would get lots more advice (probably lots of stuff NOT in anyone's top 3, but would be in a top 20 or whatever limit was imposed)

  10. Doctor Syntax Silver badge

    "Google survey finds pros don't like safety strategies preferred by spooks"

    We've seen a few examples lately of spooks getting pwned. Maybe taking their advice on defensive measures wouldn't have been the best idea.

  11. Anonymous Coward

    Suitable Systems

    I have sympathy for some users. Have sat and watched a person processing incoming payments for around an hour, this was their job to do all day.

    These payments were all detailed in word documents coming via email. A couple of times I stopped them as I thought an email might be suspicious. I received some tuts and sighs.

    This person was under pressure to complete a job using the tools given to her.

    Some months later she was responsible for opening a dodgy attachment and encrypting the whole branch office file share.

    I went to her defense as she was under a disciplinary. Until the systems we expect people to use are suitable this sort of thing will continue.

    When I asked why there wasn't a secure gateway for these file submissions, officially I was told to mind my own business, was only a lowly contractor. In private, I was told, it was down to cost obviously..

  12. Aodhhan

    Don't waste your time

    20 minutes you'll never get back.

    The entire structure of this 'survey' lacked proper form and research.

    The conclusion of how varied the advice is... Of course. First off, you asked people who use the google security site. This wouldn't make my top 100 places to search for qualified security professionals.

    Also... security professionals tend to put their time into only a few areas of security. It's impossible to concentrate on all areas. This alone is going to produce varied responses. Also, this is a very fluid and ever moving field of study. You will likely get responses on the last 3 big problems the professional worked to close down.

    You will also get varied responses on any security response which will vary depending on if it's directed towards customers or employees.

    Then there is no definition of what a "non-tech savvy user" is. I know system administrators who I may consider not very tech savvy because they still can't comprehend certain networking concepts.

    Then again, I may consider a 12 year old tech savvy because he understands how to pair his Bluetooth enabled phone to his mom's car.

    Then you look at the author's profession and where they work and you immediately shake your head.

    So... don't waste your time.

  13. Keen1

    Who needs strong passwords

    According to new NIST guidelines users shouldn't even bother with strong passwords. So even that simple advice is now under challenge.

    I already have my bludgeon ready for the many users who will be coming to demand 8 character passwords with no complexity

    1. Snorlax Silver badge

      Re: Who needs strong passwords

      @Keen1"According to new NIST guidelines users shouldn't even bother with strong passwords. So even that simple advice is now under challenge."

      I think the actual advice from NIST wasn't that you shouldn't bother with strong passwords, but rather:

      1. Remove periodic password change requirements

      2. Remove arbitrary complexity requirements

      3. Screen new passwords against a dictionary of compromised passwords, e.g. password1, P@55word, changeme, drowssap, etc

      1. Amos1

        Re: Who needs strong passwords

        Right, because no one has ever shared a password that never needs changed.

        When we went to complex passwords checked against a 250K word list we almost shut the company down. Now there are lists over 300 million long. Want to know what the chances are that you would ever pick a password not on that list? Less than 1 in 300,000,000.

        1. Adam 1

          Re: Who needs strong passwords

          > Less than 1 in 300,000,000.

          So what you're saying is that if I generate a random password using lower case, upper case, digits, I need to make it at least 5 characters long.

          1. Amos1

            Re: Who needs strong passwords

            No, because that whole concept only protects against password guessing and not password cracking of the files or databases that hold credentials. Unless you can make the password strong enough that it lasts longer than the lifetime of the data you're protecting, they are not good enough.

            That's where periodic password changes help. If it takes a multi-GPU cracker 40 days to crack a password file but the data only needs protected for 30 days you're in great shape. An example would be a pending SEC filing for the next quarter's earnings. But if you're protecting customer data passwords are never good enough unless all of your customers have really, really short life expectancies.

            What I'm saying is that the only reason passwords are still in use is because they have no acquisition fee; i.e. you can create as many username/password accounts as needed and it doesn't cost the company anything initially.

            They cost a lot in ongoing soft costs: password resets, poor choices, poor controls, temporary loss of access resulting in productivity hits, an elevated risk of compromise, etc.

  14. docwebhead

    No, the NIST redefines strong passwords as long passphrases you can actually remember, rather than 8 characters of line noise.

    1. PaulVD

      That's lousy advice too. I have 209 different passwords currently in my password manager. Even if I had 209 individually memorable passphrases, I am never going to remember which one belongs to The Register. Much safer to copy and paste "pYsuuRM-jr5q".

      1. EnviableOne

        What about your vault master password?

        The change in tack came from looking at it from a user's perspective and recommends using password managers.

        The rules are simple:

        1) length trumps complexity

        2) only force a change if it's compromised

        3) Use a password manager

        4) use unique passwords

        5) don't block pasting into password fields
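The three NIST points Snorlax lists, EnviableOne's five rules, and the Adam 1 / Amos1 exchange about a 300-million-entry list all describe one acceptance routine. The following is an added example written for this page, not code from NIST, from any password manager, or from the commenters: it applies a length floor and ceiling, no character-class rules, a reject list for repeated or sequential strings (so 12345678 and 87654321 both fail), and a lookup against a compromised-password corpus using a SHA-1 prefix range query of the kind breach-corpus services expose, so the candidate itself never leaves the client. The corpus here is a ten-entry constructed stand-in, the 8/64 limits are assumed policy values, and `guess_space` does the arithmetic behind Adam 1's "at least 5 characters" remark.

```python
"""Password acceptance in the NIST SP 800-63B style: length and a breach-corpus check,
no composition rules and no calendar-driven rotation."""
import hashlib
import math

MIN_LEN, MAX_LEN = 8, 64   # assumed policy values; 800-63B sets 8 as the floor and asks for 64+

# Constructed stand-in for a compromised-password corpus (real lists run to hundreds of millions).
BREACHED_PASSWORDS = ["password", "password1", "P@55word", "changeme", "drowssap",
                      "12345678", "87654321", "Password123", "qwertyuiop", "letmein"]


def _sha1_hex(s: str) -> str:
    return hashlib.sha1(s.encode("utf-8")).hexdigest().upper()


# Index by the first five hex digits of SHA-1 so a client can ask about a prefix
# (a k-anonymity range query) without ever sending the candidate password.
BREACH_INDEX = {}
for _pw in BREACHED_PASSWORDS:
    _h = _sha1_hex(_pw)
    BREACH_INDEX.setdefault(_h[:5], set()).add(_h[5:])


def range_lookup(prefix: str) -> set:
    """The 'server' side: every hash suffix in the corpus sharing this 5-hex-digit prefix."""
    return BREACH_INDEX.get(prefix.upper(), set())


def is_breached(candidate: str) -> bool:
    h = _sha1_hex(candidate)
    return h[5:] in range_lookup(h[:5])


_KEYBOARD_RUNS = ("0123456789", "abcdefghijklmnopqrstuvwxyz", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def is_trivial_sequence(candidate: str) -> bool:
    """Repeated or sequential characters, forwards or reversed (87654321 included)."""
    s = candidate.lower()
    if len(set(s)) == 1:
        return True
    return any(s in run or s in run[::-1] for run in _KEYBOARD_RUNS)


def check_password(candidate: str, username: str = "") -> tuple:
    """Return (accepted, reason). No character-class rules: length and the corpus decide."""
    if len(candidate) < MIN_LEN:
        return (False, "too_short")
    if len(candidate) > MAX_LEN:
        return (False, "too_long")
    if username and username.lower() in candidate.lower():
        return (False, "contains_username")
    if is_trivial_sequence(candidate):
        return (False, "sequential_or_repeated")
    if is_breached(candidate):
        return (False, "known_breached")
    return (True, "ok")


def guess_space(length: int, alphabet_size: int) -> int:
    """Number of distinct strings a random password of this shape can be."""
    return alphabet_size ** length


def keyspace_bits(length: int, alphabet_size: int) -> float:
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for pw in ["changeme", "87654321", "P@55word", "correct horse battery staple", "pYsuuRM-jr5q"]:
        print(f"{pw!r}: {check_password(pw)}")
    # A random 5-character mixed-case alphanumeric password has more possibilities than a
    # 300-million-entry list, but that says nothing about offline cracking of leaked hashes.
    print(guess_space(5, 62), round(keyspace_bits(5, 62), 1))
```

Two caveats a practitioner would add. The SHA-1 here is only the corpus lookup key, the same way the public range APIs use it; stored credentials still need a slow, salted, memory-hard hash, which is the offline-cracking point Amos1 makes. And a corpus check only catches what the corpus contains: `P@55word` fails here because it is in the list, not because anything recognised the substitution.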

  15. -tim

    Email - why html?

    It is amazing how clear scammy email is when you use a very old email program that only does text. Things like Pine are great for that. Even old school mail isn't going to get p0wned but it is so clear.
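-tim's point is that a text-only client shows the real link because there is no rendering layer to hide it behind. The example below is an added illustration written for this page, not code from Pine or from the commenter: it pulls the `text/plain` alternative out of a MIME message the way a text client would, and, for the HTML alternative, flags every anchor whose visible text looks like a URL but whose `href` points at a different host. The message is constructed for the example, with hostnames under the reserved `.example` and `.test` domains.

```python
"""Show an e-mail the way a text-only client would, and flag links whose visible URL
and real target disagree."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url: str) -> str:
    if "://" not in url:
        url = "https://" + url
    return (urlparse(url).hostname or "").lower()


def mismatched_links(html: str) -> list:
    """Anchors whose visible text looks like a URL but resolves to another host."""
    parser = _LinkCollector()
    parser.feed(html)
    return [(text, href) for href, text in parser.links
            if text.lower().startswith(("http://", "https://", "www."))
            and _host(text) != _host(href)]


def _part(raw: bytes, kind: str):
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=(kind,))
    return body.get_content() if body is not None else None


def plain_text_view(raw: bytes):
    """What a client like Pine shows: the text/plain alternative, no rendering."""
    return _part(raw, "plain")


def html_view(raw: bytes):
    return _part(raw, "html")


# Constructed sample message; the .test and .example domains are reserved names.
SAMPLE_MESSAGE = b"""From: "Accounts" <accounts@bank.example>
To: user@corp.example
Subject: Invoice 4471 overdue
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review your invoice: http://bank-example.login-verify.test/4471

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review your invoice:
<a href="http://bank-example.login-verify.test/4471">https://www.bank.example/invoices/4471</a></p></body></html>
--b1--
"""

if __name__ == "__main__":
    print(plain_text_view(SAMPLE_MESSAGE))
    for shown, real in mismatched_links(html_view(SAMPLE_MESSAGE)):
        print(f"displayed {shown} but goes to {real}")
```

The check only fires when the displayed text itself looks like a URL; a "Click here" anchor pointing at the same host is not flagged, and a lookalike domain shown honestly as its own name passes too. That is the limit of what a client can do without a reputation source, which is why the plain-text view, where the raw target is all there is, remains the simpler control.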

  16. Lion

    Adviser and target group mismatch

    An InfoSec Professional is required to develop breadth and depth throughout the information security domain, e.g. in physical security, business continuity and legal matters. They are best suited at advising sysadmins and business suits on the dangers of inadequate security procedures.

    Non-tech savvy users are often frightened to make changes and rely on automated processes to keep their devices 'secure'. Advising them to change a default setting or run image backups is daunting. Being an informed user is different from being tech savvy - this camp usually finds someone with some tech savvy skills to help them secure their devices. The uninformed user will always be a menace to self and the rest of us as they ignore all advice.

    The average informed user who has some tech skills would have been the better target for this survey. At least they would have the basics (password management, safe browsing, patching etc.) understood and already in place. The Infosec Pros on making this assumption could have then concentrated on more current and pressing security advice.

  17. Anonymous Coward

    So IT (the industry) made its world thoroughly unsafe.

    Now users are blamed and must clean up the mess, according to the creators of the mess.

    Bite that hand, not lick it!

    1. EnviableOne

      No. The IT industry built its world on a foundation that people are trustworthy (well, those that used it then were) and then the public got hold of it and made it a mess of criminals and thieves
