Controls are ineffective without user cooperation
Donn S. Parker pointed out controls are ineffective without user cooperation.

According to an AT&T sponsored survey, 78% of executives admitted to opening attachments from unknown senders in the last year, 29% used their own name or birthday as a "secure" password, 17% accessed the company network in a public place and didn't log out, 9% informally shared a network password with someone outside of the company.

http://www.att.com/news/item/0,1847,13137,00.html

The survey included relatively few people, 254 executives from Europe, North America and Asia-Pacific regions.
On Fri, 16 Jul 2004, Sean Donelan wrote:
Donn S. Parker pointed out controls are ineffective without user cooperation.
According to an AT&T sponsored survey, 78% of executives admitted to opening attachments from unknown senders in the last year, 29% used their own name or birthday as a "secure" password, 17% accessed the company network in a public place and didn't log out, 9% informally shared a network password with someone outside of the company.
surprised? if you don't teach the baby the consequences then they continue to behave badly. I suppose it IS a little bit tough to tell the executive: "Bad Exec!! NO COOKIE!!!" or the equivalent in execu-speak :(
http://www.att.com/news/item/0,1847,13137,00.html
The survey included relatively few people, 254 executives from Europe, North America and Asia-Pacific regions.
Tell them that every time they click on that thing, it costs $1000 to disinfect the LAN and keep the firewall up to date.

Caveat: have yet to actually try this approach, but seems like it would have a chance at least.

+-------------------------
+ Dave Dennis
+ Seattle, WA
+ dmd@speakeasy.org
+ http://www.dmdennis.com
+-------------------------

On Fri, 16 Jul 2004, Christopher L. Morrow wrote:
On Fri, 16 Jul 2004, Sean Donelan wrote:
Donn S. Parker pointed out controls are ineffective without user cooperation.
According to an AT&T sponsored survey, 78% of executives admitted to opening attachments from unknown senders in the last year, 29% used their own name or birthday as a "secure" password, 17% accessed the company network in a public place and didn't log out, 9% informally shared a network password with someone outside of the company.
surprised? if you don't teach the baby the consequences then they continue to behave badly. I suppose it IS a little bit tough to tell the executive: "Bad Exec!! NO COOKIE!!!" or the equivalent in execu-speak :(
http://www.att.com/news/item/0,1847,13137,00.html
The survey included relatively few people, 254 executives from Europe, North America and Asia-Pacific regions.
On Thu, 15 Jul 2004, Dave Dennis wrote:
Tell them that every time they click on that thing, it costs $1000 to disinfect the LAN and keep the firewall up to date.
Sean quoted some numbers sometime ago for 'average cost of virus outbreak per enterprise'. I don't recall the specifics, but they were staggeringly high...

On a whim/notecard let's try this:

1) enterprise network with 10,000 user systems (we'll assume no 'servers' got/get infected in this fictitious dreamland of an example)
2) 1 user clicks attachment and gets <pick your flavor of email trojan/virus> which spreads to 50% of the user PCs before action is started to clean them.
3) assume a 'large' infosec/helpdesk group: 20 people
4) assume average cost per sec/help employee at 100,000/yr (including benefits+OT for this incident)
5) assume all other sec/help work stops to stem the virus flow
6) assume it takes 1 day (complete 14 hour day) to cleanse the bad machines (5k machines, which is 5000/20/14 = 17.8 machines/person/hour or 3.3 mins to clean each machine and move to next machine... 'lightning fast staff'!)
7) So for 1 day we tied up 20 people for 14 hours: 100000/1880*8*20 + 100000/1880*6*20*2 = $21276.60

That accounts ONLY for the sec/help people to do their 14 hours/person of work (assuming 2x normal OT rate; count that out and it's still: $14893.62)

Now, keep in mind that during this 14 hours the following other things did NOT happen:

1) 5000 people doing their normal job due to their PC being dead
2) 20 sec/help people NOT doing their normal work
3) 1 exec still happily playing solitaire...

These calculations are 'back of the irc-bot' calculations, and do leave some things out... for instance server outages due to virus infections, service outages due to network outages, lost revenue due to service outages or lack of capacity to manage customer requests/complaints/orders/blah...

These events are highly costly, no matter how many times we make this argument it's not clear that anyone that should be listening IS listening. Often the resulting response is: "Well, buy more/better virus protection software!" (from the same clicker-of-attachments) or "Shouldn't our AV have caught this?" AV is but one part of the equation, user education and consequences are some of the other part(s).
Caveat: have yet to actually try this approach, but seems like it would have a chance at least.
you'd sure think it would, sadly it doesn't seem to...
On Fri, 16 Jul 2004, Christopher L. Morrow wrote:
According to an AT&T sponsored survey, 78% of executives admitted to opening attachments from unknown senders in the last year, 29% used their own name or birthday as a "secure" password, 17% accessed the company network in a public place and didn't log out, 9% informally shared a network password with someone outside of the company.
surprised? if you don't teach the baby the consequences then they continue to behave badly. I suppose it IS a little bit tough to tell the executive: "Bad Exec!! NO COOKIE!!!" or the equivalent in execu-speak :(
I was looking at a friend's PC, her mother uses it and she's a bit of a technophobe... I was upset that it hadn't had any of the Windows updates installed since last time I looked at the PC a year ago even tho Windows was popping up all the time pleading to be updated!

I attempted to explain the whys and what fors and was surprised at her reaction.. she still didn't want to run the updates even tho she now understood what they do. 2 reasons:

1) she's overwhelmed by the amount of things that pop up at you, ask you to click on them, tell you they're an email from Microsoft etc etc
2) she "only uses the PC for web browsing, if it gets infected there's no harm that can be done"

So how do you argue with that?

Steve
Stephen J. Wilcox wrote:
2) she "only uses the PC for web browsing, if it gets infected there's no harm that can be done"
So how do you argue with that?
I think we have to learn to explain to the "normal" people, without scaring them too much, that their PCs are part of a big online world whenever they are online - which is almost always in the world of broadband - and that even if they don't feel directly affected by Internet-borne viruses, their PC can be turned to "evil" purposes without them knowing and that it is their duty to behave properly in this online world.

Agreeing somewhat with Paul Vixie's earlier comment about learning to use the right analogies or not using them, I am still going to try - because when we speak to these "normal" people, they need analogies to help them understand. So with that in mind; while you may not care while inside it if your car develops a fault and belches smoke and pollution everywhere, you should care because of those other folks on the road and roadside while you are driving it past - not to mention the additional costs in fuel and oil and so on - or in the PC sense, the whole machine can become sluggish and perform poorly when not well maintained as well as causing others grief.

rgds,
--
Peter
On Sat, 17 Jul 2004, Stephen J. Wilcox wrote:
On Fri, 16 Jul 2004, Christopher L. Morrow wrote:
According to an AT&T sponsored survey, 78% of executives admitted to opening attachments from unknown senders in the last year, 29% used their own name or birthday as a "secure" password, 17% accessed the company network in a public place and didn't log out, 9% informally shared a network password with someone outside of the company.
surprised? if you don't teach the baby the consequences then they continue to behave badly. I suppose it IS a little bit tough to tell the executive: "Bad Exec!! NO COOKIE!!!" or the equivalent in execu-speak :(
I was looking at a friend's PC, her mother uses it and she's a bit of a technophobe... I was upset that it hadn't had any of the Windows updates installed since last time I looked at the PC a year ago even tho Windows was popping up all the time pleading to be updated!
I attempted to explain the whys and what fors and was surprised at her reaction.. she still didn't want to run the updates even tho she now understood what they do. 2 reasons:
1) she's overwhelmed by the amount of things that pop up at you, ask you to click on them, tell you they're an email from Microsoft etc etc
2) she "only uses the PC for web browsing, if it gets infected there's no harm that can be done"
So how do you argue with that?
There is a very simple way of demonstrating the problem of viruses on her PC to her. Install a modem in the PC and connect it to the phone line. It won't be long till she gets one of the viruses that dial a long distance location. Her next phone bill will demonstrate to her why having a clean PC is important.

This has worked for my in-law. He was the one who plugged the modem back into the phone line after I unplugged it and told him not to have it plugged in.

K
On Jul 17, 2004, at 8:22 AM, Stephen J. Wilcox wrote:
1) she's overwhelmed by the amount of things that pop up at you, ask you to click on them, tell you they're an email from Microsoft etc etc
Yeah, that sux. Someone should fix that. Get right on that, would you? :)

In the meantime, tell her not to deal with the pop-ups, just remember to click Start -> Windows Update _herself_, manually, once a week or so. And install a virus checker. Oh, and since you know what you are doing, lock her system down so nothing can get in, since she only uses it for web browsing.
2) she "only uses the PC for web browsing, if it gets infected there's no harm that can be done"
So how do you argue with that?
If the idea of spewing millions of spams to other people does not affect her, you could threaten her with violence. Also, a lot of people who "only do web browsing" sometimes "browse" to their bank....

--
TTFN,
patrick
participants (7)
- Christopher L. Morrow
- Dave Dennis
- Krzysztof Adamski
- Patrick W Gilmore
- Peter Galbavy
- Sean Donelan
- Stephen J. Wilcox