Monday, February 26, 2007
I've been away from the blog for a few days (lots of work to do before Black Hat), but I took note of this little article from Dark Reading. It is a discussion about the value and results of training users. I have mixed feelings about it. I really believe that training users must be part of a security program. However, I must also admit that there are limits to the effectiveness of this measure. After all, they are humans. You can make 80% of your users avoid problems, but 20% will certainly look for them even after months of training.

In the DR discussion, RSNake mentions that you need to keep harmful things far from the users. I agree with him, especially about local admin rights. A big problem is that in most organizations there are lots of people with special privileges on their workstations, mostly IT staff. These are the most dangerous users, as they usually have dangerous tools installed and access to critical information. They also think that they don't need security training, which is different from the regular business user, who knows that there is risk and that he/she doesn't know how to avoid it.

I think that the problem of user actions is like a big hole being covered from two sides. One side is the least privilege and default deny concepts; we need to take them seriously. The other is security awareness. Neither side is enough to close the gap alone, but increasing both together will achieve the goal.