Ira Winkler: Stupid users, or stupid infosec?
When security professionals see stupidity all around them, shouldn't they ask themselves whether it's their own precautions that are lacking?
Computerworld - I regard Thornton May as a thought leader in the field of information technology, but his Nov. 19 column, "Can Infosec Cure Stupid?", had me scratching my head.
Unusually for him, May's underlying assumptions are flawed. He argues that end users are generally stupid, his evidence being that they don't understand how the devices they use work and that they do stupid things with those technologies that render them vulnerable. His solution: All users should have a brain trust of security-savvy people they can turn to with their questions. I know many of the smart people that May says make up his personal brain trust, and I certainly hope none of them told him that this column was a good idea.
Let's look at the "people are stupid" assumption. It's true, May contends, because you would have to be stupid to leave your laptop or cellphone at an airport checkpoint or in a taxi. But hundreds of thousands of people have done this. In a group of that size, there will be some who ignore all guidance and do things purposefully or ignorantly wrong, and they can fairly be called "stupid." But how many are we talking about, really? Those hundreds of thousands come from all walks of life, high-ranking executives among them, which is why their carelessness matters so much. Is it really helpful to chalk it up to stupidity?
I have to think that this situation -- hundreds of thousands of reasonably bright people just walking away from valuable assets like laptops and smartphones -- demonstrates not their stupidity but a flaw in the measures taken by security professionals. Think about it: If something happens so often, and clearly is not done intentionally, then a good security professional should realize that the problem is not the people but the process. So who's looking stupid now?
A good security professional should realize that airport checkpoints are mentally overwhelming for even "smart" people. People are rushed. They are forcibly separated from their laptops and other devices, among many other personal belongings. There is a lot for people to account for under stressful conditions. I even know many smart security professionals who have left devices behind.
What is smart is for security professionals to acknowledge that while they cannot prevent laptops from being left behind, they can control what a lost laptop costs. They can ensure that laptops are physically marked with owner and contact information so that the TSA can return them. They can install laptop-tracking and -retrieval software and enforce whole-disk encryption, so that a lost device is a hardware loss rather than a data breach. They can make sure that any data on a missing laptop can be remotely wiped. None of these controls depends on the user remembering anything at the checkpoint, which is exactly the point.