At RSA, specious arguments against security awareness
A debate requires intelligent dialogue from representatives on both sides of an issue. That's not what happened at the RSA conference panel on security awareness.
Computerworld - It takes two to tango, and at least two opinions to tangle. That's why the security awareness panel held during the recent RSA conference was so frustrating: There was a remarkable lack of diversity in opinion. I attended with hopes for a proper debate, but that would require intelligent dialogue from representatives on both sides of the issue at hand.
Only one of the panelists, Hord Tipton, argued in favor of security awareness, and he did so mildly. Bruce Schneier had decided at the last minute to argue against security awareness -- a decision that may have given some people the impression that security awareness is indefensible. Other panelists admitted that their experience with security awareness is tangential at best. Dave Aitel, whose negative opinions on security awareness are well documented, stated very early on, "I don't have experience managing a large program."
With all the panelists other than Tipton demonstrating a fundamental lack of understanding of security awareness, they perpetuated the myth that security awareness programs are ineffective and expensive. But they did worse than that. Aitel, for example, stated, "If you use security awareness as a protective layer, you're opening yourself up to malicious actors like Bradley Manning." That is just wrongheaded. In fact, Manning's co-workers reported him to superiors, as awareness recommends, but those superiors failed to act. More importantly, the Manning case demonstrated countless failures in security technology that facilitated Manning's crimes. Despite those technology failures, if those in charge had taken seriously the concerns of Manning's peers, his attack may have been thwarted.
Others made objections that seemed irrelevant. Francis Brown stated that security awareness wouldn't have stopped recent breaches that were initiated when users visited a previously benign and much-frequented site that had been compromised so that malware would be installed on visitors' computers. Brown's point seemed to be that security professionals can't make users aware that a site might be dangerous if they themselves don't know that it might be dangerous. Well, OK, I guess that's true enough. But why does he think that security awareness seeks to tell users which sites they can and cannot visit? That's an impossible task. What security awareness can do is to teach users about things like website checkers, which can limit their vulnerability to bad sites. And no one ever said that security awareness should be the full extent of a company's security efforts. It's a supplement to the technology that we all can use to make our companies safer.
In any event, the sorts of watering-hole attacks that Brown cited are insignificant in number compared to attacks caused by human error. And human error can indeed be ameliorated with security awareness, though it is impervious to technology fixes.