
2/16/2007
04:30 AM

Giving Up Hope on Users

Expect any help from end users on security? Time to get real

2:30 PM -- End users are hopeless.

That's the message we've been hearing this week as security experts speak out about managing vulnerabilities. These are the voices of IT people who have seen users pull off one too many dumb moves, setting security back for the rest of the network.

"Everything we're doing right now as security people is trying to mitigate the fact that people are stupid," says Rob Enderle, principal analyst with the Enderle Group, an IT consultancy. (See Getting Users Fixed.)

Ira Winkler, a well-known security expert and author of Spies Among Us, suggests that there should be sanctions against those who are exceptionally dumb. "After they've clicked on that phishing link for the fifteenth time, maybe we should blame them and take their computer away. They are a danger to everyone else."

RSnake, founder of ha.ckers.org, suggests that the security function should be taken completely out of users' hands. "Just like you shouldn't be fixing gas mains, you don't want your employees to try to create their own secure environment. They will almost certainly get it wrong, and when they do, it will degrade the life of the equipment. Worse, it will cost IT resources to fix the issue, the employee will no longer be working productively, and you may actually lose confidential information in the process." (See Why User Education's a Bust.)

Even worse, IT organizations find themselves defending their networks against the malicious as well as the stupid. In some cases, IT people are encouraged to monitor employees to see whether they are about to defect or go postal. (See 10 Signs an Employee Is About to Go Bad.)

So are users hopeless? Are they inherently brainless and/or evil?

I'm tempted to answer "yes," just to see what you'll say. But I'm actually afraid of how many IT people would agree with me. I'm not sure I want to know.

Truth be told, the vast majority of end users are reasonably intelligent, and they actually want to practice safe computing. These are the "silent majority" of the users we see every day.

In security, however, we aren't concerned with the majority. We're worried about that inevitable few who will make the same mistake a dozen times, the few who would sell a customer list for a few hundred bucks. Like cops, security people spend most of their time dealing not with the good citizens, but with the crazies on the fringes, the ones who break the rules on a regular basis.

So it's inevitable, I think, that security people have developed a cynical attitude about the average end user, because they've seen the boneheaded things that end users do. No effective security strategy can assume that users will know what to do, or do what they're supposed to.

From this perspective, then, it is safe (and not at all cynical) to say yes, users are hopeless. The best security strategies and technologies are those that take the issue out of the end-user's hands, and don't rely on the individual to do their own patching, update their antivirus software, or even follow the rules. End-user training may be helpful, but it will never filter through to everyone on the network. Some end users may help, but you can't rely on all of your users to do anything.

End users are hopeless. If you use that as your first premise, you've got a better chance of building a truly secure environment.

— Tim Wilson, Site Editor, Dark Reading
