Security is more than firewall ACLs

I am en route to see family via train and sitting in the cafe car eating a hot dog, and the gentleman sitting behind me picks up the phone to call (presumably his aunt or mom). After pleasantries and holiday wishes, the conversation turns to the peculiar topic of voicemail security and passwords. In the span of about 3 minutes, the guy first describes how the listener should set a 4 digit code for their voicemail so “no one can hack into your voicemail” and then proceeds to relay his own example by providing every bit of personal information to a car full of passengers (“see, my birth date is August xx, 19xx and my last name is xxxxxxxx, so my voicemail password is xxxxxxxxx, but my computer password at work is xxxxxxxxx. My bank didn’t like that password so I added my birth year to the end…”). I had to physically restrain myself from turning around and bonking the guy on the head.

First I started thinking about how clueless the average person is about information security. Quickly though, I caught myself and realized how we, the geek/IT community, have really failed the broader user community over the last couple of decades when it comes to IT security.

First, in the interest of self-preservation, we made IT and INFOSEC into a mysterious giant that lives on the hillside and that only the blessed few can understand. Our general message has been “don’t worry your pretty little head about INFOSEC and ITSM. We have a Nimitz class double redundant self healing situationally aware border firewall coupled with artificial intelligence based IDS/IPS and NAC infrastructure. We have degrees and certifications you cannot even spell. Just give us more money, we got this.”

Then, when someone does get infected or breached, our disdain for their inability to understand INFOSEC is palpable. “You clicked on WHAT?! Don’t you know you aren’t supposed to click on links embedded in emails that appear to come from your beloved aunt? You silly, silly man! Now YOU have brought the entire corporate network down. I hope you are proud.”

Then, when convinced that educating end users is important, we set up some pretentious security program that generally says some variation of “don’t be stupid and you will be fine,” leaving many non-geeks to say “but I have no idea what not being stupid means.”

I’ve seen end users in my government agency so petrified that they refuse to open legitimate emails, click on links to properly authorized internal sites, collaboration portals and documents, and even mark these emails as spam (resulting in not getting any more emails from the boss, or a colleague, or the help desk… Maybe not all that troublesome after all!). And then they say things like “oh, I get so much spam I routinely miss important information.”

Fellow geeks, it is in our own self-interest to educate non-techie end users and colleagues about real, practical information security and management in a non-hostile manner. Help them understand concepts in layman’s terms. Help them see parallels between information security and physical security (you wouldn’t give a stranger the keys to your house, would you? Well, your password is like the key to your computer system). Build a partnership that allows users to ask frank questions rather than cowering in fear. Let’s try to turn this tide in the new year.