Features versus Security versus User Education

  • To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
  • Subject: Features versus Security versus User Education
  • From: Paul L Schmehl <pauls@UTDALLAS.EDU>
  • Date: Tue, 30 Mar 1999 14:48:01 -0600
  • Approved-By: Russ.Cooper@RC.ON.CA
  • In-Reply-To: <000501be7a64$5804a410$0d00000a@aesthetic>
  • Reply-To: Paul L Schmehl <pauls@UTDALLAS.EDU>
  • Sender: Windows NT BugTraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>

I'm going to throw in my two cents also.  I'm the Technical Support
Services Manager for UTD.  I oversee the entire Help Desk operation plus
all support functions of the IT department at UTD.  In addition, I'm the
"resident expert" on viruses and anti-virus technology as well as a
reference point on current security concerns.  So my perspective is perhaps
a bit different from others.

Application functionality is only going to increase over time.  Macros have
a number of good uses which are too valuable to deny to users.  Computers
are a tool to increase productivity, and as such, anything that goes
counter to increased productivity is going to have a hard time succeeding.

The day is not far off when fully computerized lives are a reality; voice
activated home systems that control heat, light, cooking, etc. tied in with
a personal database for financial transactions and a work system for career
related data.  All these systems will use "the Internet"
(telecommunications systems including wireless) to function in an
integrated manner.  (You'll be able to log in to your home system from the
office to adjust the temperature before you get home or start a pot of
coffee, for example.)

For all these integrated systems to work without disruption, *some* method
of positive identification *must* become common.  Whether it's an ID
card/password system or fingerprint/ID/password system (or something not
yet invented) is irrelevant.  There *must* be a method of positively
identifying an online entity.  Designing and implementing this is the job
of security professionals, is it not?

Since *some* method of identification must become common, and certificates
look like a likely possibility, at least for some applications, I think the
suggestion to have signed Macros is an excellent one.  Perhaps a method of
detecting and inspecting (or stopping?) incoming Macros at the firewall is
also needed.

I think the present approach of many security experts is misguided.  In
general, it seems the accepted approach is to deny functionality that
exposes a network/individual to risk, but this runs counter to the users'
desire to have useful features that increase productivity.

Since user-desired functionality is the demand which drives software
development, it seems the security folks would have more success by
approaching the problem from a positive perspective.  I.e. How can we make
this functionality as secure as possible, rather than how can we deny the
functionality?  The future lies not in denying functionality but in making
that functionality as tamper-proof as possible.

Regarding user education, the attitude that the users are stupid
accomplishes nothing except to alienate admins from users.  All too often
this attitude stems from the fact that users don't understand the technical
jargon we use, and so they tend to tune us out quickly.  How often have you
seen an error message which makes sense to the average user as opposed to
one that makes sense to a developer?

As a community, we techs have got to learn to communicate with the users in
a manner *they* understand rather than in *our* terms.  I do *not* believe
it is the network admins' job to educate users.  I *do* think it is in part
the responsibility of tech support but primarily the task of the training
department.

Here at UTD, we (tech support) work in close concert with the training
department to identify areas of need and assist training in getting users
in to classes.  (For example, we track calls by username and identify
repeated problems such as password changes as opportunities for training.)
I think the idea one person offered (of making it a requirement of the job
to pass a basic computer use test) is an excellent one and will become more
common in the future.  We wouldn't hire a secretary who can't type.  Why
hire computer users who can't use a computer properly?

Since a computer-user-literate population doesn't exist (to some degree)
today, entities will have to train them.  That is what we are attempting to
do now.  Perhaps the "Melissa" virus and the children it spawns ("Papa" is
already here) will create the momentum for some of these changes to occur.
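
The "detect incoming Macros at the firewall" idea floated above, as an added example that is not part of the original post or of anything NTBugtraq published: a Python heuristic of the kind a mail gateway could run on Office attachments. The OLE2 magic number and the `_VBA_PROJECT`, `Macros` and `VBA` storage names are real Microsoft compound-file conventions; the function names and the constructed sample files are assumptions made here, and the zip-based (.docm/.xlsm) branch goes beyond the 1999 file formats the thread is about.

```python
"""Gateway heuristic: does an Office attachment carry a VBA macro project?

Added example, not from the original post.  It does not parse the compound-
file directory; it looks for the UTF-16LE storage names a VBA project leaves
behind, which is roughly how 1990s mail and firewall filters worked.  Treat
a hit as "quarantine and inspect", not as proof of malice.
"""
import io
import zipfile

# Magic bytes of an OLE2 / Compound File Binary document (.doc, .xls, .ppt).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Storage/stream names present when a legacy Office file holds a VBA project.
# Directory entry names are stored as NUL-terminated UTF-16LE, so the search
# uses the terminated form to cut down on false positives.
OLE2_MACRO_NAMES = ["_VBA_PROJECT", "Macros", "VBA"]


def ole2_has_macros(data: bytes) -> bool:
    """True if an OLE2 blob contains any of the VBA project storage names."""
    return any((name + "\0").encode("utf-16-le") in data for name in OLE2_MACRO_NAMES)


def ooxml_has_macros(data: bytes) -> bool:
    """True if a zip-based Office file (.docm/.xlsm/.pptm) embeds vbaProject.bin."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return any(name.endswith("vbaProject.bin") for name in z.namelist())


def classify_attachment(data: bytes) -> str:
    """Return a short verdict a mail gateway could act on."""
    if data.startswith(OLE2_MAGIC):
        return "ole2-macro" if ole2_has_macros(data) else "ole2-clean"
    if zipfile.is_zipfile(io.BytesIO(data)):
        return "ooxml-macro" if ooxml_has_macros(data) else "ooxml-clean"
    return "other"


# --- constructed sample attachments (hypothetical, not real documents) ---

def make_fake_ole2(with_macros: bool) -> bytes:
    """A minimal byte string that mimics the directory names of a .doc file."""
    blob = bytearray(OLE2_MAGIC) + b"\x00" * 504  # pad out a 512-byte header
    names = ["Root Entry", "WordDocument", "1Table"]
    if with_macros:
        names += ["Macros", "VBA", "_VBA_PROJECT"]
    for name in names:
        blob += (name + "\0").encode("utf-16-le") + b"\x00" * 64
    return bytes(blob)


def make_fake_ooxml(with_macros: bool) -> bytes:
    """An in-memory zip carrying the part names of a .docx / .docm."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder VBA blob
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("doc+macros", make_fake_ole2(True)),
        ("doc clean", make_fake_ole2(False)),
        ("docm", make_fake_ooxml(True)),
        ("docx", make_fake_ooxml(False)),
        ("plain text", b"plain text body"),
    ]
    for label, blob in samples:
        print(f"{label:12} -> {classify_attachment(blob)}")
```

The check answers only "is there a VBA project in here"; it cannot tell a signed macro from an unsigned one, and an empty project left behind by a template trips it just as a real payload does. Deciding whether a signature is present and trusted is the Authenticode-style verification the signed-macro proposal above would have to perform on the receiving host.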