The Virtue of Education


I address the Virtue of Education last since it reflects back on all the previous virtues. I have already introduced several areas where continual attention needs to be given in the practice of security. You may wonder how any one person can accomplish all this and still get any work done. Security, however, is not a lonely task that can be performed by a single individual. If security is to be a daily effort, a community effort, and considered in everything, then everyone must be involved, to some extent, in security practices. Therefore, everyone involved needs some degree of security education.

Who's Really in Charge?

Here is a good thing to think about: Every workstation attached to a network has a great influence over the security of everything else in an organization. Thus, the security of information is literally in the hands of those using the workstation, the end-users. Wouldn't it be nice if they had a little training to go along with the extreme power they possess? I don't care how much an organization has spent in making its clients thin, centrally monitored, and centrally controlled, the end-user still has great influence through his or her workstation and local network connection. By training IT staff members, managers, executives, and all end-users on good security practices, we can transform end-users from being a security risk into actually aiding in maintaining the security of an environment.


Security training is not difficult and can be fun and interesting for the end-user. Security has the inherent perk of being an interesting topic for most people, so why not take advantage of it? No, this does not mean everyone will read the five-page essay on "How to Make a Good Password." Refer to Appendix B, Ideas for Training, for quick and easy training processes.

It is important to remember while implementing security that most attacks on an organization are only successful because of an uninformed or careless administrator or end-user. Most systems connected to the Internet will be lucky to go five minutes without being probed for weaknesses by someone, somewhere. This makes it far more likely that the security administrator will not be the first person to discover a vulnerability an end-user has introduced into the system. With this in mind, it is certainly worth the training effort to ensure that end-users have the knowledge and interest in maintaining the security of their workstations and the environment. Without the training and participation of the end-users, security is very difficult to achieve in any organization.

The Psychological Obstacle

The practice of training and keeping end-users updated with security information does not have to be difficult. Many organizations accomplish this with moderate budget and resources. The most common obstacle to creating an environment unified in its security practice is an artificial barrier that is drawn between IT staff and the end-users.

Tension often exists between technical and non-technical personnel. This plays a very significant role in security practices since the people making security decisions are sometimes the individuals who would rather be thrown to the lions than try to train a group of end-users (and I'm sure the feeling is mutual).

Security is too often considered as "the IT staff vs. the end-users," which is mostly derived from the daily battles between technology-minded and non-technical employees. But truly, it is difficult enough to combat the foreign kingdoms; do we really want to isolate ourselves from the locals? The state of mind that promotes this separation has the added effect of making the IT professional unwilling to teach, and the non-IT staff uninspired to learn.

We must always remind ourselves and those around us of one vital concept: Security is of great importance and it cannot be done alone! There is no technological solution for security that cannot be undone by a group of untrained, uninformed, or uncooperative end-users. A good security professional is one who is able to perform his or her duties while maintaining contact and a good relationship with the actual technology users.

Practicing This Virtue

Practicing this virtue does not mean we need to send all the end-users to get certified in security. Nor does it mean that we need to go to every desktop and show each person how to properly secure his or her computer. We simply need to make the end-users aware of security. Users need to understand that security is a very serious matter, and that the only way to keep the organization secure is to have everyone be responsible for his or her own part. Some important guidelines to stress to end-users include:

  • Good software installation practices: Employees must know when it is not proper to install or run an application (from email, from the Web, etc.). It is great to have a policy, but make sure the end-users know "why" this is important or they will never follow it.

  • Good awareness practice: End-users should be aware of activities concerning them and their systems, and should report anything suspicious to greatly increase security. Let them know that they are far more likely than an administrator to witness a hacker's activities, which makes them a vital element in the practice of security.

  • Good Web-browsing practices: Users should know where not to go, what information is and is not safe to give over the Web, and they should understand basic browser security terminology and practices (plugins, cookies, scripts, etc.).

  • Good confidentiality practices: It is important that everyone knows what is confidential and not confidential within the organization. Confidential information of any kind should never be given out, emailed, or transmitted outside the local network without following company security procedures.

It should be stressed that security measures protect everyone in the company. When anyone bypasses these procedures, it may allow a hacker access into the environment and compromise the safety of everyone's information. Here are some interesting ways to introduce end-users to these concepts:

  • Continually present security concepts to employees: Provide security information and stories in regular employee publications. Such writings should include an interesting title with a short, interesting story or anecdote about security (use those old and trusted media techniques to your advantage). As an example, you could write "New Worm Devastates U.S.-based Organizations," followed by a quick story, and ending with "How This Affects Us and What YOU Can Do." Or, if the occasion calls for it, simply cut and paste a bit of interesting news from a more formal publication, or from the Internet.

  • Provide in-house education: If possible, give periodic classes/lectures (auditorium-style is fine) with a projector and some colorful pictures. Don't call the class "How to Secure Your Desktop"; instead, call the class something interesting like "How to Combat Hackers and Spies." Pull people in for 30 minutes after lunch or during a coffee break and give 15 minutes of interesting hacker stories mixed with 15 minutes of practical security measures. Remember:

    1. Security is an interesting topic to most people, so use this to your advantage. Don't give a lecture on password policies; give a presentation on how a hacker cracks passwords and how to beat him or her at the game!

    2. People are much more likely to follow a particular practice if they have some real-world reference, like a good hacker story to go with it.

  • Provide security reminders across the entire organization: Put a security topic-of-the-day on the intranet site, email it to all the end-users, or have it appear on users' desktops at login. Topics should change every day or every week, and be only a few lines long.

  • Learn from the mistakes of others: Avoid the common pitfalls that cost you the end-user's attention and leave him or her indifferent to security:

    1. Never hand an end-user a security policy or employee agreement and expect him/her to read it or retain any of the information.

    2. Never give boring, mandatory lectures on proper security practices.

    3. Never try to avoid educating users by enforcing drastic policies that deny end-users the ability to be productive.



Inside the Security Mind: Making the Tough Decisions
ISBN: 0131118293
Year: 2006
Pages: 119
Authors: Kevin Day
