Posts Tagged ‘stupid’

Try Harder

May 28, 2010

A few months ago I completed the Offensive Security Pentesting with Backtrack course. This is an online course which covers an incredible amount of content. The course takes you through penetration testing methodology from start to finish, and provides an online virtual lab for you to test out your new found knowledge.

As a linux newbie, and not coming from a purely technical background I found the course extremely challenging, but at the same time immensely interesting and engaging.

The course facilitators have a saying which they trot out whenever they feel you’re asking for help too quickly or when, I suspect, they don’t have a suitable answer to your query. ‘Try harder!’.

I think this slogan should be applied to the security industry when it comes to dealing with the people part of the people, process, technology triangle.

An article in Computerworld raised my ire regarding this very topic. The reporter was explaining how the cleaning staff at a hotel he was staying at left a master key in his room by accident. The response from a ‘senior security veteran’ he told the story to was that the chief problem in security has remained the same for decades — educating stupid users. I couldn’t help responding and you can read my response here.

I can forgive the Offensive Security crowd for telling me to try harder. I was swimming out of my depth doing their course and being told to try harder was sometimes the encouragement I needed to solve the problem presented.

So I’m going to give the same advice to security experts who think they’re dealing with stupid users…

If your security is too hard for your users, try harder.

Hey Security Guy! People are not ignorant, lazy, evil or stupid.

November 10, 2009

While researching security awareness programmes recently I came across this paper in the SANS Institute Infosec Reading Room. The author Chris Garrett shares his ideas about improving security decision making and how this is fundamental to the creation of security aware corporate cultures.

Garrett references many academic papers from various fields including business, economics, psychology and of course information technology. The paper is well worth reading all the way through but for me, the epiphany came only about a third of the way into it. To quote directly from the text:

As the research indicates, the vast majority of security breaches originate from human actions. There are a number of potential reasons for this:

  • People are poorly trained and have poor security awareness
  • People are not motivated to perform at the required level
  • People are malicious and deliberately expose the organization to risk
  • People are aware of the problem of security but as managers and employees make poor decisions

Try to ignore the fact that Garrett gives no actual evidence to back this assertion up (because we know this is how security people think anyway) and step back to think about what is actually being said.

I read it as this: Most security breaches occur because people are ignorant, lazy, evil or stupid.

Now it may be okay for programmers and service desk operators to have a view that users are the only thing that gets in the way of a perfect IT operation, but security professionals are paddling up the wrong creek if they think this way.

Setting aside the lack of academic rigour (which died with web 1.0), Garrett has presented one of the big problems facing information security professionals. People are not dumb, or lazy, or even naturally defiant. It’s us who make security too hard. We write overblown policies full of technical jargon which tell people not to do things they never thought of anyway, we confront them with confusing technical controls that require superhuman memory skills or saintlike patience, and we pooh-pooh any attempts to ‘get the job done’ any other way than our own outdated, poorly researched, non-user-tested policies allow. And then we accuse them of sabotage when they say ‘stuff this’ and find a better, more efficient way which actually works.

To be fair, Garrett goes on to make a very good case for training people to be better decision makers, but all the while I was finishing the paper I had this feeling that poor old user x was staggering around, still recovering from the sucker punch back on page 4. And maybe this is how our users feel, like they’ve been ambushed by the security guys.

For anyone out there who runs an awareness programme for their organisation, from now on try to avoid patronizing staff or treating them like naughty children. They are not ignorant, lazy, stupid, malicious or even misguided regardless of what ‘conventional’ information security wisdom says. For surely if it were true, we would have found a reliable way to mitigate those threats by now?
