I don’t mean to offend anyone with the implied language of this post, or the image at left. But there’s no more apt way to describe the fundamental concept of this message. Imagine your users being totally, completely honest with you when you talk about the need for security. In a world not colored by political correctness and “business etiquette”, many of them would probably tell you (regarding security): I Don’t Give A F***. Unfortunately, whether they really articulate this or not (likely not), there’s a very solid chance that this is exactly what your general user population is saying to you and your beloved security policies. Gasp! But…but…(sputter)…don’t they read the NEWS?! Don’t they know they’re rapin…errrrr, HACKING EVERYBODY OUT HERE!?
Well, we’ve all known for quite some time that, in reality, the hardest job in infosec is changing people’s behavior. When someone sends your users an email with an attached file or link that purports to show them the most incredible dancing bear they have ever seen, or the funniest caption with a cat picture EVAH, guess what happens? Yep. They click. Happily. Facebook? There they are! Downloads? PDF files? Flash games? Yes, yes, and YES. YES! Connecting to wireless ANYWHERE is NO PROBLEM. They want iPads! They want iPhones! They want Droid devices! Their own computers! And this is not going to get better, or go away. What’s my point? Well, it’s opinion time:
Traditional security awareness programs are useless. Give them up. Do it now.
Trying to get people to change how they do things is futile. You’ll convert a few, sure. But most people do not think like us. They will not take 2 extra steps or endure a nagging popup asking “Are you sure?”. In fact, they’ll work HARDER to find a way to circumvent your security than they would have worked just adapting to the security. Why? It’s human nature. So I say we toss this concept of “Educate them, and they’ll come around”. Instead, let’s start doing something we’ve bandied about for years. Let’s build security in, and accommodate the IDGAF mentality.
This means putting EVERYTHING into a “Default Deny” mode. Which means moving to application whitelisting. Some form of NAC. Lockdown of host-based and network-based ports on the firewalls and other access controls. Severe restriction of privileges. Yep, in other words – all that stuff we have discussed for quite a while. If we would just design this way, either in a green field scenario or when updating our environment, we’d be in better shape. How about a VM sandbox for any device people want to use to connect? One that doesn’t print locally or access local files? I’d like to think we’ll stop this silly dance of “integrating into the business” at some point and come to the realization that we are fundamentally at odds with everyone else in the business ideologically, as it’s our job to RESTRICT things from happening. But if we design for IDGAF, and build it in so that we control the behaviors from the get-go, we just might rein in the users and their Pandora’s box of wacky, unsafe behavior.
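What “Default Deny” plus application whitelisting looks like in practice, as an added example that is not from the original post: the allowlist is keyed on file hashes, so the dancing-bear attachment is denied without any prompt, and so is a tampered binary sitting at a trusted path. All hashes, users, paths and file contents here are constructed for the demo.

```python
import hashlib
from dataclasses import dataclass

# Constructed allowlist: SHA-256 of file contents -> friendly name. Hashes,
# not paths or filenames, are the key, so a renamed or tampered copy does
# not inherit trust. Anything not listed is denied by default.
ALLOWED_SHA256 = {
    hashlib.sha256(b"trusted editor v1 (constructed)").hexdigest(): "editor",
    hashlib.sha256(b"trusted browser v1 (constructed)").hexdigest(): "browser",
}

@dataclass(frozen=True)
class ExecEvent:
    """One attempted program launch: who, from where, and the file bytes."""
    user: str
    path: str
    content: bytes

def decide(event: ExecEvent) -> dict:
    """Default deny: ALLOW only if the file hash is on the allowlist."""
    digest = hashlib.sha256(event.content).hexdigest()
    name = ALLOWED_SHA256.get(digest)
    return {
        "user": event.user,
        "path": event.path,
        "sha256": digest,
        "verdict": "ALLOW" if name else "DENY",
        "matched": name,
    }

def audit(events):
    """Evaluate a batch of launches and collect the denials for review."""
    results = [decide(e) for e in events]
    denied = [r for r in results if r["verdict"] == "DENY"]
    return results, denied

# Constructed launch attempts: a trusted editor, the "dancing bear" attachment,
# a patched binary dropped over the editor's path, and a trusted browser copied
# to an unusual location (still allowed, because the hash is what is trusted).
SAMPLE_EVENTS = [
    ExecEvent("alice", "/opt/editor/bin/editor", b"trusted editor v1 (constructed)"),
    ExecEvent("bob", "/home/bob/Downloads/dancing_bear.pdf.exe", b"MZ dancing bear (constructed)"),
    ExecEvent("carol", "/opt/editor/bin/editor", b"trusted editor v1 (constructed) + patch"),
    ExecEvent("dave", "/home/dave/browser-copy", b"trusted browser v1 (constructed)"),
]

if __name__ == "__main__":
    results, denied = audit(SAMPLE_EVENTS)
    for r in results:
        print(f"{r['verdict']:5} {r['user']:6} {r['path']} ({r['matched'] or 'unlisted'})")
    print(f"{len(denied)} of {len(results)} launches denied by default")
```

The denied list is what the user never sees a prompt for and what the security team does see, which is the point: the control works without asking anyone to change their behavior.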