When English philosopher Herbert Spencer wrote, "The great aim of education is not knowledge but action," he didn't have computer security education in mind. However, more than a century later, panelists at a recent New England Information Security Group (NEISG) meeting voiced such messages loud and clear.
"I think education goes a long way. If you explain user polices, there is a better chance people will follow them. They will understand the risk to the company," said James Burrell, United States FBI agent specializing in criminal computer intrusion and cyber crime, and one of the panelists at the Waltham, Mass.-based user group meeting.
The need for user education rose to the top of the agenda during the group's discussion about ethics and legal issues in the security field. Other panelists included Mark Minasi, columnist and author of Mastering Windows Server 2003, Stephen Heymann, Chief of the U.S. Attorney's Appellate and Computer Crime Section, and Sanford Sherizen, president of Data Security Systems and member of Information Security Systems Association's (ISSA) Hall of Fame.
Uneducated users are easy targets for spammers and virus writers, according to Burrell. Most policies are implemented only after something bad happens, he said, so the key is to educate users before they become victims.
However, Burrell warned, "Policies are a balance. If you put super restrictive policies on users, they can't be productive. If you are too lax, well, we've seen what happens." Users and IT staff tend to create workarounds for overly restrictive policies, and that creates a false sense of security: administrators have lost control of what users actually do, yet continue to tell themselves everything is secure because a policy is on paper.
Administrators must combat ignorance by taking the time to educate users, according to Minasi. He stressed the importance of strong passwords in particular.
"The single most important thing is passwords," Minasi said. He recommends getting @stake LC4 (formerly L0phtCrack) and having fun at lunchtime trying to crack employees' passwords. "People love true tales of crime, and when they see how quickly a password can be cracked, they will instantly become more vigilant."
One NEISG member, an IT network administrator for a bank, agrees with Minasi's password approach. His bank is a full Windows shop slowly moving from Windows 2000 to Windows Server 2003. He currently enforces an 8-character minimum password length with a 30-day maximum password age, but he still has reservations about user compliance: "Even when I put my stronger password requirements in place this year, I still think people will write passwords in a secret spot in the office or cubicle."
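To make Minasi's lunchtime demonstration concrete, here is an added example (not from the article, not LC4, and not the bank's tooling) that audits Windows NT password hashes the way a cracker does: hash each dictionary word and a few cheap mangling variants, then compare against a dump. NT hashes are MD4 over the UTF-16LE password, so the block carries its own pure-Python MD4 and needs no third-party library. The user names, wordlist and pwdump-style dump are constructed for the example (the dump's NT fields are computed from known passwords so the block is self-checking; the LM field is the well-known empty-LM sentinel). The point it shows is that an 8-character length rule alone does not stop a dictionary plus rules: three of the four constructed passwords satisfy the bank's length policy and still fall instantly. Run it only against hashes you are authorized to test.

```python
"""Dictionary-plus-rules audit of Windows NT password hashes (added example, pure Python)."""
import struct
import time

MASK = 0xFFFFFFFF


def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4. The NT hash is MD4 over the password encoded as UTF-16LE."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):  # round 1: F = (b & c) | (~b & d)
            a = _rotl((a + ((b & c) | (~b & d)) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: G = majority(b, c, d), word order 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + ((b & c) | (b & d) | (c & d)) + x[k] + 0x5A827999) & MASK,
                      (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: H = b ^ c ^ d
            a = _rotl((a + (b ^ c ^ d) + x[r3_order[i]] + 0x6ED9EBA1) & MASK,
                      (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    return md4(password.encode("utf-16-le")).hex()


# Cheap mangling rules: the variants users reach for to satisfy a length/age policy.
LEET = str.maketrans("aeios", "43105")
SUFFIXES = ["", "!", "1", "123", "2005", "05"] + [f"{n:02d}" for n in range(100)]


def candidates(word: str):
    bases = {word, word.capitalize(), word.upper()}
    bases |= {b.translate(LEET) for b in list(bases)}
    for base in sorted(bases):
        for suffix in SUFFIXES:
            yield base + suffix
            yield base + suffix + "!"


def passes_length_policy(password: str, min_len: int = 8) -> bool:
    """The bank administrator's 8-character minimum from the article."""
    return len(password) >= min_len


# Constructed sample data: a pwdump-style "user:RID:LM:NT:::" dump and a tiny wordlist.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # sentinel for "no LM hash stored"
SAMPLE_DUMP = [
    f"jsmith:1001:{EMPTY_LM}:{nt_hash('password')}:::",
    f"mjones:1002:{EMPTY_LM}:{nt_hash('Summer05!')}:::",
    f"tbrown:1003:{EMPTY_LM}:{nt_hash('W3lc0m3!')}:::",
    f"akhan:1004:{EMPTY_LM}:{nt_hash('Tr0ub4dor&3')}:::",  # not derivable from the wordlist
]
WORDLIST = ["password", "summer", "welcome", "bank", "waltham", "autumn"]


def crack(dump_lines, wordlist):
    """Return ({user: recovered_password}, candidates_tried, seconds_elapsed)."""
    targets = {}
    for line in dump_lines:
        user, _rid, _lm, nt = line.split(":")[:4]
        targets.setdefault(nt.lower(), []).append(user)
    found, tried = {}, 0
    start = time.perf_counter()
    for word in wordlist:
        for cand in candidates(word):
            if not targets:
                break
            tried += 1
            users = targets.pop(nt_hash(cand), None)
            if users:
                for user in users:
                    found[user] = cand
    return found, tried, time.perf_counter() - start


if __name__ == "__main__":
    found, tried, elapsed = crack(SAMPLE_DUMP, WORDLIST)
    for user, pw in found.items():
        print(f"{user:8s} {pw!r:16s} meets 8-char policy: {passes_length_policy(pw)}")
    print(f"{tried} candidates in {elapsed:.2f}s ({tried / max(elapsed, 1e-9):,.0f} hashes/s, pure Python)")
```

The rate printed here is interpreted Python; LC4 in 2005, and any GPU cracker today, runs several orders of magnitude faster, which is exactly the number Minasi wanted users to see. The uncracked account shows what actually helps: a password that is not a dictionary word with predictable decoration, rather than one that merely clears the length bar.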
A study conducted by antivirus vendor Symantec adds gravity to this bank administrator's fears about uneducated users. According to the study, e-mail worms and viruses aimed at Windows systems rose sharply last year, with 5,000 new cases of Microsoft-targeted malicious activity from January to June. This represents a 400% jump over the same period in 2003. Such information is great incentive for Windows administrators to implement and enforce strong security policies in 2005.
In spite of the panelists' advice, one audience member was still skeptical: "I do think it's important to educate the end users," he said, "but in reality we know that they will never truly understand computer security. Most will just come in, do their tasks and go home. All that security stuff most likely will never sink in."
Share your opinion: How important is user education in securing Windows systems? Do you educate users on Windows security issues and techniques? If so, how? E-mail us and we'll add your comments to this article.
This was first published in March 2005