Sticks and stones: Picking on users AND security pros

Nobody likes to get picked on. But is it sometimes necessary to snap people out of their apathetic approach to security?

By Bill Brenner, Senior Editor

August 25, 2010 — CSO

I took my share of name-calling as a kid. I did my share of name-calling, too. We’re taught that nothing good comes of such behavior. I’ve been thinking a lot about that since writing an article two weeks ago called “Security blunders ‘dumber than dog snot’” during the 2010 USENIX Security Symposium.

The story is based on a talk of the same title given by Roger G. Johnston, a member of the Vulnerability Assessment Team at Argonne National Laboratory. In the presentation, he gave examples of surprising (or not) examples of what he has seen as a vulnerability assessor: security devices, systems and programs with little or no security — or security thought — built in. There are the well-designed security products foolishly configured by those who buy them, thus causing more vulnerability than before the devices were installed.

Then there are the badly-thought-out security rules and security programs laden in security theater, lacking muscle and teeth. In fact, some policies only make some employees disgruntled because they are treated like fools. In turn, the company risks turning them into malicious insiders.

Also see “Ouch! Security pros’ worst mistakes

Johnston described three common problems: People forgetting to lock the door, people too stupid to be helped and — worst of all — intelligent people who don’t exploit their abilities for the betterment of security. Enter what he calls the dog snot model of security– where intelligence and common sense exist but are not used.

He came up with the term by watching his dogs, who often crash themselves against the picture window facing the yard when they want to go chase a squirrel. Hence, the windows are covered in dog snot. Executives and lower-level users are often like the dogs in that they bang their heads against the firewall (or their fingers against the keyboard) in an effort to get at a shiny object online. The security pros themselves can get caught up in this too, usually banging up against the glass by trying to prevent bad things from happening by repeating the same failed practices.

Moments after the story went live and appeared on Twitter, I got a message from Adam Shotack, co-author of “The New School of Information Security” and a security specialist at Microsoft.

“Is that attitude helpful? Does anyone respond better when you call them ‘dumber than dog snot?'” he asked.

For the rest, visit CSO Online.

Comments are closed.