Throwing Out The Baby With The Bath Water: Dave Aitel’s Approach To INFOSEC
So yeah, a week or so ago I wrote a piece that in the end, kinda said I was retiring from the INFOSEC bitch slapping biz for a while. I went away, I began looking at other interests of mine and relaxing and things were good. Then I saw this article by Dave Aitel “former computer scientist at NSA” on the idea that teaching security awareness is useless.
*blink*
Holy WTF? You have gotta be kidding me I thought and exclaimed out loud! Sure enough though, when I read it, I found myself agog at the idea of tossing awareness out of the water like the baby that Dave seems to be making it into from the old aphorism.
Article here: Why you shouldn’t train employees for security awareness
Dave, how could you be so smart about other things and yet so spectacularly stupid on others I wonder? I mean, all your other points about protections that should be in place in an environment are right on, though, you must realize that many places would need a HUGE re-architecture right to follow many of your ideas to fruition right? So, right there you have a non starter for many places that indeed would be better suited to have an awareness program.
But I digress…
Look boyo, by using APT as your “examples” of why its a fools errand to teach security awareness to the masses, is just a self serving and exceedingly short sighted means to your end of selling your services methinks. APT attacks like the ones you mention are always possible and do happen to many places, however, they are not the only thing coming in in waves to the employees of the world. There are plenty of other attacks including the SE attacks you speak of. All of these could be lessened in effectiveness and winning the day for the attackers “if” the employees are trained (a key word here trained, not for 4 hours, not one day, but repeatedly on these issues) You don’t send a kid to school to get a diploma for a day do you? No, you send them to 8 friggin years of school to get that diploma and maybe 4 – 8 more for a real education. See the analogy there Dave?
You train employees to protect not only from clicking on links or suspect emails Dave, but you also teach them good ethics, as well as security hygiene that will make your environment just that much better over time. The cumulative effect will help you secure the environment and in tandem with your technical means, make it all the better. This idea of just chucking awareness in the trash heap is useless and more than not, a dangerous idea you are selling to CSO’s and CIO’s who may not be as security savvy as they should be man, and in my book, you are now really treading closely to the “charlatan” status page on Attrition.org in my book.
What’s your next idea man? Outsource security to say India?
Look Dave, I know it’s a dog eat dog world out there today but really, cutting this cost as a sales pitch in CSO magazine? And such an epically bad idea too? Geez, I mean I thought BYOD was a bad idea, but it seems you would advocate not only that but also that you don’t demand that the end user devices be scanned for malware too huh? Security awareness is a process and human nature, as I have written about it here before, are hard things to control, but, without at least trying, you are opening up just another avenue of attack even with mitigations like the ones you pose in your article. What’s even more egregious is that you seem to think that awareness costs a lot of money? What? In DIB partners I have been in you just have the security team teach the recurring sessions as well as intakes. Then you have recurring online training that is done in house, it’s really not a bank breaker man. So, who the hell is spending gobs of money on it anyway if they are smart about it, and, if they are doing it at all.
See, that’s the other thing Dave, many places AREN’T doing it to start with. This is why people are so click happy as well as libel to just hand over a password! So here you are advocating that we dispense with it all because it is a foregone conclusion that the APT is gonna get us all in the end.
Dave, it’s time to smell the coffee and wake up.
Awareness training should be a staple of every environment and the awareness of the end user is important to stop attacks. I have personally seen it work in environments under my control. Will it stop every attack? No, but neither will all of your technical controls you are offering to sell to those who might be reading this quack article of yours.
Go back to your corner and put on the pointy hat Dave… You’re not “aware” enough to make these kinds of great prognostications and claims.
K.
Krypt3ia 
and in the 4-8 years this education is taking a place we should do what?
jerk
2012/07/20 at 14:44
I don’t know who you are, but you sure don’t get IT.
Looking at the big picture, employee training is utterly useless when it comes to overall security. Employees are dynamic entities, _they can not be relied upon_
They’re here one day, gone the next, they forget, make mistakes, disclose sensitive information, can be bribed, can be tricked, can be compromised in a million different ways. Your “security awareness” training is not going to change this basic premise.
In the real world security is an all or nothing approach. One of the first things one does when trying to implement a secure system is figure out the dynamic variables.
The ones he can’t control. Then, he designs AROUND them, not ON them.
John Zornn
2012/07/21 at 00:30
I am more worried about social engineering attacks than APT (nature of the world I work in) and it is the one area where your only (well not only, but yea) hope is awareness..
Joel
2012/07/23 at 16:13
Dear Krypt3ia,
I can understand your frustration, and reading your blog reminded me of Lewis Black during one of his ranting attacks on “The Daily Show” 🙂
The challenge is that critical thinking is becoming so rare these days. I mean we live in an era when the 2012 platform of the Republican Party of Texas reads as follows: “We oppose the teaching of Higher Order Thinking Skills (HOTS) (values clarification), critical thinking skills and similar programs that are simply a relabeling of Outcome-Based Education (OBE) (mastery learning) which focus on behavior modification and have the purpose of challenging the student’s fixed beliefs and undermining parental authority.”
Perhaps Dave is planning to run as a candidate for the Republican party in Texas? Frankly if you need evidence to prove that without raising the level of critical thinking skills throughout the organization it is becoming more and more vulnerable/fragile, you’re really don’t understand that domain at all, nor fragility and anti-fragility.
I might write a blog about that subject, but to be honest, anyone who do research on the subject knows that technology cannot replace or provide any result which is even similar to the one achieved via a personal change (e.g. medication to obesity vs. change in life-style). It’s true throughout nature, it’s a fractalic truth.
Awareness is why we are all here and taking away the opportunity of being aware from people is crime I tell you, a crime (trying to sound like Jimmy Stewart in a Frank Capra movie)
Peace
BlueSkyOfLove
BlueSkyOfLove
2012/07/23 at 16:23
[…] out there once again. @Krypt3ia and @iiamit have both posted their rebuttals “Throwing out the Baby with the Bathwater” and Security Awareness and Security Context – Aitel and Krypt3ia are both […]
You Shouldn’t train employees for Security Awareness – REBUTTAL
2013/02/16 at 13:12
[…] more on blinky light solutions to stop them dead in their tracks as the vendor propaganda states. Some even go as far as to proclaim that security awareness is pointless which I called bullshit on before rather vociferously in the past. I find it to be one of the more […]
So APT Is China *snicker* Now What? | Krypt3ia
2013/02/28 at 15:31