Throwing Out The Baby With The Bath Water: Dave Aitel’s Approach To INFOSEC
So yeah, a week or so ago I wrote a piece that, in the end, kinda said I was retiring from the INFOSEC bitch-slapping biz for a while. I went away, began looking at other interests of mine, relaxed, and things were good. Then I saw this article by Dave Aitel, “former computer scientist at NSA,” on the idea that teaching security awareness is useless.
Holy WTF? “You have gotta be kidding me,” I thought and exclaimed out loud! Sure enough though, when I read it, I found myself agog at the idea of tossing awareness out with the bath water, like the baby of the old aphorism that Dave seems to be making it into.
Article here: Why you shouldn’t train employees for security awareness
Dave, how could you be so smart about some things and yet so spectacularly stupid about others, I wonder? I mean, all your other points about protections that should be in place in an environment are right on, but you must realize that many places would need a HUGE re-architecture to carry many of your ideas through to fruition, right? So right there you have a non-starter for many places that would indeed be better served by an awareness program.
But I digress…
Look boyo, using APT as your “example” of why it’s a fool’s errand to teach security awareness to the masses is just a self-serving and exceedingly short-sighted means to your end of selling your services, methinks. APT attacks like the ones you mention are always possible and do happen to many places; however, they are not the only thing coming in waves at the employees of the world. There are plenty of other attacks, including the SE attacks you speak of. All of these could be made less effective, and less likely to win the day for the attackers, “if” the employees are trained (the key word here being trained: not for 4 hours, not for one day, but repeatedly on these issues). You don’t send a kid to school for a day to get a diploma, do you? No, you send them to 8 friggin’ years of school to get that diploma and maybe 4 to 8 more for a real education. See the analogy there, Dave?
You train employees not only to avoid clicking on links or opening suspect emails, Dave; you also teach them good ethics, as well as the security hygiene that will make your environment just that much better over time. The cumulative effect will help you secure the environment and, in tandem with your technical means, make it all the better. This idea of just chucking awareness on the trash heap is useless and, more often than not, a dangerous idea you are selling to CSOs and CIOs who may not be as security savvy as they should be, man. In my book, you are now treading really close to the “charlatan” status page on Attrition.org.
What’s your next idea, man? Outsource security to, say, India?
Look Dave, I know it’s a dog-eat-dog world out there today, but really, pitching this cost-cutting as a sales line in CSO magazine? And such an epically bad idea too? Geez, I mean, I thought BYOD was a bad idea, but it seems you would advocate not only that, but also not demanding that end-user devices be scanned for malware, huh? Security awareness is a process, and human nature, as I have written about here before, is a hard thing to control, but without at least trying you are opening up just another avenue of attack, even with mitigations like the ones you pose in your article. What’s even more egregious is that you seem to think awareness costs a lot of money. What? In the DIB partners I have been in, you just have the security team teach the recurring sessions as well as the intakes. Then you have recurring online training that is done in house; it’s really not a bank breaker, man. So who the hell is spending gobs of money on it anyway, if they are smart about it, and if they are doing it at all?
See, that’s the other thing, Dave: many places AREN’T doing it to start with. This is why people are so click-happy, as well as liable to just hand over a password! So here you are advocating that we dispense with it all because it is a foregone conclusion that the APT is gonna get us all in the end.
Dave, it’s time to smell the coffee and wake up.
Awareness training should be a staple of every environment, and the awareness of the end user is important in stopping attacks. I have personally seen it work in environments under my control. Will it stop every attack? No, but neither will all the technical controls you are offering to sell to those who might be reading this quack article of yours.
Go back to your corner and put on the pointy hat, Dave… You’re not “aware” enough to make these kinds of great prognostications and claims.