Malware "best practices"
Drew Van Zandt
drew.vanzandt at gmail.com
Thu Jul 27 08:24:00 EDT 2006

DTVZ has worked in "those places" and they had separate systems with
net access, and never the twain shall meet. On the other hand, "those
places" had a more sensible policy. If a user does something dumb[1]
once, that may well be enough to get them fired (or lose their
security clearance, which amounts to the same thing.) If they did
something dumb[1] twice, it was pretty much guaranteed unless they
were, for some reason, indispensable.

No matter how many restrictions you pile on in the name of "protecting
the IT infrastructure", you'll never get the users to learn not to do
(new) dumb things unless there's a penalty for doing dumb things. (As
long as the cost of screwing up is an externality, it won't affect
their decision-making.) If the only thing you do is add restrictions,
then when something does get through (and it will) the only
group/person paying a penalty will be IT, which will lead to IT
setting more things up to prevent anything from happening that gets
them in trouble (which sounds pretty much like the current state of
"best practices") - none of this is IT's fault, but it certainly
doesn't help when someone's trying to get their job done and the
generic restrictions prevent it. Do I have a different solution?
Probably not... the only thing that comes to mind is making it part of
employment policy that users pay (loss of wages) if they do something
dumb[2]. This doesn't sound like it would be popular, but then lots
of things aren't popular...and it would unfortunately probably have to
be worded along the lines of "if spyware/viruses are found installed
on your computer" rather than "if you inadvertently install (etc)".
There'd have to be an out for non-user infection paths, and that could
make it tough to word (see, I said I probably didn't have a solution.)
I see in the literature that "educating users" doesn't work... but the
education referenced is e.g. classes, as opposed to providing
incentive to learn. Has anyone actually tried a "you pay for doing
dumb things" solution?

[1] "something dumb" is loosely defined, but would certainly include
installing pretty much anything on the classified net that wasn't
directly necessary for work.

[2] This time, it's getting spyware installed on their computer, or running a
virus payload while trying to look at a "wicked" screensaver.

--DT "Doing dumb things should hurt" VZ