Home => The wrong question
|[Formatted for Printing]||From the personal web site of Michael Horowitz|
May 30, 2019
Brian Krebs recently asked Should Failing Phish Tests Be a Fireable Offense? To me, this is the wrong question.
Underlying the question is that an employee who succumbs to the scam in a phishing email can cause great harm. Perhaps their computer gets infected with some type of malicious software. Perhaps that software spreads over the network to cause major damage to the entire company. To counter this potential danger, companies make a living training people to spot common email-born scams.
How ridiculous is this?
If you see a car from the 1920s, you can't help but realize the safety features it's missing. Likewise, computer nerds in the future will ridicule the way we live now. And those future nerds will be right - the current state of the art is moronic. Disgracefully so.
That a simple mistake by a non-technical person can cripple a company is not on the non-techie. Its on the nerds, and their management, that created the environment in the first place. The question should not be whether a non techie employee gets disciplined, its why upper management tolerates such a fragile environment. Having a non-technical person be your single point of failure, is clearly a design flaw.
Yes, training is needed, but what's needed is educating non-techies on how to tell if a website is fake or not. Maybe if John Podesta knew to only enter his Gmail password at gmail.com and not at secure-gmail-login.com, no matter what it looked like, his password never would have leaked. Much of this training can be found in the section about Understanding Domain Names at my Defensive Computing Checklist site.
Non-techies being tricked into divulging a password is not so much their fault as it is the fault of IT for not using two factor authentication for important systems. Likewise, if employees are tricked into installing malicious software, there is no reason their computers can't be rolled back to an earlier state. If the malicious software is ransomware, encrypting shared network files, well, those files should be stored in a file system that can, likewise, be rolled back to a prior state. My point is not to endorse any particular technical solution but rather to point out the BIG picture.
We are driving drunk at night in an ice storm without seatbelts. Don't blame the children in the back seat.
Update: June 13, 2019. I ran across a kindred spirit in Jim Salter. On the June 11th episode of the Jupiter Broadcasting TechSnap podcast, Salter said:
"If you are a business admin, and we are talking about your servers, there is no excuse any more, you should be able to do that (roll back to a recent snapshot). You should have virtualized servers in your infrastructure, you should not be running Windows server on the bare metal. And, if you are not confident in your ability to roll back to an hourly snapshot, and you should have at least 24 of them on hand, if you dont feel confident that you can do that without issue in 5 or 10 minutes from when you sit down at the machine, you need to re-work your infrastructure. You are behind the times. There is really no excuse for that any more. It does not have to cost you a ton of money."
|@defensivecomput||TOP||Home => The wrong question|
|michael--at--michaelhorowitz.com||Last Updated: June 13, 2019 5 PM|