Comments on: The human firewall

By: Eric Jacksch

Eric Jacksch — Fri, 19 Jun 2009 01:30:36 +0000

Even if you assume that 5% of the people had the technical skills and motiviation to check it out and then view the file, that still wouldn’t change the fact that over half of the things were viewed. It points to a security awareness education problem, and that’s all that Scott is trying to show.

By: Evolving Squid

Evolving Squid — Wed, 17 Jun 2009 13:10:32 +0000

The test also doesn’t allow for teh fact that someone finding the files may well have looked at them in an editor and chose to click the HTML, realizing that they were effectively safe.

This is probably what I would have done before wiping the thing.

By: kingthorin

kingthorin — Mon, 08 Jun 2009 14:11:58 +0000

Hey Eric/Scott, it wasn’t my intention to fault the concept behind the test, overall I agree it’s a great starting point for discussions. As I said it is likely that the majority of the tests users did in fact end up being IE/Windows. However, if possible it would be nice to see at least the User-agent breakdown of the associated web logs, even if it’s only used as further ammunition to suppress (or further engage) any naysayers.

By: Scott Wright

Scott Wright — Mon, 08 Jun 2009 13:33:49 +0000

You’re absolutely right that there are going to be exceptions which could skew the results. When I started the project I was expecting that the results would be significant if over 20% of the devices got used. But we’re up to 60% now. It’s starting to validate data from places like the Ponemon Institute that indicates up to 80% of data breaches result from insider actions (accidental or malicious).

Yes, we can argue the finer points. In the big picture, however, how confident would you be in one of your staff making the right decision when they face a real high-risk scenario?

FYI – There are a number of other articles I’ve written at http:/www.honeystickproject.com which is now part of my security awareness site, The Streetwise Security Zone.

I do invite comments. I get lots from IT people who often argue the same points as above. What’s missing is the business manager’s perspective. Most of them don’t know the risks because the IT managers are too busy to explain, or can’t put them into terms that business management understands. The first step is starting a discussion about the risks, with whatever data grabs their attention. The Honey Stick Project seems to be a good topic for many in this respect.

By: Eric Jacksch

Eric Jacksch — Mon, 08 Jun 2009 13:13:59 +0000

The quotes are from an interview with Scott and some info he emailed me. Hopefully he’ll chime in here.

It is possible that some of the USB sticks were ‘tested’ by security pros, but I’d willing to bet that most were by people who just shoved them into their machine and opened the files.

By: kingthorin

kingthorin — Mon, 08 Jun 2009 12:49:38 +0000

I don’t think he’s made a fair assessment. Just because someone accessed a file on the drive does not necessarily mean that they were operating in an environment he could infect/exploit.

What if they’d been operating from a Linux LiveCD which specifically didn’t mount local harddrives? Pretty safe.

What if autoplay was disabled for USB devices and they used FireFox w/ NoScript as their default browser? So they purposely launched a HTML file without allowing any active content big deal.

Granted these are all big “what if” scenarios and it’s likely that a huge percentage of his test cases were people using IE on Windows but it’s still a big assumption and the test or results as quoted here are lacking potentially important details.

Is the original article posted on Scott’s site somewhere? I looked quickly but didn’t see it.