February 20, 2012 | San Diego, CA

Security awareness, security breaches, and the abuse of “stupid”

 

Computer security is not created, nor is it improved, by calling people stupid. That's the conclusion I have arrived at after more than two decades in computer security and auditing. To put it another way, we should stop dropping the "S" bomb, especially when it comes to people who don't know any better.

Consider the phenomenon of people posting photos of credit cards on Facebook, a sort of self-inflicted security breach. Your first reaction might be "Is that stupid or what?"

In my opinion the "or what?" is a fair question, one that I thought about this President's Day, a day when a lot of credit cards in America get a good workout (with the notable exception of the one in this picture).

Note that what you're seeing is a doctored version of what actually appeared on Facebook, where the details on the front of credit card were clearly visible. These have been masked in this screenshot, along with other identifying information (I have tried to find out who produced the above image in order to give them credit, as it were, but so far I've not succeeded).

Also note that the person who posted the pic does not seem to be the card owner, so it's not a case of "stupid kid posts photo of his first credit card" which is how some bloggers described it (although I am sure there are cases of that kind as well). No, this is just a case of a person, possibly a parent, being proud of that "first credit card" moment, and wanting to share it with friends and family. This person was probably in the same state of mind as many other Facebook users who:

A. Think of Facebook as a place to share things with a few select friends, but have not adjusted their "share" settings accordingly, and;

B. Under-estimate the number of people who are willing to take advantage of their fellow human beings.

In other words "they don't know any better" and possibly lack the kind of life experiences that make other people think twice about putting a photo like that online. Now, I don't know what percentage of Facebook's 800+ million users are currently A+B positive, so to speak, but they represent a rich vein of potentially exploitable persons. Fraudsters and scam artists are keen to mine that vein, as evidenced by the constant appearance of new deceptions documented by websites like Facecrooks.

What should really be of concern to companies, and society at large, is that these A+B folks are not just a target on Facebook. Criminals are targeting users who lack security awareness across a wide range of information systems. They are crafting attacks that rely on exploiting digital device users who have little or no security training.

So the next time you hear infosec professionals bemoaning the stupidity of users you need to ask: "Are they stupid because they are ignoring the security training they received, or are they doing stupid things because we have failed, as an organization, and as a society, to teach them to know better?"

And while we're at it, what say we cut Shannon and Dustin a break!