Wednesday, September 10, 2014

It's Always the User's Fault...

Throughout our career as Information Technology/Security professionals, we have, at one point or another, blamed a user for the problem.  Granted there are some pretty good cases out there where it certainly is their fault; for example, using the CD tray as a coffee cup holder, or spilling soda in the keyboard then denying that they did it, and maybe attempting to fix the problem themselves and only making it worse.  Seriously, one time I was working for University and I had to come up and check on a staff member's computer.  I look at it and see a bunch of the power cables hanging out of the case.  I look at them and ask if they attempted to fix it themselves, and they straight up denied it.  So yeah we like to blame them for most, if not all of the problems.  In Security we are no better.

The debate is a hot one these past few weeks in lieu of the latest series of breaches, in particular the celebrity photos being leaked.  Now our first two comments on the matter are usually "You shouldn't take nude photos of yourself with your phone if you don't want it on the internet..." and "Why are you not using strong passwords!!?!?!?!"  To those of us in security, these things are just common sense.  For those not in this particular industry, they put trust in us to secure a system so they don't have to worry about such things.  This is a pretty logical assumption from someone NOT in the security profession.  But we all no better, don't we?  Contrary to popular belief, this is something that was not instantly built into our DNA.  It took years of experience to make us hardened pessimists of all things tech.  We have seen what happens when things don't work right.  We have worked for companies who have cut corners on a product just to get it out the door.  We all know security is looked upon as a cost center, not a revenue driver.  So if it comes down to making a product so simple to use that even the likes of the Kardashians can figure it out, then sometimes security is tossed out.

Can you make things extremely functional without skimping on security?  Certainly!  Is it easy?  Hell no!  But then if it was, many of us would not have jobs.  So how do we fix this?  After all it is a growing problem that doesn't seem to get better despite everything we tweet and post about.  I think first, the main stream media just needs to stop... seriously, they are horrible at covering these types of news stories.  Rather they need to get more REAL experts to comment and offer sensible recommendations.  The larger news outlets are getting better at it by bringing folks in like Dave Kennedy (Trusted Sec) or tapping Dan Kaminski.  But the smaller stations are really not there.  So if you know folks at your local news organizations, reach out to them and let them know you have the answers!  As for the companies who make these products, well the only way we can help is by taking on the difficult position of working for them and making things right.  Then again, they have to be willing to compensate such positions appropriately.

Ok, I think that is it.  Guess I'll shut up for now.  I have some letters to write to my local news outlets!