Users are stupid

At the recent RSA Europe conference in London, security consultant Ira Winkler said something we’re not supposed to utter. To paraphrase, he said: “Users are stupid”.

We all know that computer users do stupid things. Infosecurity professionals within organisations must despair every time they hear, “Well, I clicked on the link because…” or “I gave him my password because…” followed by any one of a score of lame excuses.

Winkler was talking in the context of social engineering, which he believes is too broadly defined. True social engineering, he says, involves interaction between attacker and victim. Something like a phishing attack, or an email with a malicious payload, does not count. Talking about the infamous I Love You virus, Winkler said: “Nobody wants to say, ‘well it’s not really social engineering because you’re not interacting with the person, it’s just stupidity. But oh no, you can’t blame the user and call them stupid.’ Yes, you can blame the users and call them stupid.”

We all know that even the best security technologies, processes and policies can be undermined by people doing things they shouldn’t. Yet, except in cases of egregious lapses, or the clear and wilful breaking of the rules, we’re not meant to point the finger at user stupidity.

Infosecurity specialists and departments are meant to provide the infrastructure and training to protect the organisation, and this shouldn’t be dependent on the intelligence of end users. Similarly, security vendors are selling the technology and services, and aren’t about to accuse their customers of being staffed by morons. Even pen-testers can’t say users are stupid because no client wants to hear, “well your security systems are fine: the problem is that you hired idiots”.

Of course, none of this is meant to suggest that ALL users are stupid – not even most of them. But even smart people do dumb things from time to time, and you only need one moment of weakness to open a security vulnerability. Just ask RSA, whose 2011 SecurID breach began with an employee opening a malicious spreadsheet attached to a phishing email.

So perhaps it’s a matter of degree. Winkler’s issue with the vagueness of the term ‘social engineering’ is that it makes it difficult to combat. You can’t form any sensible or effective countermeasures against something so amorphous. “If you overly define stupidity as [a reason for] being a victim of social engineering,” he said, “you’re not going to stop social engineering.”

So maybe we need to break this down a tad, to differentiate between actions that might be excused because the person was a victim of a genuinely skilled social engineering attack – such as we’re seeing as part of Advanced Persistent Threats (APTs) – and behaviour that simply shouldn’t be tolerated because it is plainly idiotic.

Winkler relates the story of a senior exec at a bank, responsible for millions of dollars in trades, who had written down his password on a sticky note attached to his monitor. What Winkler found particularly stupid, however, was that the password was a reference to an obscure fact in an obscure episode of Star Trek. The exec was able to remember that fact, but wasn’t able to remember that he’d made it his password.

To be fair, what constitutes ‘plain stupid’ will be different for the general public or ordinary members of staff than it is for security professionals. We’d like to think that writing your password on a sticky note is self-evidently wrong. The same goes for opening dubious files attached to dodgy emails. But if experience teaches us anything it’s that people are easily fooled.

This is where training comes in, backed up by policies. At the same time, perhaps it’s time to stop being so polite and, where appropriate, start labelling certain behaviours as clearly ‘stupid’.

[This post is a version of the editorial in the November issue of Computer Fraud & Security]