[unisog] Educating Users

Gary Flynn flynngn at jmu.edu
Wed Aug 8 17:33:37 GMT 2001


"E. Larry Lidz" wrote:
> 
> Rita Seplowitz Saltz writes:
> >The "good name" seems to me a good sales point.
> 
> I'd love to hear other people's sales points.

We started out by giving senior management the overall picture 
of what is happening on the Internet, here on campus, and the 
possible effects. We didn't have to sell much. The incidents
and vulnerabilities spoke for themselves.

Then we started giving the same presentation to division heads 
at their meetings. Eventually, people started asking "What can 
I do at my particular computer" and R.U.N.S.A.F.E. was born. 
Its now a 90 minute workshop.

An expanded version was given to all IT and lots of administrative 
users. In that version, I spoofed an email message so it looked like
it came from IT or a department head. The message stated that a
hazardous new virus was spreading quickly around campus and everyone
needed to apply the attached Anti-Virus update manually. Prior to the 
presentation, I had bound the SubSeven trojan to the Norton AV
update program and attached it to the spoofed email. In the 
presentation, I showed how the update program ran normally, how 
subseven notified me whenever someone ran the attachment, and what I 
could do with it on the their computers. Skeptics became believers. :)

In the more standardized R.U.N.S.A.F.E. workshop, I tell people right 
up front that I'm going to spend the first 30 minutes scaring them 
and the next 60 giving them the knowledge and tools to protect 
themselves. I don't have to make stuff up. I just tell them what
we've seen. Evaluations of the workshop have all been positive with 
"everyone needs to see this" a common comment.

So I guess one could say our sales point is fear but its really
just explaining the current environment in terms of everyday
computer use. Its important that once awareness and concern
is raised this way, that tools and resources are provided to help 
them regain a sense of comfort.

Individual sales points in that first 30 minutes are things like:
-instances of unpatched systems compromised within an hour of
 being connected to the network
-what is compromised when someone else takes control of a
 computer-FERPA, email, admin systems, shared drives, user
 accounts on servers, instant messaging sessions, etc.
-possible legal and financial liability
-how the virus and worm writers have been relatively harmless to
 us up to this point and what the alternatives may have been
-the alternative to controlling our own computers and communications
 is having someone else do it for us
-the inherent vulnerabilities in our environment
-what it might mean if someone uses your computer to commit a crime
 while you're at the keyboard

The next 60 minutes are spent discussing the first page of the 
R.U.N.S.A.F.E.web site and making sure people can, at a minimum:

1) Check their AV software
2) Run Windows Update
3) Understand the implications of unknown code

The workshop "lab" is for them to go back to their desktops and
check their AV software, run Windows Update, and review the rest 
of the R.U.N.S.A.F.E. materials.

Another sales point or motivator is that we distribute vulnerability 
reports produced by a vulnerability scanner to all technical support
staff and their management. The vulnerabilities are sorted by 
organization with stats like x out of y computers in this organization 
have high risk vulnerabilities. Individual reports will also be emailed
to individual computer operators, including those in residence halls, 
once some additional infrastructure is put in place.

Finally, security incidents go into the biweekly reports that go up 
the line. A report like "the system was collecting passwords off the 
network and was being accessed from four different countries" makes
everyone understand how interdependent we are.

This is all just starting to ramp up and I don't expect it
to have a big impact for at least another six months.

-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/info-security/engineering/runsafe.shtml



More information about the unisog mailing list