[unisog] Educating Users
flynngn at jmu.edu
Wed Aug 8 17:33:37 GMT 2001
"E. Larry Lidz" wrote:
> Rita Seplowitz Saltz writes:
> >The "good name" seems to me a good sales point.
> I'd love to hear other people's sales points.
We started out by giving senior management the overall picture
of what is happening on the Internet, here on campus, and the
possible effects. We didn't have to sell much. The incidents
and vulnerabilities spoke for themselves.
Then we started giving the same presentation to division heads
at their meetings. Eventually, people started asking "What can
I do at my particular computer" and R.U.N.S.A.F.E. was born.
It's now a 90 minute workshop.
An expanded version was given to all IT and lots of administrative
users. In that version, I spoofed an email message so it looked like
it came from IT or a department head. The message stated that a
hazardous new virus was spreading quickly around campus and everyone
needed to apply the attached Anti-Virus update manually. Prior to the
presentation, I had bound the SubSeven trojan to the Norton AV
update program and attached it to the spoofed email. In the
presentation, I showed how the update program ran normally, how
SubSeven notified me whenever someone ran the attachment, and what I
could do with it on their computers. Skeptics became believers. :)
In the more standardized R.U.N.S.A.F.E. workshop, I tell people right
up front that I'm going to spend the first 30 minutes scaring them
and the next 60 giving them the knowledge and tools to protect
themselves. I don't have to make stuff up. I just tell them what
we've seen. Evaluations of the workshop have all been positive with
"everyone needs to see this" a common comment.
So I guess one could say our sales point is fear but it's really
just explaining the current environment in terms of everyday
computer use. It's important that once awareness and concern
is raised this way, that tools and resources are provided to help
them regain a sense of comfort.
Individual sales points in that first 30 minutes are things like:
-instances of unpatched systems compromised within an hour of
being connected to the network
-what is compromised when someone else takes control of a
computer - FERPA, email, admin systems, shared drives, user
accounts on servers, instant messaging sessions, etc.
-possible legal and financial liability
-how the virus and worm writers have been relatively harmless to
us up to this point and what the alternatives may have been
-the alternative to controlling our own computers and communications
is having someone else do it for us
-the inherent vulnerabilities in our environment
-what it might mean if someone uses your computer to commit a crime
while you're at the keyboard
The next 60 minutes are spent discussing the first page of the
R.U.N.S.A.F.E. web site and making sure people can, at a minimum:
1) Check their AV software
2) Run Windows Update
3) Understand the implications of unknown code
The workshop "lab" is for them to go back to their desktops and
check their AV software, run Windows Update, and review the rest
of the R.U.N.S.A.F.E. materials.
Another sales point or motivator is that we distribute vulnerability
reports produced by a vulnerability scanner to all technical support
staff and their management. The vulnerabilities are sorted by
organization with stats like x out of y computers in this organization
have high risk vulnerabilities. Individual reports will also be emailed
to individual computer operators, including those in residence halls,
once some additional infrastructure is put in place.
Finally, security incidents go into the biweekly reports that go up
the line. A report like "the system was collecting passwords off the
network and was being accessed from four different countries" makes
everyone understand how interdependent we are.
This is all just starting to ramp up and I don't expect it
to have a big impact for at least another six months.
Security Engineer - Technical Services
James Madison University