Don’t blame the user
Monday, June 16th, 2008
There was an interesting post on the Security Bytes blog, reminding us that while many attacks are based on user susceptibility, it’s shortsighted to just blame the users. While many of us have favorite nasty acronyms to describe our users, the fact that their behavior enables many cyber attacks is as much our fault as theirs. In many cases, the users have had insufficient training and awareness to know that their behavior is unwise. It is up to us as technologists and security professionals to educate our users.
It is also a big problem that the most prevalent operating system on the corporate desktop (Windows XP) is usually configured so that users have local administrative rights to their workstation. Again, it would be easy to blame the victim, in this case the systems staff, for leaving their users with local admin or power user rights, but the fact is that a lot of Windows applications break if the user does not have elevated rights. I know of at least one company that made a good-faith effort to secure their desktop. The number of exceptions that had to be granted, and not just to software developers, was disheartening.