Questions tagged [user-education]

Education aimed at helping users meet their security-related responsibilities.

Many systems' security properties only hold when users follow certain rules. User education is aimed at making users aware of these rules. For example,

  • Letting managers know how to delegate enough authority without delegating all of it, and without muddying audit logs by sharing their login credentials.
  • Preventing social engineering by letting employees know how to verify that the person on the other end of the phone is an employee with access rights, or by making it clear that all information requests go through the system.
  • Ensuring strong passwords and making sure employees know not to share them with tech support.
  • etc.
93 questions
172 votes, 26 answers

Convince people not to share their password with trusted others

IT workers are usually trusted by their family members, who readily share passwords (Facebook, email, Twitter, you name it!) so they can get easy help to set whatever parameter they don't find, or an explanation of a challenging situation. I always try…
Auzias
166 votes, 10 answers

How do you explain the necessity of "nuke it from orbit" to management and users?

When a machine has been infected with malware, most of us here immediately identify the appropriate action as "nuke it from orbit" - i.e. wipe the system and start over. Unfortunately, this is often costly for a company, especially if backups are…
Polynomial
103 votes, 19 answers

How to explain to traditional people why they should upgrade their old Windows XP device?

This is an issue I'm recurringly facing: older people from my family (or people who my family members know) can be surprisingly reluctant to apply most basic security measures when they're using their PCs. The particular issues vary, but this time…
gaazkam
89 votes, 16 answers

How to tell users that they shouldn't disclose their password over the phone to our help desk?

I work for a help desk, and we recently launched an online service where our members can log in. A problem we are having is that users who are calling us often ask us to confirm that the password handed in to them is correct. By doing so, they…
Terry
88 votes, 12 answers

When is phishing education going too far?

I currently work on the IT security team at my workplace in a senior role. Recently, I assisted management in designing the phishing / social engineering training campaigns, by which IT security will send out phishing "test" emails to see how aware…
Anthony
81 votes, 19 answers

Good analogy needed: Sec issues due to different coders implementing the same features in different ways for the same app

I have to give a school presentation about vulnerabilities found in the Moodle platform. Of course, they only apply to a legacy version which has since been patched. The catch is that the presentation should be aimed at an audience with no technical…
SuperSpitter
74 votes, 8 answers

Is forcing users to use a strong password effective?

I am designing a service that would, among other things, store sensitive information. To ensure no unauthorized access of this information, it would be encrypted with a key derived from their password (PBKDF2). The password will be stored in a…
Stephan Heijl
71 votes, 17 answers

Why do law-abiding citizens need strong security?

The layman's counter-argument I run into for any complaint about inadequate security seems to always take the form: You don't need security if you aren't doing something illegal. This kind of response is frustrating to say the least. In part…
Ian C.
66 votes, 9 answers

Why does one need a high level of privacy/anonymity for legal activities?

This question is sort-of spun off of a previous one. Why do law-abiding citizens need strong security? There are a lot of great security-focused answers there. However, I think the true question that is brought up is more about privacy and…
Iszi
45 votes, 8 answers

Should I bother teaching buffer overflows any more?

The students are skeptical that turning off non-executable stacks, turning off canaries and turning off ASLR represents a realistic environment. If PaX, DEP, W^X, etc., are effective at stopping buffer overflow exploits, is there still value in…
Fixee
40 votes, 6 answers

Can malware be dangerous even when quarantined?

I am reading a book on network security and when talking about user confusion it writes: "It is not uncommon for a user to be asked security questions such as Is it safe to quarantine this attachment? With little or no direction, users are…
37 votes, 6 answers

Teaching a loved one about secure coding practices

This might be far too narrow, but it is a unique problem to ITSec professionals. A loved one is just starting out in a new programming career and I get the joy of watching her learn the most basic programming concepts from scratch. She is at the top…
schroeder
34 votes, 7 answers

How do I educate others about social engineering?

One of my friends used to boast about how long his passwords are. One day, I decided to play a prank and social-engineered it out of him. I was pretty surprised as to how effortless the entire procedure was, and how oblivious others can be. Many of…
Manishearth
33 votes, 4 answers

How does an end user differentiate between OV and DV certificates?

This is a very good link that explains the different types of SSL certificates and the level of trust provided by them. An Extended Validation (EV) certificate is easily identified by the green color in the address bar and the name of the…
Shurmajee
32 votes, 5 answers

How do I know if a Google Chrome extension is leaking data?

Many Google Chrome extensions require permissions to read the contents of webpages the user visits. How can the user verify whether and to what extent a certain Chrome extension leaks data?
gen