There was an interesting conversation on Twitter today about security awareness and why the training so often fails. From my perspective, here's what I've seen:
- Most people know the basic rules.
- People will follow the basic rules until it interferes with something they want.
This is why security awareness generally fails. The problem isn't that folks aren't aware. If someone works in business nowadays and has to operate a computer for more than just a Point of Sale (POS) operation, that person likely knows the basic tips about security awareness. However, they still end up violating them.
- They click on links in emails from people they don't recognize.
- They open attachments promising to be the latest "funny" from people who don't normally send them.
- They write down their password because it's hard to remember.
- They share passwords to cover when people are out of office.
- They don't lock their workstation when they leave their work area.
These are basic rules. We've all been trained not to do them. However, when we are really curious and want to see some celebrity in a compromising position, we click the link. When we want to see the picture slideshow of kids doing crazy things, we open the attachment.
That's why the ideal system is the one people touch the least. When it comes to SQL Server, the folks who log on to the server should be few and the occurrences should be few and far between. The process to install something on a production server should meet with proper checks, because folks need to verify what's going on the server is okay to go on the server. Verification of server configs on a periodic basis, to include app installs, should happen and there should be some significant penalties/punishments to anyone caught knowingly violating the rules.
However, technology and processes only work as well as the people in charge of implementing them, the folks who must follow them, and the ones responsible for verifying they are being followed correctly. That's always going to be the weak link: people. To say we can architect the problem out of existence is to doubt the creativity of someone who wants to do something they don't feel is singificantly wrong. People are creative, especially when trying to do something folks don't want them to do. I never underestimate people and their capabilities. If you do, then you run the risk of being the weakest link.