When you talk about security with industry professionals and experts, one subject will almost invariably arise. No, not APT, DDoS or Threat Intelligence. Ok, well, maybe. In this case, I’m referring to “the people problem.” You’ve probably heard it described in a number of different ways. Let’s take a look at some of the more common ones.
Number one on the list is the weak, recycled password. You know the story. The most common passwords often look something like “password” or “123456.” The previous two examples have traded first and second place in the last couple of years. Then there are the obvious recyclers like John Doe, who uses the password “johndoe” for every account he owns. Speaking of passwords, how about all of those sticky notes hanging off computer monitors with usernames and passwords scribbled on them? Next, there are the “borrowed” usernames and passwords, where another familiar scenario plays out. John Doe forgot his password and just needs to quickly grab a file, so a coworker says, “just use my login.” Familiar?
Okay, let’s talk for a minute about physical security, which is probably a better example of the “borrower.” Forgot your security access badge at home? No problem, just use mine. Have a visitor that needs access? Loan them your badge. Tired of having to badge in/out or open the door for guests? That’s why we keep that rock next to the door — just wedge it open. Many of you have probably at least witnessed, if not participated in, all of these at one time or another.
To be fair, these are the really obvious ones that any security professional will avoid by sheer habit or at least on principle. But what about the more subtle problems like computer malware? How does the average user know whether to approve the dialog box asking to install or upgrade software, especially if it’s cleverly disguised? Even more challenging: the phishing campaigns and social engineering that certainly appear safe and from a trusted source? Can we really expect the typical end user to discern whether that email from the IT department instructing them to click on an embedded link is legitimate?
Lastly, there’s what I’ll call the nuisance problem. The more we ask our beleaguered end users to understand and get involved in securing resources, the less they are likely to appreciate it. Why do you suppose those passwords are so lame in the first place? Because they are easy to remember. And why are they so often reused and written down everywhere? Simple: the average user can’t remember 136 different username and password combinations. Sure, a good administrator will set a password policy similar to this: require a new password every 3 months with at least one lowercase letter, one uppercase letter, one special character, one number, with a minimum of 10 total characters and no repeats of the last 10 passwords. Sound good? Maybe, if you only have one system to access, but it’s more likely you have dozens, each with slightly different password minimum requirements.
I sometimes hear security professionals express frustration or exasperation about these naive end users. Vendors constantly promise to deliver them an “idiot proof” solution and yet there always seems to be a better idiot out there. I suggest we consider a different approach to security that can be measured in overall effectiveness and broad compliance. One that tries to bring usability and productivity to at least a close second, if not on par with security.
I realize this is easier said than done, so here are a few discrete examples. Instead of giving users an unmanageable and inconsistent set of password requirements, give them some tools like integrated password management and secure password generation to ease the burden of remembering the “thing you know.” Look at augmenting with biometrics or two-factor authentication on mobile phones so the “thing you have” is not a burden but something they already have with them anyway.
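The two threads above, the policy described earlier (minimum 10 characters, one lowercase, one uppercase, one digit, one special character, no repeat of the last 10 passwords) and the suggestion to hand users a secure password generator so that policy stops being a memory burden, can be shown together in a small amount of code. The following is an added example written for this page, not code from Arbor or from any product it describes. It assumes PBKDF2-HMAC-SHA256 with a per-entry random salt for the password history (so old passwords are never stored in plaintext), a constructed iteration count, and `string.punctuation` as the set of "special" characters; the 3-month rotation interval is not enforced here because that needs a timestamp store rather than a rule check.

```python
import hashlib
import hmac
import os
import secrets
import string

# Policy parameters, taken from the policy described in the post.
MIN_LENGTH = 10
HISTORY_DEPTH = 10
SPECIALS = string.punctuation           # assumption: what counts as "special"
PBKDF2_ITERATIONS = 20_000              # constructed value for the example; tune upward in production


def complexity_problems(password: str) -> list[str]:
    """Return the complexity rules the candidate fails (an empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    return problems


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest of the password (assumed KDF for the example)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PasswordHistory:
    """Keeps the last HISTORY_DEPTH passwords as (salt, digest) pairs, never as plaintext."""

    def __init__(self) -> None:
        self._entries: list[tuple[bytes, bytes]] = []

    def seen(self, password: str) -> bool:
        # Each entry has its own salt, so the candidate is re-derived per entry;
        # compare_digest avoids leaking which entry matched through timing.
        return any(hmac.compare_digest(_hash(password, salt), digest)
                   for salt, digest in self._entries)

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, _hash(password, salt)))
        del self._entries[:-HISTORY_DEPTH]   # drop anything older than the newest HISTORY_DEPTH


def change_password(history: PasswordHistory, candidate: str) -> list[str]:
    """Apply the full policy; on success record the password and return an empty list."""
    problems = complexity_problems(candidate)
    if history.seen(candidate):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    if not problems:
        history.record(candidate)
    return problems


def generate_password(length: int = 16) -> str:
    """Generate a password that satisfies complexity_problems() using the secrets module."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, SPECIALS]
    if length < len(classes):
        raise ValueError("length must allow one character from each class")
    # One guaranteed character per class, the rest from the union of all classes.
    chars = [secrets.choice(cls) for cls in classes]
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(classes))]
    # Fisher-Yates shuffle driven by secrets, so the class positions are not predictable.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


if __name__ == "__main__":
    history = PasswordHistory()
    for attempt in ["password", "johndoe", generate_password()]:
        print(repr(attempt), "->", change_password(history, attempt) or "accepted")
```

The point of pairing the two halves is that the generator produces something the validator accepts on the first try, which is exactly the "ease the burden" argument: the policy can stay strict without the user having to invent a compliant string by hand.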
Just like you’d run a pilot before rolling out new software, try the same with new security policies. You might just get some great feedback that will not only improve security, but also increase compliance and overall user satisfaction. Looking for a more automated or sophisticated solution? How about improving network-based detection and mitigation while lowering false positive rates? That would certainly cut down on the number of potentially bad decisions an end user could make. Providing a safer environment is something we can do and it doesn’t have to be so obtrusive.
The post Security’s People Problem appeared first on Arbor Insights - Our People, Products and Perspective.