By Nick Race. Nick is Country Manager for New Zealand for Arbor Networks, a leading provider of DDoS and advanced threat protection solutions for enterprise and service provider networks.
When you talk about modern-day technology security with industry professionals and experts, one subject will almost invariably arise, and I am not talking about the sophisticated technical threats I normally cover, such as DDoS or even hacking. In this case, I’m referring to “the people problem”.
If the multiple defences that Australian companies set up to keep their networks secure are looked at as a chain, the people are often the weak link. The reason for that is not that employees are stupid, or malicious, or don't care about security. More often than not, it's simply a lack of education. Let’s take a look at some of the more common problems that can occur.
Number one on the list is the weak, recycled password. You know the story; the most common passwords often look something like “password” or “123456”. The previous two examples have switched from first and second place a few times in the last couple of years.
Next, there are the obvious recyclers like John Smith, who uses the password “johnsmith” for every account he owns. Speaking of passwords, offices across the country are full of sticky notes hanging off computer monitors with usernames and passwords scribbled on them. Then there are those who think they are being clever by saving them in their contacts or in a file called “passwords”, which is not so great when their laptop is stolen and there is no password protecting access to it.
Then there are the “borrowed” usernames and passwords, where another familiar scenario plays out. John Smith forgot his password and just needs to quickly grab a file, so a colleague says: “you can just use my login.” Sound familiar? This happens all too often in workplaces across Australia.
We should also think about physical security, which is probably a better example of the “borrower.” Forgot your security access badge at home? No problem, just use mine. Have a visitor that needs access? Loan them your badge. Tired of having to badge in/out or open the door for guests? That’s why we keep that rock next to the door -- just wedge it open. Many of you have probably at least witnessed, if not participated in, all of these at one time or another.
To be fair, these are the really obvious ones that any security professional will avoid by sheer habit or at least on principle. But what about the more subtle problems like computer malware? How does the average user know whether to approve the dialog box asking to install or upgrade software, especially if it’s cleverly disguised? Even more challenging are the phishing campaigns and social engineering that certainly appear safe and look like they come from a trusted source. Can we really expect the typical end user to know whether that email from the IT department instructing them to click on an embedded link is legitimate?
Lastly, there’s what I’ll call the nuisance problem. The more we ask our beleaguered end users to understand and get involved in securing resources, the less they are likely to appreciate it. Why do you suppose those passwords are so lame in the first place? Because they are easy to remember! And why are they so often reused and written down everywhere? Simple: the average user can’t remember 136 different username and password combinations. Sure, a good administrator will set a password policy similar to this: require a new password every three months with at least one lowercase letter, one uppercase letter, one special character and one number, a minimum of ten characters in total, and no repeats of the last ten passwords. Sound good? Maybe, if you only have one system to access, but it’s more likely you have dozens, each with slightly different minimum password requirements.
I sometimes hear security professionals express frustration or exasperation about these naive end users. Vendors constantly promise to deliver them an “idiot-proof” solution, and yet there always seems to be a better idiot out there. I suggest we consider a different approach to security, one that can be measured in overall effectiveness and broad compliance and that tries to bring usability and productivity to at least a close second, if not on par with security.
I realise this is easier said than done, so here are a few discrete examples. Instead of giving users an unmanageable and inconsistent set of password requirements, give them some tools like integrated password management and secure password generation to ease the burden of remembering the “thing you know.” Look at augmenting with biometrics or two-factor authentication on mobile phones so the “thing you have” is not a burden, but something they already carry with them anyway.
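To make the two points above concrete, here is an added example (not code from the author or from Arbor Networks) that encodes the password policy described earlier (ten characters, one lowercase, one uppercase, one digit, one special character, no reuse of the last ten) as a checker, and pairs it with a CSPRNG-based generator of the kind a password manager would offer so the user never has to invent a compliant password themselves. The special-character set, the sample password history and the tiny wordlist are constructed assumptions; real systems store password history as hashes rather than plaintext, which is simplified here so the example runs stand-alone. The entropy helpers show why a memorable passphrase and a random character string are not the same thing, even when both "look strong".

```python
import math
import secrets
import string

# Policy from the column: at least ten characters, one lowercase letter, one
# uppercase letter, one digit, one special character, no reuse of the last ten.
# The SPECIALS set is an assumption; the column does not define one.
MIN_LENGTH = 10
HISTORY_DEPTH = 10
SPECIALS = "!@#$%^&*-_=+"
ALPHABET = string.ascii_letters + string.digits + SPECIALS


def check_policy(password, previous=()):
    """Return the list of policy rules the password breaks (empty list = compliant).

    `previous` is the user's password history, newest last. Real systems keep
    hashes rather than plaintext; plaintext is used here only so the example
    runs offline.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    if password in tuple(previous)[-HISTORY_DEPTH:]:
        problems.append("matches one of the last %d passwords" % HISTORY_DEPTH)
    return problems


def generate_password(length=16):
    """Generate a random password from the OS CSPRNG that satisfies check_policy().

    Rejection sampling keeps the result uniform over compliant strings; patching
    in a missing character class afterwards would skew the distribution.
    """
    if length < MIN_LENGTH:
        raise ValueError("length must be at least %d" % MIN_LENGTH)
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_policy(candidate):
            return candidate


def generate_passphrase(wordlist, words=4, separator="-"):
    """Generate a memorable passphrase of `words` entries chosen uniformly from wordlist."""
    return separator.join(secrets.choice(wordlist) for _ in range(words))


def random_password_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy in bits of a uniformly random string of `length` characters."""
    return length * math.log2(alphabet_size)


def passphrase_bits(words, wordlist_size):
    """Entropy in bits of a passphrase of `words` uniformly chosen words."""
    return words * math.log2(wordlist_size)


if __name__ == "__main__":
    # Constructed sample history for the demonstration.
    history = ["Spring2019!", "Summer2019!", "Autumn2019!"]
    print(check_policy("password"))              # several violations
    print(check_policy("Autumn2019!", history))  # reuse is caught
    pw = generate_password()
    print(pw, check_policy(pw))
    # Constructed toy wordlist; a real diceware-style list has thousands of entries.
    wordlist = ["correct", "horse", "battery", "staple", "river", "candle"]
    print(generate_passphrase(wordlist))
    print("16 random characters: %.1f bits" % random_password_bits(16))
    print("4 words from a 7776-word list: %.1f bits" % passphrase_bits(4, 7776))
```

Note that a four-word passphrase fails the complexity rules above despite carrying a respectable amount of entropy, which is exactly the tension the column describes: a rule set tuned for random strings pushes users toward unmemorable passwords, and a generator or password manager is what removes that burden rather than another rule.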
Just like you’d run a pilot before rolling out new software, try the same with new security policies. You might just get some great feedback that will not only improve security, but also increase compliance and overall user satisfaction. Looking for a more automated or sophisticated solution? How about improving network-based detection and mitigation while lowering false positive rates? That would certainly cut down on the number of potentially bad decisions an end user could make. Providing a safer environment is something we can do and it doesn’t have to be so obtrusive.