
Humans Continue To Be "Weak Link" In Data Security

ChiefMonkeyGrinder writes "Nearly 90 percent of IT workers in the UK have said a laptop in their organization has been reported lost or stolen, new research has found. Sixty-one percent said that this then resulted in a data breach, according to the '2010 Human Factor in Laptop Encryption Study: United Kingdom,' a report produced by the Ponemon Institute for Absolute Software."
  • Security Failings (Score:5, Insightful)

    by Y2KDragon ( 525979 ) on Monday March 15, 2010 @08:54AM (#31480740)
    Strong password requirements are a big part of the problem. We can teach people how to make more complicated passwords. But the draconian policies set by some sites make it almost impossible to maintain any degree of security. Make the password requirement difficult enough, and people HAVE to write it down and keep it in an insecure location just to make it usable.
  • Encryption and you (Score:5, Insightful)

    by Kaldesh ( 1363017 ) on Monday March 15, 2010 @09:02AM (#31480812)
    I really fail to see why so many of these companies fail to use common sense. The first thing we do as an IT staff in my organization with laptops is encrypt them. Use something like Truecrypt, enable full drive encryption and set a good password. Laptop gets stolen? You're out the cost of the physical hardware that was taken from you... but the data that was on the machine? You can rest easy that you took every precaution you could to keep it safe. Of course, I work in the health care field so, any laptops, tablets, netbooks etc that have any ePHI (Electronic Protected Health Information), have to be secured. We just take our security practices a step further and do it to all of them. Which is worse? Having your users gripe a bit about an extra password? Or having data stolen? It's saved us once already as a laptop was stolen last year on a business trip.
  • by bsDaemon ( 87307 ) on Monday March 15, 2010 @09:02AM (#31480818)
    Humans may be the weak link in information security, but the information is only useful to humans so it's not as if we can remove ourselves from the system. Well, we could, and then go back to invisible inks, hand ciphers and cars that actually stop, but these days people probably wouldn't want to do that.
  • Huh? (Score:1, Insightful)

    by Anonymous Coward on Monday March 15, 2010 @09:09AM (#31480880)

    This is news?

  • by Akido37 ( 1473009 ) on Monday March 15, 2010 @09:17AM (#31480958)

    Humans may be the weak link in information security, but the information is only useful to humans so it's not as if we can remove ourselves from the system. Well, we could, and then go back to invisible inks, hand ciphers and cars that actually stop, but these days people probably wouldn't want to do that.

    I'm glad we've moved past the Stone Age with their silly ideas about "braking systems". Things are so much better now without them.

    :-)

  • by Sycraft-fu ( 314770 ) on Monday March 15, 2010 @09:21AM (#31480990)

    Not only making it too hard, but making changes too frequent. If someone has to change their password once a month, they will have trouble remembering it. They'll make it as simple as the security will allow and write it down (maybe multiple places).

    What it comes down to is if you feel the data you are protecting is important enough that it needs to have a complex password and such, what it really needs is two factor security. Something like a SecureID token or whatever. That makes it near impossible to break in as you have to get the password AND the token and you have to make use of it before the token's absence is noted.

    Being a jerk about password policy is no replacement for a better security system over all, and in fact can make your stuff less secure than you think. You are ultimately dealing with people and as such you can't expect them to be perfect with their memories. You need to adapt your security to them, not demand they adapt.

    You also have to simply accept that there's no such thing as perfect security. You can't have a system that can't be broken no matter what. Thus you need to make it as good as you can, have defense in depth (multiple security layers such that if one is breached not everything is bypassed), and remain vigilant.

  • by L4t3r4lu5 ( 1216702 ) on Monday March 15, 2010 @09:23AM (#31481024)
    Make it long, make it simple.

    Passphrases are the way forward. Ih4t3MSoft may well satisfy Microsoft's Secure Password policy of 7 characters, one upper, one lower case, one non-alphabetical. However, it's nowhere near as secure (from a brute-force perspective) as ihaterubbishmicrosoftsoftware.

    N.B. Not Anti-MS trolling, just picking phrases as they come to mind.
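To put numbers on the comparison in the post above, here is an added example (not part of the thread) that estimates the brute-force search space of both strings from their length and character classes, checks each against the kind of 7-character complexity rule the post quotes, and also shows the caveat a defender should keep in mind: a passphrase built from dictionary words is weaker against a word-level guessing attack than the character-level figure suggests. The 7-character minimum and the 20,000-word vocabulary are assumptions chosen for illustration.

```python
import math
import string

# Character classes an attacker must cover when guessing at the character level.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}


def alphabet_size(password: str) -> int:
    """Size of the union of every character class that appears in the password."""
    size = 0
    for chars in CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    return size


def brute_force_bits(password: str) -> float:
    """log2 of the keyspace for an attacker who knows only the length and the classes used."""
    return len(password) * math.log2(alphabet_size(password))


def satisfies_complexity_policy(password: str, min_len: int = 7) -> bool:
    """Assumed policy from the post: >= 7 chars, one upper, one lower, one non-letter."""
    return (
        len(password) >= min_len
        and any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(not c.isalpha() for c in password)
    )


def dictionary_bits(word_count: int, vocabulary_size: int) -> float:
    """Caveat: keyspace if the attacker guesses whole words from a known word list
    instead of single characters. This is the realistic bound for passphrases."""
    return word_count * math.log2(vocabulary_size)


def compare(short: str, passphrase: str, words_in_passphrase: int, vocabulary_size: int) -> dict:
    """Return both estimates side by side so the trade-off is visible."""
    return {
        "short_bits": round(brute_force_bits(short), 1),
        "short_passes_policy": satisfies_complexity_policy(short),
        "passphrase_char_bits": round(brute_force_bits(passphrase), 1),
        "passphrase_passes_policy": satisfies_complexity_policy(passphrase),
        "passphrase_dictionary_bits": round(dictionary_bits(words_in_passphrase, vocabulary_size), 1),
    }


if __name__ == "__main__":
    # The two strings from the post; the passphrase is 4 words ("i hate rubbish microsoft software"
    # is 5 tokens, but we treat it as 4 content words for the dictionary estimate).
    result = compare("Ih4t3MSoft", "ihaterubbishmicrosoftsoftware", words_in_passphrase=4, vocabulary_size=20000)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The character-level figure (about 60 bits versus about 136 bits) supports the post's point, and the policy check shows that the stronger string is the one the rule rejects. The dictionary estimate (about 57 bits for four words from a 20,000-word list) is the number to plan around when passphrases are drawn from common vocabulary; more words, or words outside a common list, is what actually raises it.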
  • One word: (Score:3, Insightful)

    by L4t3r4lu5 ( 1216702 ) on Monday March 15, 2010 @09:24AM (#31481026)
    Wargames.
  • by Aceticon ( 140883 ) on Monday March 15, 2010 @09:32AM (#31481096)

    Draconian IT Security policies that end up achieving the opposite effect are caused by the same underlying problems as the theatrical Security that's currently done in most airports:

    • If a Well-Balanced Security policy is in place and Something Bad happens, they blame the Security guys. If a Draconian Security policy is in place and Something Bad happens they can blame the person that "went around the security" (i.e. wrote a password on a piece of paper)
    • When a new widget/software is proclaimed as the next silver bullet, if Security gets it and Something Bad happens, they're the ones blamed, if they do get it, then they can blame the widget/software
    • The guy that prevented thousands of Bad Somethings never got promoted to management, since Nothing Happened. The guys that get promotions are the ones that make a Heroic Recovery when Something Bad happens
    • Billions of man-hours wasted can easily be ignored when spread over many people as many small hassles.

    The blame here is in Management - rewards and punishment are distributed on the basis of easily observable artifacts of The Work instead of looking at the hard to define and hard to measure Results.

    This problem is very common in all kinds of professions and in most countries ...

  • by Sycraft-fu ( 314770 ) on Monday March 15, 2010 @09:32AM (#31481102)

    I'm not saying there aren't plenty of places that encryption is useful security, but I see it far oversold as a panacea. That something is encrypted doesn't mean it is secure. A great example of that would be copy protected games or movies. They use encryption to secure their data. Often it is quite good encryption. AACS uses 128-bit AES crypto, doesn't get much stronger or more tested than that. Yet, it is all for naught. Games are cracked, Blu-Rays are copied and so on. Why? Well because the decryption key is on the disc somewhere. Obfuscate all you like, if the key is there you are screwed.

    Same deal with encryption in terms of security for your data. Encryption is useful for data in transit over insecure channels, the Internet being the main one. So long as only your computer and the remote computer have the key, there'll be no snooping on what is going on. Encryption is also useful against physical theft in the case of a laptop or something. If they grab the computer but can't get the password (and the computer isn't logged in or the like) then they can't get the data.

    However, encryption isn't useful a whole lot outside of that. For example encrypting data on your desktop won't do much against a remote attack. You have to get in to said data and so when you decrypt it, the key and/or data can be captured. You'd be just as well off with unencrypted data overall. Likewise encryption does little to nothing against a social engineering type of attack.

    So I'm not saying "Don't use encryption," just that you should think about when to use it, if it is doing any good. Don't sell encryption as something you need to always do, because it isn't useful and can lead to a false sense of security.

  • by vlm ( 69642 ) on Monday March 15, 2010 @09:32AM (#31481112)

    Not only making it too hard, but making changes too frequent.

    You always know you're dealing with someone incompetent when that's a requirement.

    You need to change your pass code on door locks because the used digits begin to look physically different than the unused digits.

    You need to change ENCRYPTION KEYS occasionally to avoid known plaintext attacks, some MITM issues, and some other esoteric stuff.

    Encryption keys and door passcodes are kind of security related, and login passwords are security related, therefore they must be the same (if you're stupid) so you must change your login password on a regular basis.

    Some people confuse two of the A's in AAA. Login passwords are for "authorization". "Accounting" is where you catch multiple people using the same login, not "authorization".

    Finally there's the idiots that think good security must be inconvenient, therefore ANYTHING inconvenient must inherently be secure.

    The only reason you have to change your password on a regular basis is basically, stupid people quoting other stupid people saying it's important because they heard other stupid people saying it, aka an urban legend. Nothing more.

    Oddly enough the same morons who claim changing passwords increases security, also believe biometrics are more secure because you can't change your fingerprint... or can you?

  • by swb ( 14022 ) on Monday March 15, 2010 @09:58AM (#31481382)

    ...without strong countermeasures to prevent the data from being exploited?

    I guess I don't understand why, if some chunk of data is critically important, that the organization would allow it to be dragged out of the office on a laptop. The data should be required to stay in the office with access from outside the office only on a business-critical basis and with strong security requirements (i.e., VPN-only accessible terminal server, all using RSA tokens).

    And if it MUST go out of the office on a laptop, why aren't very strong encryption measures being taken into consideration, including whole-disk encryption with failed-access data wiping?

    I see so many people with laptops who don't really need portability. Most of the time they have a laptop because it's a token of their importance to the organization or some kind of freebie (they have a desktop, too, but the laptop is so they can "work from home" but is really just a free home computer).

    The other thing weird about this is that 61% of the lost laptops resulted in a security breach! Most of the people I've dealt with who had laptops were by and large wankers with company data of interest to almost no one; at worst you might be able to reverse a cached password or raid the browser passwords for something trivial.

    And who is stealing laptops? In the US, a lot of that theft is just petty theft for quick cash -- drug addicts, gang members, losers looking for something they can pawn or turn on the street for $200. It's really not info security experts.

  • by TejWC ( 758299 ) on Monday March 15, 2010 @10:09AM (#31481474)

    ... is because computers do exactly what they are told to do [smbc-comics.com].

  • by Anonymous Coward on Monday March 15, 2010 @10:10AM (#31481490)

    Absolute Software - The absolute best way to track, manage and protect your digital world.
    Tracking software to aid recovery of lost or stolen computers. Also software for hardware/software inventory and software license management.

    There's a reason why Absolute Software is talking this up...

    Just sayin'

  • by CohibaVancouver ( 864662 ) on Monday March 15, 2010 @10:18AM (#31481564)

    And who is stealing laptops? In the US, a lot of that theft is just petty theft for quick cash -- drug addicts, gang members, losers looking for something they can pawn or turn on the street for $200. It's really not info security experts.

    True, but the problem is you need to treat every theft like a security breach - So while an encrypted laptop with a SecurID token in the laptop bag was probably stolen by a junkie, you just don't know whether or not the final 'owner' is noodling through the data.

  • by Spad ( 470073 ) <slashdot.spad@co@uk> on Monday March 15, 2010 @10:22AM (#31481606) Homepage

    Making password resets that common is bad security practice in itself unless you have a good process in place for verifying the identity of the user requesting the reset. Far too many helpdesks will happily reset "your" password for you without even cursory checks as to who you are.

  • Uhm. DUH!?!?!? (Score:3, Insightful)

    by Chas ( 5144 ) on Monday March 15, 2010 @10:33AM (#31481782) Homepage Journal

    You can have your shit locked down 6 billion ways to Sunday.
    The minute you introduce the human element into it, you have a massive security hole that can be patched, but NEVER closed.
    You can train and train and train. Ennui sets in and their brains shut off after a while.
    You can have the most draconian policies regarding proper usage. People will still circumvent it, accidentally or deliberately.
    You can fire people. It just creates ill will and the damage is already done.
    And, if it happens to be the owner of the company doing the circumvention there's jack and shit you can do about it.

    I'm sorry, but anyone who tells you that security is about "keeping the bad guys out" is SELLING YOU SOMETHING (see: "How much for my large and stinky pile of crap?"). Nothing more.
    Security is about putting enough roadblocks in place that attackers begin looking for easier targets so they can maximize their returns on time invested.
    If someone wants into your systems bad enough, THEY WILL GET IN. Period.
    The job of security is to make this interval as long as possible so they can maximize the chances of catching them before they get in or forcing them into something spectacular and HIGHLY traceable.
