1/29/2014
09:08 AM
Bob Covello
Commentary

The Scariest End-User Security Question: What Changed?

Hitting employees over the head with fear, uncertainty, and doubt does little to help protect them from security threats. Is multi-factor authentication "by force" a better approach?

The other day, I was chatting with a friend who did not understand why she was all of a sudden having a problem connecting remotely to her office computer. I asked her what security product she had on her home machine, and she named one of the free products on the market. Of course, this caused me to shudder, as I thought everyone knew the phrase, "You get what you pay for."  

The conversation did not end there, however. My friend went on to say that she has been using the same laptop with the same settings for nine months "and it has been working fine." She then asked one of the scariest questions that anyone could ask a security professional: "What changed?"

My mind raced through all of the answers that I wanted to tell her:

  • Nine months ago, Target was doing a happy retail business with no thought of a 110 million customer account breach. 
  • Nine months ago, Adobe was merely providing some software to 150 million users. 
  • Nine months ago, Ed Snowden was just a simple sub-contractor working for a government agency. 

While all this was swimming in my head, I realized that hitting the end-user over the head with everything that has gone wrong would probably do little to make her understand why her remote access had mysteriously changed. Explaining that the entire threat landscape has changed would be equally useless. The question that I really needed to answer was why security professionals (myself included) aren't connecting better with our audience to make them more sensitive about how to protect themselves.

One approach to security that has long been used in the law enforcement community is the use of fear -- a tactic that is only marginally effective when it comes to computer security. There is a vast difference between explaining the dangers of a loaded weapon in the hands of a teenager, and the dangers of an unsecured computer. People simply don’t put the same stock in computer security as they do in physical security. 

Another approach to security education is the use of uncertainty. As security practitioners, we have known for years that you can never build a 100% secure system. So, how do we reconcile that concept and still question users about their certainty about computer security? 

A very popular approach to security education is that of doubt. However, using doubt as an educational tool only makes us look like a bunch of arrogant know-it-alls. So, the three most ineffective methods available are Fear, Uncertainty, and Doubt, or FUD, as they are affectionately known in the security community.

The new normal: multi-factor by force?
The real problem is finding a way to make the end-user -- co-workers, friends, or family -- more active in their own security posture. Humor is one possibility, though. While a witty approach (think Jon Stewart or Stephen Colbert) may be effective on TV or in comedy clubs, a funny joke or humorous anecdote won’t necessarily deliver a teachable moment that crosses cultures and is universally understood.

A new method of engaging users is "gamification," where security experts offer security education as a game to be played, complete with small rewards for correct responses. This can be fun and engaging in the short-term, but like most games, most people walk away from the gaming table and go back to their normal lives, forgetting the lessons of the game.

Right now, if a credit card is compromised, the user is not liable for any fraudulent charges. This is a good policy, as many of the credit card breaches are no fault of the user. But what about security breaches where the user is partially responsible? I’m thinking specifically of the common practice of using weak passwords on websites, which is a major attack vector for identity theft. Perhaps this can be the first step towards a more security-conscious society.

More aggressively, we are starting to see movement towards mandatory multi-factor authentication, as evidenced by the fingerprint reader on the latest iPhone.  (Thanks, Apple, for making multi-factor cool.) Some banking sites have implemented mandatory multi-factor login as well. An industry-wide use of "multi-factor by force" is exactly what is needed. I say this not to simply shift our users’ mindset, but to make it part of a new normal Internet behavior. 

If we can make multi-factor a part of the new security landscape rather than using FUD as part of the threat landscape, maybe that small but necessary shift will make users more receptive to changes that will protect them. As time progresses, this new user-awareness could have a wonderfully cascading effect of making people stop and think before clicking a malicious link or using a free security product.

Or am I being too optimistic? 

Bob Covello is a 20-year technology veteran who is passionate about security-related topics.

Comments
Marilyn Cohodas
User Rank: Strategist
1/30/2014 | 11:03:20 AM
Re: Too optimistic about multi-factor authentication 'by force'
That might work for me if my cat cooperates!
Bob Covello
User Rank: Apprentice
1/30/2014 | 10:58:57 AM
Re: Too optimistic about multi-factor authentication 'by force'
"I tried once and forgot the password" - GASP!

One person submitted this method of never losing the password: He had the password embossed on a dog tag that was then placed on the neck of his Doberman.  How's THAT for a level of security?

 
Marilyn Cohodas
User Rank: Strategist
1/30/2014 | 10:49:40 AM
Re: Too optimistic about multi-factor authentication 'by force'
You make a good point about the Lost / Stolen / Broken / Drowned device. As for password managers, (embarrassingly painful admission) I tried one once and then forgot the password.
Bob Covello
User Rank: Apprentice
1/30/2014 | 10:45:37 AM
Re: Too optimistic about multi-factor authentication 'by force'
Marilyn:

I agree in part with the statement that "everyone" has a cell phone, but in the many years that I have been working supporting those mobile devices, the Lost / Stolen / Broken / Drowned devices exceed the number of retained devices.

No one can afford to carry two phones simply to have a backup for authentication, but for a small fee, one can register multiple Yubikey devices on the same account. 

I hope you don't mind my constant mention of the Yubikey device, but it just seems to work perfectly when coupled with the correct password manager.

Password manager??  That is a topic of another discussion ...

 
Marilyn Cohodas
User Rank: Strategist
1/30/2014 | 10:08:15 AM
Re: Too optimistic about multi-factor authentication 'by force'
Bob, I think the ubiquitous cell-phone is perfect as a Multi-factor authentication device. Everyone has one! What's your issue with them?
Marilyn Cohodas
User Rank: Strategist
1/30/2014 | 10:05:50 AM
Re: Too optimistic about multi-factor authentication 'by force'
So as long as the losses are lower than the cost of doing things right, people will continue to have security issues over and over again.

Clement, I can't disagree with your argument about the ROI on security investments. It's the reason Target backed off its endorsement of smart cards a decade ago. But just last week Target CEO Gregg Steinhafel called on other retailers and banks to push for EMV adoption. Will anything change? I don't know but I certainly hope so.
Bob Covello
User Rank: Apprentice
1/29/2014 | 12:18:24 PM
Re: Too optimistic about multi-factor authentication 'by force'
Marilyn:

Two things are different now: First is the amazing volume of compromises that we have been witnessing.
Second: up until a few years ago, most folks did not carry a 2nd Factor authenticator with them. 
I am not a strong supporter of the cell-phone as a multi-factor device, but one cannot deny the behavioral change it has caused. I am challenged to find anyone who is without a cell-phone.
(I prefer a one-time-password generator such as the Yubico Yubikey - smaller than a cell phone and way more durable, but not in universal use YET.)
Bob Covello
User Rank: Apprentice
1/29/2014 | 11:59:26 AM
Re: Too optimistic about multi-factor authentication 'by force'
Clement:

Thanks for your thoughtful response.

I am confident that the USA will soon be changing their credit card technology, as there will start to be a public outcry.  The idea that a person cannot buy something as simple as a pair of socks at Target, or a glue stick at Michael's without putting their identity at risk will begin to have an impact.  There I go being an optimist again!

For any of the readers who are not familiar with Clement, he is a MASTER at security-related information. His tireless efforts at educating others are legendary, and his web site is an essential tool for anyone who wants to pass any InfoSec Exam. https://www.cccure.com/cart/

I am flattered and honored to be in such good company!

 
clementdupuis
User Rank: Apprentice
1/29/2014 | 10:44:02 AM
Re: Too optimistic about multi-factor authentication 'by force'
Good day Bob,

The problem is not one of technology, the problem is one of attitude toward security.

Security should be risk based, however today in the USA it is based on  total loss versus cost of doing things right.   So as long as the losses are lower than the cost of doing things right, people will continue to have security issues over and over again.


The use of token based authentication tools have been used in Europe for years, I am talking more than a decade in most countries. It is only catching up in North America.

We bitch about card theft, but yet we still don't have chip enabled cards which would greatly help in such cases. Once again cost of card replacement versus potential losses.

Answering your question: What has changed? When I look at computer security nothing has changed and it is unlikely to change quickly in the future. History is repeating itself over and over again. You just change the name of the company that was the victim and the remainder of the text would still apply.


Best regards

Clement

 

 
Drew Conry-Murray
User Rank: Ninja
1/29/2014 | 10:32:31 AM
Re: Too optimistic about multi-factor authentication 'by force'
I think multi-factor authentication for consumers is a good idea, and mobile phones make it easier because that can serve as a second factor (the standard user-name/password is something you know, and the phone is something you have). The provider can send a text message with a code that the user can enter into a site, whether as part of the log-in or for something like requesting a password change. It's not perfect, but it's much more manageable for the consumer than having to juggle a bunch of hardware tokens or waiting for every computing device to come with a fingerprint reader.