Operations // Identity & Access Management
1/29/2014
09:08 AM
Bob Covello
Bob Covello
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail
100%
0%

The Scariest End-User Security Question: What Changed?

Hitting employees over the head with fear, uncertainty, and doubt does little to help protect them from security threats. Is multi-factor authentication "by force" a better approach?

The other day, I was chatting with a friend who did not understand why she was all of a sudden having a problem connecting remotely to her office computer. I asked her what security product she had on her home machine, and she named one of the free products on the market. Of course, this caused me to shudder, as I thought everyone knew the phrase, "You get what you pay for."  

The conversation did not end there, however. My friend went on to say that she has been using the same laptop with the same settings for nine months "and it has been working fine." She then asked one the scariest questions that anyone could ask a security professional: "What changed?"

My mind raced through all of the answers that I wanted to tell her:

  • Nine months ago, Target was doing a happy retail business with no thought of a 110 million customer account breach. 
  • Nine months ago, Adobe was merely providing some software to 150 million users. 
  • Nine months ago, Ed Snowden was just a simple sub-contractor working for a government agency. 

While all this was swimming in my head, I realized that hitting the end-user over the head with everything that has gone wrong would probably do little to make her understand why her remote access had mysteriously changed. Explaining that the entire threat landscape has changed would be equally useless. The question that I really needed to answer was why security professionals (myself included) aren't connecting better with our audience to make them more sensitive about how to protect themselves?

One approach to security that has long been used in the law enforcement community is the use of fear -- a tactic that is only marginally effective when it comes to computer security. There is a vast difference between explaining the dangers of a loaded weapon in the hands of a teenager, and the dangers of an unsecured computer. People simply don’t put the same stock in computer security as they do in physical security. 

Another approach to security education is the use of uncertainty. As security practitioners, we have known for years that you can never build a 100% secure system. So, how do we reconcile that concept and still question users about their certainty about computer security? 

A very popular approach to security education is that of doubt. However, using doubt as an educational tool only makes us look like a bunch of arrogant know-it-alls. So, the three most ineffective methods available are Fear, Uncertainty, and Doubt, or FUD, as they are affectionately known in the security community.

The new normal: multi-factor by force?
The real problem is finding a way to make the end-user -- co-workers, friends, or family -- more active in their own security posture. Humor is one possibility though, while a witty approach (think John Stewart or Stephen Colbert) may be effective on TV or in comedy clubs, a funny joke or humorous anecdote won’t necessarily deliver a teachable moment that crosses cultures and is universally understood.

A new method of engaging users is "gamification," where security experts offer security education as a game to be played, complete with small rewards for correct responses. This can be fun and engaging in the short-term, but like most games, most people walk away from the gaming table and go back to their normal lives, forgetting the lessons of the game.

Right now, if a credit card is compromised, the user is not liable for any fraudulent charges. This is a good policy, as many of the credit card breaches are no fault of the user. But what about security breaches where the user is partially responsible? I’m thinking specifically of the common practice of using weak passwords on websites, which is a major attack vector for identity theft. Perhaps this can be the first step towards a more security-conscious society.

More aggressively, we are starting to see movement towards mandatory multi-factor authentication, as evidenced by the fingerprint reader on the latest iPhone.  (Thanks, Apple, for making multi-factor cool.) Some banking sites have implemented mandatory multi-factor login as well. An industry-wide use of "multi-factor by force" is exactly what is needed. I say this not to simply shift our users’ mindset, but to make it part of a new normal Internet behavior. 

If we can make multi-factor a part of the new security landscape rather than using FUD as part of the threat landscape, maybe that small, but necessary shift, will make users more receptive to changes that will protect them. As time progresses, this new user-awareness could have a wonderfully cascading effect of making people stop and think before clicking a malicious link or using a free security product. 

Or am I being too optimistic? 

Bob Covello is a 20-year technology veteran who is passionate about security-related topics.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/29/2014 | 9:58:08 AM
Too optimistic about multi-factor authentication 'by force'
I'll bite. Yes, Bob. I think you are being too optimistic. True, I've been hearing a lot lately about the death of passwords and the rise of multi-factor authentication. But that technology has been around for a long time. What's different now? 
<<   <   Page 2 / 2
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7896
Published: 2015-03-03
Multiple cross-site scripting (XSS) vulnerabilities in HP XP P9000 Command View Advanced Edition Software Online Help, as used in HP Device Manager 6.x through 8.x before 8.1.2-00, HP XP P9000 Tiered Storage Manager 6.x through 8.x before 8.1.2-00, HP XP P9000 Replication Manager 6.x and 7.x before ...

CVE-2014-9283
Published: 2015-03-03
The BestWebSoft Captcha plugin before 4.0.7 for WordPress allows remote attackers to bypass the CAPTCHA protection mechanism and obtain administrative access via unspecified vectors.

CVE-2014-9683
Published: 2015-03-03
Off-by-one error in the ecryptfs_decode_from_filename function in fs/ecryptfs/crypto.c in the eCryptfs subsystem in the Linux kernel before 3.18.2 allows local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted filename.

CVE-2015-0656
Published: 2015-03-03
Cross-site scripting (XSS) vulnerability in the login page in Cisco Network Analysis Module (NAM) allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Bug ID CSCum81269.

CVE-2015-0890
Published: 2015-03-03
The BestWebSoft Google Captcha (aka reCAPTCHA) plugin before 1.13 for WordPress allows remote attackers to bypass the CAPTCHA protection mechanism and obtain administrative access via unspecified vectors.

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.