Operations // Identity & Access Management
09:08 AM
Bob Covello
Bob Covello
Connect Directly

The Scariest End-User Security Question: What Changed?

Hitting employees over the head with fear, uncertainty, and doubt does little to help protect them from security threats. Is multi-factor authentication "by force" a better approach?

The other day, I was chatting with a friend who did not understand why she was all of a sudden having a problem connecting remotely to her office computer. I asked her what security product she had on her home machine, and she named one of the free products on the market. Of course, this caused me to shudder, as I thought everyone knew the phrase, "You get what you pay for."  

The conversation did not end there, however. My friend went on to say that she has been using the same laptop with the same settings for nine months "and it has been working fine." She then asked one the scariest questions that anyone could ask a security professional: "What changed?"

My mind raced through all of the answers that I wanted to tell her:

  • Nine months ago, Target was doing a happy retail business with no thought of a 110 million customer account breach. 
  • Nine months ago, Adobe was merely providing some software to 150 million users. 
  • Nine months ago, Ed Snowden was just a simple sub-contractor working for a government agency. 

While all this was swimming in my head, I realized that hitting the end-user over the head with everything that has gone wrong would probably do little to make her understand why her remote access had mysteriously changed. Explaining that the entire threat landscape has changed would be equally useless. The question that I really needed to answer was why security professionals (myself included) aren't connecting better with our audience to make them more sensitive about how to protect themselves?

One approach to security that has long been used in the law enforcement community is the use of fear -- a tactic that is only marginally effective when it comes to computer security. There is a vast difference between explaining the dangers of a loaded weapon in the hands of a teenager, and the dangers of an unsecured computer. People simply don’t put the same stock in computer security as they do in physical security. 

Another approach to security education is the use of uncertainty. As security practitioners, we have known for years that you can never build a 100% secure system. So, how do we reconcile that concept and still question users about their certainty about computer security? 

A very popular approach to security education is that of doubt. However, using doubt as an educational tool only makes us look like a bunch of arrogant know-it-alls. So, the three most ineffective methods available are Fear, Uncertainty, and Doubt, or FUD, as they are affectionately known in the security community.

The new normal: multi-factor by force?
The real problem is finding a way to make the end-user -- co-workers, friends, or family -- more active in their own security posture. Humor is one possibility though, while a witty approach (think John Stewart or Stephen Colbert) may be effective on TV or in comedy clubs, a funny joke or humorous anecdote won’t necessarily deliver a teachable moment that crosses cultures and is universally understood.

A new method of engaging users is "gamification," where security experts offer security education as a game to be played, complete with small rewards for correct responses. This can be fun and engaging in the short-term, but like most games, most people walk away from the gaming table and go back to their normal lives, forgetting the lessons of the game.

Right now, if a credit card is compromised, the user is not liable for any fraudulent charges. This is a good policy, as many of the credit card breaches are no fault of the user. But what about security breaches where the user is partially responsible? I’m thinking specifically of the common practice of using weak passwords on websites, which is a major attack vector for identity theft. Perhaps this can be the first step towards a more security-conscious society.

More aggressively, we are starting to see movement towards mandatory multi-factor authentication, as evidenced by the fingerprint reader on the latest iPhone.  (Thanks, Apple, for making multi-factor cool.) Some banking sites have implemented mandatory multi-factor login as well. An industry-wide use of "multi-factor by force" is exactly what is needed. I say this not to simply shift our users’ mindset, but to make it part of a new normal Internet behavior. 

If we can make multi-factor a part of the new security landscape rather than using FUD as part of the threat landscape, maybe that small, but necessary shift, will make users more receptive to changes that will protect them. As time progresses, this new user-awareness could have a wonderfully cascading effect of making people stop and think before clicking a malicious link or using a free security product. 

Or am I being too optimistic? 

Bob Covello is a 20-year technology veteran who is passionate about security-related topics.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
1/29/2014 | 9:58:08 AM
Too optimistic about multi-factor authentication 'by force'
I'll bite. Yes, Bob. I think you are being too optimistic. True, I've been hearing a lot lately about the death of passwords and the rise of multi-factor authentication. But that technology has been around for a long time. What's different now? 
<<   <   Page 2 / 2
Register for Dark Reading Newsletters
White Papers
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
According to industry estimates, about a million new IT security jobs will be created in the next two years but there aren't enough skilled professionals to fill them. On top of that, there isn't necessarily a clear path to a career in security. Dark Reading Executive Editor Kelly Jackson Higgins hosts guests Carson Sweet, co-founder and CTO of CloudPassage, which published a shocking study of the security gap in top US undergrad computer science programs, and Rodney Petersen, head of NIST's new National Initiative for Cybersecurity Education.