Operations // Identity & Access Management
1/29/2014
09:08 AM
Bob Covello
Bob Covello
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail
100%
0%

The Scariest End-User Security Question: What Changed?

Hitting employees over the head with fear, uncertainty, and doubt does little to help protect them from security threats. Is multi-factor authentication "by force" a better approach?

The other day, I was chatting with a friend who did not understand why she was all of a sudden having a problem connecting remotely to her office computer. I asked her what security product she had on her home machine, and she named one of the free products on the market. Of course, this caused me to shudder, as I thought everyone knew the phrase, "You get what you pay for."  

The conversation did not end there, however. My friend went on to say that she has been using the same laptop with the same settings for nine months "and it has been working fine." She then asked one the scariest questions that anyone could ask a security professional: "What changed?"

My mind raced through all of the answers that I wanted to tell her:

  • Nine months ago, Target was doing a happy retail business with no thought of a 110 million customer account breach. 
  • Nine months ago, Adobe was merely providing some software to 150 million users. 
  • Nine months ago, Ed Snowden was just a simple sub-contractor working for a government agency. 

While all this was swimming in my head, I realized that hitting the end-user over the head with everything that has gone wrong would probably do little to make her understand why her remote access had mysteriously changed. Explaining that the entire threat landscape has changed would be equally useless. The question that I really needed to answer was why security professionals (myself included) aren't connecting better with our audience to make them more sensitive about how to protect themselves?

One approach to security that has long been used in the law enforcement community is the use of fear -- a tactic that is only marginally effective when it comes to computer security. There is a vast difference between explaining the dangers of a loaded weapon in the hands of a teenager, and the dangers of an unsecured computer. People simply don’t put the same stock in computer security as they do in physical security. 

Another approach to security education is the use of uncertainty. As security practitioners, we have known for years that you can never build a 100% secure system. So, how do we reconcile that concept and still question users about their certainty about computer security? 

A very popular approach to security education is that of doubt. However, using doubt as an educational tool only makes us look like a bunch of arrogant know-it-alls. So, the three most ineffective methods available are Fear, Uncertainty, and Doubt, or FUD, as they are affectionately known in the security community.

The new normal: multi-factor by force?
The real problem is finding a way to make the end-user -- co-workers, friends, or family -- more active in their own security posture. Humor is one possibility though, while a witty approach (think John Stewart or Stephen Colbert) may be effective on TV or in comedy clubs, a funny joke or humorous anecdote won’t necessarily deliver a teachable moment that crosses cultures and is universally understood.

A new method of engaging users is "gamification," where security experts offer security education as a game to be played, complete with small rewards for correct responses. This can be fun and engaging in the short-term, but like most games, most people walk away from the gaming table and go back to their normal lives, forgetting the lessons of the game.

Right now, if a credit card is compromised, the user is not liable for any fraudulent charges. This is a good policy, as many of the credit card breaches are no fault of the user. But what about security breaches where the user is partially responsible? I’m thinking specifically of the common practice of using weak passwords on websites, which is a major attack vector for identity theft. Perhaps this can be the first step towards a more security-conscious society.

More aggressively, we are starting to see movement towards mandatory multi-factor authentication, as evidenced by the fingerprint reader on the latest iPhone.  (Thanks, Apple, for making multi-factor cool.) Some banking sites have implemented mandatory multi-factor login as well. An industry-wide use of "multi-factor by force" is exactly what is needed. I say this not to simply shift our users’ mindset, but to make it part of a new normal Internet behavior. 

If we can make multi-factor a part of the new security landscape rather than using FUD as part of the threat landscape, maybe that small, but necessary shift, will make users more receptive to changes that will protect them. As time progresses, this new user-awareness could have a wonderfully cascading effect of making people stop and think before clicking a malicious link or using a free security product. 

Or am I being too optimistic? 

Bob Covello is a 20-year technology veteran who is passionate about security-related topics.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/29/2014 | 9:58:08 AM
Too optimistic about multi-factor authentication 'by force'
I'll bite. Yes, Bob. I think you are being too optimistic. True, I've been hearing a lot lately about the death of passwords and the rise of multi-factor authentication. But that technology has been around for a long time. What's different now? 
<<   <   Page 2 / 2
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7402
Published: 2014-12-17
Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allow remote attackers to cause a denial of service (crash) via a crafted ICAP request.

CVE-2014-5437
Published: 2014-12-17
Multiple cross-site request forgery (CSRF) vulnerabilities in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) enable remote management via a request to remote_management.php,...

CVE-2014-5438
Published: 2014-12-17
Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allows remote authenticated users to inject arbitrary web script or HTML via the computer_name parameter to connected_devices_computers_edit.php.

CVE-2014-7170
Published: 2014-12-17
Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service.

CVE-2014-7285
Published: 2014-12-17
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.