Operations // Identity & Access Management
1/29/2014
09:08 AM
Bob Covello
Bob Covello
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail
100%
0%

The Scariest End-User Security Question: What Changed?

Hitting employees over the head with fear, uncertainty, and doubt does little to help protect them from security threats. Is multi-factor authentication "by force" a better approach?

The other day, I was chatting with a friend who did not understand why she was all of a sudden having a problem connecting remotely to her office computer. I asked her what security product she had on her home machine, and she named one of the free products on the market. Of course, this caused me to shudder, as I thought everyone knew the phrase, "You get what you pay for."  

The conversation did not end there, however. My friend went on to say that she has been using the same laptop with the same settings for nine months "and it has been working fine." She then asked one the scariest questions that anyone could ask a security professional: "What changed?"

My mind raced through all of the answers that I wanted to tell her:

  • Nine months ago, Target was doing a happy retail business with no thought of a 110 million customer account breach. 
  • Nine months ago, Adobe was merely providing some software to 150 million users. 
  • Nine months ago, Ed Snowden was just a simple sub-contractor working for a government agency. 

While all this was swimming in my head, I realized that hitting the end-user over the head with everything that has gone wrong would probably do little to make her understand why her remote access had mysteriously changed. Explaining that the entire threat landscape has changed would be equally useless. The question that I really needed to answer was why security professionals (myself included) aren't connecting better with our audience to make them more sensitive about how to protect themselves?

One approach to security that has long been used in the law enforcement community is the use of fear -- a tactic that is only marginally effective when it comes to computer security. There is a vast difference between explaining the dangers of a loaded weapon in the hands of a teenager, and the dangers of an unsecured computer. People simply don’t put the same stock in computer security as they do in physical security. 

Another approach to security education is the use of uncertainty. As security practitioners, we have known for years that you can never build a 100% secure system. So, how do we reconcile that concept and still question users about their certainty about computer security? 

A very popular approach to security education is that of doubt. However, using doubt as an educational tool only makes us look like a bunch of arrogant know-it-alls. So, the three most ineffective methods available are Fear, Uncertainty, and Doubt, or FUD, as they are affectionately known in the security community.

The new normal: multi-factor by force?
The real problem is finding a way to make the end-user -- co-workers, friends, or family -- more active in their own security posture. Humor is one possibility though, while a witty approach (think John Stewart or Stephen Colbert) may be effective on TV or in comedy clubs, a funny joke or humorous anecdote won’t necessarily deliver a teachable moment that crosses cultures and is universally understood.

A new method of engaging users is "gamification," where security experts offer security education as a game to be played, complete with small rewards for correct responses. This can be fun and engaging in the short-term, but like most games, most people walk away from the gaming table and go back to their normal lives, forgetting the lessons of the game.

Right now, if a credit card is compromised, the user is not liable for any fraudulent charges. This is a good policy, as many of the credit card breaches are no fault of the user. But what about security breaches where the user is partially responsible? I’m thinking specifically of the common practice of using weak passwords on websites, which is a major attack vector for identity theft. Perhaps this can be the first step towards a more security-conscious society.

More aggressively, we are starting to see movement towards mandatory multi-factor authentication, as evidenced by the fingerprint reader on the latest iPhone.  (Thanks, Apple, for making multi-factor cool.) Some banking sites have implemented mandatory multi-factor login as well. An industry-wide use of "multi-factor by force" is exactly what is needed. I say this not to simply shift our users’ mindset, but to make it part of a new normal Internet behavior. 

If we can make multi-factor a part of the new security landscape rather than using FUD as part of the threat landscape, maybe that small, but necessary shift, will make users more receptive to changes that will protect them. As time progresses, this new user-awareness could have a wonderfully cascading effect of making people stop and think before clicking a malicious link or using a free security product. 

Or am I being too optimistic? 

Bob Covello is a 20-year technology veteran who is passionate about security-related topics.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/29/2014 | 9:58:08 AM
Too optimistic about multi-factor authentication 'by force'
I'll bite. Yes, Bob. I think you are being too optimistic. True, I've been hearing a lot lately about the death of passwords and the rise of multi-factor authentication. But that technology has been around for a long time. What's different now? 
<<   <   Page 2 / 2
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-4403
Published: 2015-04-24
Multiple cross-site request forgery (CSRF) vulnerabilities in Zen Cart 1.3.9h allow remote attackers to hijack the authentication of administrators for requests that (1) delete a product via a delete_product_confirm action to product.php or (2) disable a product via a setflag action to categories.ph...

CVE-2012-2930
Published: 2015-04-24
Multiple cross-site request forgery (CSRF) vulnerabilities in TinyWebGallery (TWG) before 1.8.8 allow remote attackers to hijack the authentication of administrators for requests that (1) add a user via an adduser action to admin/index.php or (2) conduct static PHP code injection attacks in .htusers...

CVE-2012-2932
Published: 2015-04-24
Multiple cross-site scripting (XSS) vulnerabilities in TinyWebGallery (TWG) before 1.8.8 allow remote attackers to inject arbitrary web script or HTML via the (1) selitems[] parameter in a copy, (2) chmod, or (3) arch action to admin/index.php or (4) searchitem parameter in a search action to admin/...

CVE-2012-5451
Published: 2015-04-24
Multiple stack-based buffer overflows in HttpUtils.dll in TVMOBiLi before 2.1.0.3974 allow remote attackers to cause a denial of service (tvMobiliService service crash) via a long string in a (1) GET or (2) HEAD request to TCP port 30888.

CVE-2015-0297
Published: 2015-04-24
Red Hat JBoss Operations Network 3.3.1 does not properly restrict access to certain APIs, which allows remote attackers to execute arbitrary Java methos via the (1) ServerInvokerServlet or (2) SchedulerService or (3) cause a denial of service (disk consumption) via the ContentManager.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.