

07:45 AM

Secure Stage

IT has to get certain details right if they expect users to take security seriously

I don't know about you, but when I'm traveling by air I like to feel rather secure in transit. Understand that I'm not just talking about security from attack – I'd like to think that the airplane isn't going to suddenly decide not to obey the laws of aerodynamics, that the ground crew understood the meaning of "fill 'er up," and that the collection of parts on the inside of the jet engines will remain on the inside of the jet engines. Little things, I know, but they contribute to my sense of happiness and security when I fly.

Bruce Schneier has written about so-called "security theater," and he makes some wonderful points. There are times I think security theater can be a problem, but those occur when the theater takes over from reality – when time and effort are spent on the appearance of security instead of (rather than in addition to) being spent on steps to make something more truly secure.

There's no question that the theater can have a genuine effect. In law enforcement they speak of the broken-window effect. You know this one: If you let the broken windows in an empty building remain unrepaired the neighborhood tends to suffer a spiral of negative effects.

In security we can see similar patterns. Take my local supermarket as an example: A couple of years ago they installed WiFi access points so vendors could connect their laptops to the Internet during inventory checks. To cut down on vendor questions they made large labels with the AP's IP address, MAC address, and SSID and stuck them to the outside of the access point. They hung one labeled AP over the canned vegetables, and another came to rest high above the facial tissue.

I'm not sure if they ever figured out why college students and their laptop computers suddenly started hanging out next to the Charmin, but it made me wonder about the rest of the store's security apparatus – especially the part that handled my debit card information.

The thing that brought all this to mind was our recent wrestling with temporal displacement. I had my own struggles with Daylight Saving Time, but felt certain that most large corporations had dealt gracefully with the transition. That feeling was shattered when I got on an airplane Wednesday (you know, three days after the time change) and found that the "Time at Destination" display hadn't been updated. If you want to know what else this made me question, loop back to the first paragraph for a refresher.

A display of general competence can go a long way towards making users and customers feel good about the way you're going to handle their information. Security training, reminders of security's importance, and simple steps (like not posting user names and passwords on the bulletin board by the front door) can go a long way towards encouraging more secure behavior on the part of your users and discouraging opportunistic bad behavior. I don't think you need to replace your security team with a theater troupe, but acting the part of a competent, security-conscious IT team can be a significant step towards making it true.

— Curt Franklin is an enthusiastic security geek who used to be one of the Power Rangers (the red one, we think). His checkered past includes stints as a security consultant, an IT staffer at the University of Florida, security editor at Network Computing, chief podcaster for CMP Technology, and various editorial positions at places like InternetWeek, Byte, and Hog Monthly. Special to Dark Reading.
