Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

10/9/2019
02:00 PM
Lysa Myers
Lysa Myers
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

A Realistic Threat Model for the Masses

For many people, overly restrictive advice about passwords and other security practices is doing more harm than good. Here's why.

I'm one of those people who has made fun of password books for being an example of horrible security practices. But I'm starting to realize that I was wrong. For some people, overly restrictive security advice is doing more harm than good. For those who can't easily navigate more secure solutions, writing a password down and keeping it locked up in your home is far better than reusing passwords.

While threat modeling is something we often ask businesses to do to determine the level of risk posed by certain vulnerabilities, we seldom ask individuals to do the same thing. Instead, we just give everyone the same sort of blanket suggestions, often implying that it's necessary for everyone to protect themselves against state-sponsored attackers.

This can lead to people devaluing threats that realistically could come from within their own homes, such as in the case of domestic abuse, which in this day and age almost invariably includes monitoring the victim, including online. Bottom line: When hurdles are so massive that using computers becomes impossibly difficult, people give up, opting instead to do as little as possible to protect their data and devices.

This is definitely a case where "perfect is the enemy of good."By dissuading people from using more convenient and usable security methods, we're discouraging them from taking any meaningful steps toward a safer Internet experience. Here are a few other examples of things I frequently hear security practitioners warn laypeople against:

Biometrics
Authentication will be a recurring theme here: Usernames and passwords are really not sufficient by themselves anymore, especially because people do such a poor job with them on the whole. We all have dozens (if not hundreds) of accounts that require a login, and it is simply not reasonable to expect people to remember strong, unique passwords for that many accounts.

Many people "solve" this problem by choosing crummy passwords, or reusing one password for every account, both of which are horrible solutions to the problem. Many of us suggest password managers, which can be a great solution for a lot of people. But there's also those security practitioners who pooh-pooh this option because it's "imperfect" to have a single point of failure, or because sometimes password manager products have vulnerabilities, or whatever other frustrating reason.

While biometric authentication can certainly be circumvented, it beats the heck out of using a weak password, reusing a password, or using no password at all.

SMS for 2FA
We've all heard about the various ways that two-factor authentication (2FA) can be broken by a sufficiently determined adversary. That's something for security practitioners to be aware of, so we don't get complacent. But for the average person, a 99% success rate against account takeovers is really quite sufficient. We all need to be using 2FA wherever it's available, in the most secure form we can get. If that form is "just" SMS, it's a whole lot better than just using a username and password alone.

Legacy Security Products
Regardless of what operating system people are on, or what particular type of security product works best for their situation, everyone needs something that helps protect against malicious code. If I had a nickel for every time I heard someone say that "antivirus is dead" because it doesn't detect 100% of new attacks, I'd be having a very fancy lunch right now. I won't even get into the arguments over "next-gen" versus established anti-malware products, or the old trope that "Macs don't get malware," or instances where security products were found to have vulnerabilities.

Charging Cables
The caution against using someone else's charging cables came up again just recently. While I would probably still advise people against charging in any old charging station — particularly ones in public spaces — I wouldn't go so far as to say you should never borrow a charging cable at all. If you trust someone well enough to travel with them, or work with them or something along those lines, you should be OK if you borrow their charging cable.

Frequent Password Updating
"Passwords are like underwear. They should be kept private and changed frequently." I'm delighted to announce that we all need to stop using this underwear analogy. NIST announced two years ago that we need to move away from asking people to periodically change their passwords, or enforcing complexity requirements. While we're at it, can we also stop preventing people from copying and pasting passwords, too? I honestly don't know what threat this is supposed to prevent; in practical application, it only seems to prevent the use of password managers.

I suspect the instinct to tell people why they shouldn't use "imperfect" security practices is, at least in part, to demonstrate how l33t we are. But this practice is making the Internet a much less usable place, and we need to bring that to an end. People should use whatever methods allow them to move the needle toward a safer surfing experience meaningfully, given their own particular threat model.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Can the Girl Scouts Save the Moon from Cyberattack?"

Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Ziyon
100%
0%
Ziyon,
User Rank: Apprentice
10/10/2019 | 5:24:02 PM
Any new technology available in the market?
The Lysa Myers' text meets the market need to be shaken to wake up and face a reality that can no longer be ignored. There are new technologies like iPification that claims to be the future today. It's a matter of early adoption, so we can verify if this technology delivers what they say and compare the benefits.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
4 Security Tips as the July 15 Tax-Day Extension Draws Near
Shane Buckley, President & Chief Operating Officer, Gigamon,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...