
Operations

9/9/2015
10:30 AM
Sergio Galindo
Commentary

Why Everybody Loves (And Hates) Security

Even security professionals hate security. So why do we all harbor so much dislike for something we need so much? And what can we do about it?

For real estate professionals, the common mantra is location, location, location. For IT professionals today, it’s security, security, security.

Computer users, ranging from barely-computer-literate pensioners to IT professionals, all want more of it. Businesses and individuals spend millions of dollars every year on security products and services such as firewalls, anti-virus, and anti-malware software. Yet in the corporate environment, users look for ways to circumvent the company’s security policies. Home users turn off default security features immediately after getting a new device or installing a new OS. Even security professionals hate security.

So why do we all harbor so much dislike for something we need so much?

This love/hate relationship stems from the very nature of security. It exists on a continuum, with absolute security at one end and absolute convenience at the other. When you have more of one, you have less of the other. Lazy creatures that human beings tend to be, we usually prefer convenience to security – that is, until we become the victims of a security breach. Then suddenly, security is our new best friend – again.

Nobody likes jumping through hoops, and that’s frequently what we have to do for the sake of security. Who has never forgotten a password or PIN, or left a smart card at home? All too frequently, we find ourselves locked out of our own accounts or unable to access the files that we need and are authorized to use.

Let’s face it: security is difficult to get right. Misconfigured firewalls, too-aggressive spam filters or anti-virus programs that conflict with our legitimate software programs can make security seem more like a constant source of frustration than a safety net.

Security also makes for more work, both for administrators and for end-users. The latter have to keep up with dozens of different passwords for different purposes, then just about the time you have them all memorized, the security system tells you it’s time to change your password, again. And it has to be at least 12 characters. And it must be a mix of upper and lower case alpha and numeric characters with at least one symbol. By the time you finally figure out a new password that the system will accept, it’s one that you’ll never remember, so what do you do? Write it down – thus negating the whole point of a secure password.

The antithesis of performance

The problem with security is that many see it as ineffective. For instance, some web sites require that you answer “security questions” but the question choices are all things that someone could easily find out with a little research -- your mother’s maiden name or where you went to elementary school. These will keep out the casual random hacker but not anyone who is specifically targeting you. Why work so hard for something that achieves so little?

A little convenience isn’t the only thing that ends up being sacrificed on the altar of the security gods. Security is also the antithesis of performance. It makes sense that security mechanisms are bound to slow down your systems. Checking ACLs to make sure you have the correct permissions, encrypting and decrypting data, running malware scans on programs and files before opening them – all of these actions take up time and resources.

Security is also a demanding taskmaster. Because hackers and attackers are industrious, always coming up with new and better ways to infiltrate networks and computers, always ferreting out previously unknown vulnerabilities in our operating systems, applications and protocols, we can’t just install a good security system and set it and forget it, as we might do with a home alarm system. Instead, we have to be constantly installing new virus and malware definitions and new patches to fix the flaws in code that the bad guys can exploit.

Adding up the costs

Finally, security is expensive. Chances are, most users will buy at least a few security products – anti-virus programs, perhaps a personal firewall. Business organizations spend millions on security in the form of edge devices, perimeter networks (DMZs) to isolate Internet-facing computers from internal systems, security monitoring systems, smart card readers or biometric scanners, and on-staff IT security personnel and/or security consultants, not to mention security awareness training for employees. It adds up fast.

But today we live in an era where security isn’t an option; it’s a must. As much as we hate security, we love what it does for us. Without it, we would experience frequent system crashes from malware, viruses and various attacks. We would often be unable to access the Internet at all, because of denial-of-service attacks. We would be constantly at risk of having our credit card and bank account information, Social Security numbers and other identifiers stolen and used for identity theft or fraud. We wouldn’t be able to keep our sensitive data such as tax returns, brokerage statements, medical records, or personal journals/diaries on our computers without having them exposed to the world.

As high profile security breaches become more frequent, we can expect more and more security measures to be implemented by organizations in self-defense. What hardware and software vendors need to do is focus on ways to increase security that will be easy to deploy for admins and seamlessly integrated for users. To an extent, this is happening. More software development is following the “secure by design” philosophy and building in security from the ground up. That means fewer third party add-ons have to be installed and configured and maintained.

User education is another key. No matter how well your systems enforce password complexity requirements, they’re meaningless if users reveal those complex passwords to others either by carelessly writing them down or when tricked by social engineers. Making users fully understand the reasons behind the various security measures can go a long way toward getting them to take security more seriously.

Future technologies promise to make security much more palatable to admins and users via advanced biometric authentication techniques, faster processing to ameliorate performance hits, and “polymorphic” security that can change and adapt automatically in much the same way polymorphic malware mutates to avoid detection.

Security might not ever be your best friend, and you don’t have to like it. What you have to do is learn to live with it, because it’s always going to be a part of computing. We need to stop looking for ways around it, stop complaining about it, acknowledge its importance, and get on with business.

Sergio Galindo has more than 20 years of global professional IT experience. Prior to his appointment as General Manager of GFI Software, he served as the company's CIO. He also spent 18 years managing global IT programs for large companies in the financial industry, including ...
Comments
TejGandhi1986
10/12/2015 | 3:40:16 PM
Security is holistic
It is an interesting article that is focused on creating an overall culture of security.

Security is a holistic approach. Apart from user education and awareness and logical controls, it is also important to consider the physical security and the implementation of the logical controls that are in place. You can get the best firewalls and IDS, but they will not operate unless configured correctly.

All the logical controls are in place, but let's consider that the door to your server room remains open and somebody unplugs the server and takes it with him.

So security needs to be taken care of from all different directions.

Thanks and Regards

Tej Gandhi

https://ca.linkedin.com/pub/tej-gandhi/2b/a88/a10
Whoopty
9/10/2015 | 7:16:45 AM
Lowest hanging fruit
As much as I think this is an interesting look at security, I think it glosses over why it's important to implement even basic security (even if it truly does use basic info like mother's maiden name). The reason this is important is because with targeted attacks, even the best security can be circumvented, but with more general attacks, all you have to do is run faster (or be more secure) than your friends.

While that might be an everyone-for-themselves mentality, keeping antivirus up to date and using unique and ever-changing passwords will go a long way to keeping people protected day to day.

It might not stop the most nefarious of hackers, but as long as you're off their radar you should be OK anyway.