Humans Continue To Be "Weak Link" In Data Security
ChiefMonkeyGrinder writes "Nearly 90 percent of IT workers in the UK have said a laptop in their organization has been reported lost or stolen, new research has found. Sixty-one percent said that this then resulted in a data breach, according to the '2010 Human Factor in Laptop Encryption Study: United Kingdom,' a report produced by the Ponemon Institute for Absolute Software."
I guess for security, forgetting is best. :P
If only there was a way to remove humans from the equation ... can you say Skynet?
I noticed that browsers have a neat habit of storing usernames that you've used on various sites, and help pre-fill the username field with that information.
It would be much more helpful if those usernames didn't bleed across servers; it would really cut down on potential exploits, and it helps me remember which one of my usernames for a given site is correct (especially before I crack open the encrypted volume to look up the real username/password combo).
Strong password requirements are a big part of the problem. We can teach people how to make more complicated passwords. But the draconian policies set by some sites make it almost impossible to maintain any degree of security. Make the password requirement difficult enough, and people HAVE to write it down and keep it in an insecure location just to make it usable.
Bosses are human too. If you're giving data to the untrustworthy, that's YOUR failure as a manager in data security.
If you're giving data to people who have been shown no loyalty, yet you expect loyalty from them, that is YOUR failure as a manager in data security.
If you're demanding results and won't take "that is not safe" as an answer (cf the passwords of a US city network), that is YOUR failure as a manager in data security.
The weakest link in the chain is usually the one with least to trouble themselves with the problems and the greatest power to demand.
The Boss.
I'm tired of seeing articles which talk about IT "professionals" who don't even know how to use encryption.
It's not hard, it's more a matter of people not wanting to have any security because then they don't have to hire actual professionals who might cost a bit more.
Nine out of Ten lost or stolen in the UK? I have to wonder if seeing abandoned laptops lying around is commonplace there. I don't think I have ever seen a "lost" computer just waiting for me to pick it up. There must be something about the culture that only 10% of the population can keep track of their gadgets. I am reminded of people you see on the beach with metal detectors trying to find lost and dropped jewelry and coins. I may have to make a trip to the UK and ride trains looking for discarded hardware.
There are two kinds of fool. One says, This is old, and therefore good. And one says, This is new, and therefore better.
Any procedure, any system, any protocol, anything fails 9 out of 10 times due to human error. Why we let these insecure parts remain a critical part in anything is beyond me.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Like what? The code for the project I'm working on? Or are you suggesting I encrypt my entire production database that I can access over a VPN from my notebook?
If you have shit on your laptop that needs encryption, you aren't a professional.
the Ponemon Institute
Laptops: gotta steal 'em all.
I really fail to see why so many of these companies fail to use common sense. The first thing we do as an IT staff in my organization with laptops is encrypt them. Use something like TrueCrypt, enable full drive encryption and set a good password. Laptop gets stolen? You're out the cost of the physical hardware that was taken from you... but the data that was on the machine? You can rest easy that you took every precaution you could to keep it safe. Of course, I work in the health care field so any laptops, tablets, netbooks etc. that have any ePHI (Electronic Protected Health Information) have to be secured. We just take our security practices a step further and do it to all of them. Which is worse? Having your users gripe a bit about an extra password? Or having data stolen? It's saved us once already as a laptop was stolen last year on a business trip.
Humans may be the weak link in information security, but the information is only useful to humans, so it's not as if we can remove ourselves from the system. Well, we could, and then go back to invisible inks, hand ciphers and cars that actually stop, but these days people probably wouldn't want to do that.
You keep your password on a private document in your pocket, you can use a stronger password, and it's a lot harder to lose both your laptop and your password.
If you do lose one, it's easy to take steps to blacklist the other. You can even use some trivial obfuscation in recording the password so that even if someone gets it, they won't be able to figure out your password.
Example:
awfuieri3v
4u9388535v
v9tv379vn7
mc20884v05
That's just gibberish, but I could easily write that matrix down on a piece of paper, and then pick a path to take through it (it doesn't even have to be a complicated one; for example I could just use columns 2, 4, and 6) and there's not really much chance that someone's going to find my password. Of course there are even better examples where it's not even obvious that you're looking at a password matrix.
IT workers != IT professionals. The marketing director's admin does IT work for him; she is not a professional IT technician. Laptops AFAIK are not given out to those that deserve them so much as those who can't be required to sit in an office all day. Think about this for a minute. Are the tech savvy people in the office or on the road?
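As an added illustration (my code, not the commenter's): a short Python script that reads a password out of a grid like the one above by a chosen column path, and then counts how many such paths exist, which is the work factor an attacker actually faces once the piece of paper is found. The grid is the one in the post; the reading model (row by row, columns only, any ordered selection of columns) is my assumption.

```python
import math
import secrets
import string

# The commenter's 4 x 10 grid, copied from the post above.
GRID = [
    "awfuieri3v",
    "4u9388535v",
    "v9tv379vn7",
    "mc20884v05",
]

ALPHABET = string.ascii_lowercase + string.digits


def extract_columns(grid, columns):
    """Recover the password by reading the chosen 1-indexed columns row by row,
    i.e. the path the commenter describes (columns 2, 4 and 6 in the post)."""
    return "".join(row[c - 1] for row in grid for c in columns)


def make_grid(rows=4, width=10):
    """Generate a fresh random grid of the same shape to write down.
    Every cell is independently random, so the sheet itself reveals nothing
    about which cells belong to the path."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(width))
            for _ in range(rows)]


def ordered_column_paths(width):
    """Number of distinct ordered column selections of length 1..width.
    Under the assumed row-major, columns-only reading rule this is the whole
    search space for someone who holds the paper."""
    return sum(math.perm(width, k) for k in range(1, width + 1))


def path_bits(width):
    """Secret entropy of the path, in bits, under the model above."""
    return math.log2(ordered_column_paths(width))


def random_password_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password of the same length, for comparison."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = extract_columns(GRID, [2, 4, 6])
    print("recovered password:", pw)  # wueu389v7c08
    print("ordered column paths in a 10-wide grid:", ordered_column_paths(10))
    print("path secret: %.1f bits" % path_bits(10))
    print("same-length random password: %.1f bits" % random_password_bits(len(pw)))
```

The numbers make the trade-off concrete: against someone who never sees the paper, the 12-character result is worth about 62 bits, but once the paper is found the remaining secret is the path, roughly 23 bits under this model (plus whatever it costs the finder to guess the reading rule). The sheet therefore still has to be treated as a secret, as the commenter's next sentence implies, and losing it is a reason to rotate the password.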
Support NYCountryLawyer RIAA vs People
Security on your laptop is a human error. This means due to clumsiness, is a laptop could talk and say someone stole it. -Turning Winds
This is news?
Can't agree more. Encryption is such a basic and fundamental requirement that if your security team isn't working on a way to encrypt your data now, they should have it already done.
A question that should be asked more often than it currently is, is why do you need this data on an easily stolen device? For example, why do customer records need to be on a laptop? Why is this confidential document on a USB stick?
In my work place, no one can transfer anything off our internal network via data transfer. USB sticks will not be detected by machines. There are no open ethernet cables, so if you try to connect a laptop to the cable running into your machine, it won't work. If anyone wants anything taken from the network, they need to raise a request and then, if it's granted, they will get the data encrypted and placed on a USB stick or laptop of their choice. We have a record of where things were taken from, when they were, requested by whom, authorised by whom. Users may find it slightly inconvenient, but our data is secure and controlled, and even in the event of a lost laptop or USB stick, we know that it's encrypted to a high standard.
There is no -1 disagree
You ARE the weakest link. Goodbye.
I really enjoyed that episode of Doctor Who. Now I'm a little scared.
Wargames.
Finally had enough. Come see us over at https://soylentnews.org/
> Any procedure, any system, any protocol, anything fails 9 out of 10 times due to human error. Why we let these insecure parts remain a critical part in anything is beyond me.
JohnnyCab!
Set your phasers on "funky"!
In other news, carbon based lifeforms require nutritional sustenance.
Come on people! Enough of these filler stories!
I'm not saying there aren't plenty of places that encryption is useful security, but I see it far oversold as a panacea. That something is encrypted doesn't mean it is secure. A great example of that would be copy protected games or movies. They use encryption to secure their data. Often it is quite good encryption. AACS uses 128-bit AES crypto; doesn't get much stronger or more tested than that. Yet, it is all for naught. Games are cracked, Blu-Rays are copied and so on. Why? Well, because the decryption key is on the disc somewhere. Obfuscate all you like, if the key is there you are screwed.
Same deal with encryption in terms of security for your data. Encryption is useful for data in transit over insecure channels, the Internet being the main one. So long as only your computer and the remote computer have the key, there'll be no snooping on what is going on. Encryption is also useful against physical theft in the case of a laptop or something. If they grab the computer but can't get the password (and the computer isn't logged in or the like) then they can't get the data.
However encryption isn't useful a whole lot outside of that. For example encrypting data on your desktop won't do much against a remote attack. You have to get in to said data and so when you decrypt it, the key and/or data can be captured. You'd be just as well off with unencrypted data overall. Likewise encryption does little to nothing against a social engineering type of attack.
So I'm not saying "Don't use encryption," just that you should think about when to use it, if it is doing any good. Don't sell encryption as something you need to always do, because it isn't useful and can lead to a false sense of security.
Skynet
Okay seriously I've just run out of pointless things to say.
> If you have shit on your laptop that needs encryption, you aren't a professional.
Yeah, you might instead be one of those Human Rights workers or similar, in one of those repressive countries.
Then you would need encryption to keep other people alive in case they decide to pick on you.
The rest of the world probably doesn't realize that information espionage mostly depends on users failing to think while performing routine actions (which is normal for anyone performing routine actions that are abstractions) and so accidentally infecting their computers or getting phished.
This is not obvious the same way as a study finding that morbidly obese people eat more and move less. I think that the tag is condescending and closed minded in this instance.
It's funny when you go to the trouble of encrypting a laptop and then see they have their user name and password taped to the bottom. It's also funny when the encryption software bricks the laptop. I'm looking at you, McAfee.
"I'm not a quack, I'm a mad scientist! There's a difference." - Dr. Cockroach
Reported to whom? Internally or externally?
If this is meant to be a statement that only 90 percent of companies have lost a laptop then the other 1 percent are lying. Loss is one thing, reporting is quite another matter.
...without strong countermeasures to prevent the data from being exploited?
I guess I don't understand why, if some chunk of data is critically important, the organization would allow it to be dragged out of the office on a laptop. The data should be required to stay in the office with access from outside the office only on a business-critical basis and with strong security requirements (i.e., VPN-only accessible terminal server, all using RSA tokens).
And if it MUST go out of the office on a laptop, why aren't very strong encryption measures being taken into consideration, including whole-disk encryption with failed-access data wiping?
I see so many people with laptops who don't really need portability. Most of the time they have a laptop because it's a token of their importance to the organization or some kind of freebie (they have a desktop, too, but the laptop is so they can "work from home" but is really just a free home computer).
The other thing weird about this is that 61% of the lost laptops resulted in a security breach! Most of the people I've dealt with who had laptops were by and large wankers with company data of interest to almost no one; at worst you might be able to reverse a cached password or raid the browser passwords for something trivial.
And who is stealing laptops? In the US, a lot of that theft is just petty theft for quick cash -- drug addicts, gang members, losers looking for something they can pawn or turn on the street for $200. It's really not info security experts.
People just neglect to show proper care for something unless they spent their hard-earned money on it... it's just human nature. One thing we do at my job: we use a service called MaaS360 by Fiberlink.
Pretty sick console with a ton of security features and reporting functions... the best thing about this tool is that we can see people outside of the VPN even if they are connecting through a wi-fi hotspot or home router. We have full visibility and can pull reports and manage applications and data as well through this console.
... is because computers do exactly what they are told to do.
Absolute Software - The absolute best way to track, manage and protect your digital world.
Tracking software to aid recovery of lost or stolen computers. Also software for hardware/software inventory and software license management.
There's a reason why Absolute Software is talking this up...
Just sayin'
> Encryption is such a basic and fundamental requirement that if you're security team isn't working on a way to encrypt your data now, they should have it already done.
You're missing the point of the article - It's saying that encryption isn't a panacea because of the human factor - People write down passwords, put their tokens in their laptop bags etc.
If you know nothing about the password at all, yes it can be more secure. However, if you know it is a passphrase, then you can work on it as such. Rather than brute forcing using character combinations, you use word combinations. Maybe your program also has grammar rules in it so it can make more intelligent choices in words. Of course against that you can start doing letter substitution, but then you start having complexity problems again and so on. Also there's the problem of someone finding out your password: if it is very complex, even if they see it they may not be able to remember it, but a phrase may be no problem. Etc.
What it comes down to is there's only so secure a password can be. How secure largely depends on the individual. Some people can handle long, complex, passwords. Others need things real simple.
Hence why, as I noted in another post, if the data you are securing is really so important, get two factor security. You can't force humans to be good with passwords so don't try. Use passwords as a part of a better security solution.
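The search-space argument in the comment above, worked through as an added example (my code, not the commenter's): the same passphrase is costed three ways, as if the attacker knew nothing but its length and alphabet, as if they knew it was made of dictionary words, and with optional letter substitutions on top. The dictionary size, the substitution table and the "grammar factor" are constructed assumptions, not figures from the thread.

```python
import math

# Constructed model parameters (assumptions, not figures from the thread).
LOWER_AND_SPACE = 27       # a-z plus the space between words
DICTIONARY_WORDS = 8000    # size of the wordlist the guesser is assumed to use
LEET_SWAPS = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}


def char_bits(length, alphabet_size):
    """Search space (bits) when the attacker knows only the length and the alphabet."""
    return length * math.log2(alphabet_size)


def word_bits(word_count, dictionary_size, grammar_factor=1.0):
    """Search space (bits) when the attacker knows it is a passphrase of
    word_count words from a dictionary_size wordlist. grammar_factor < 1 models
    a guesser that only tries word orders its grammar rules consider plausible."""
    return math.log2((dictionary_size ** word_count) * grammar_factor)


def substitution_bits(phrase, swaps=LEET_SWAPS):
    """Extra bits from optional letter substitutions: each substitutable letter
    is either swapped or not (1 bit each), assuming the table itself is known."""
    return sum(1 for ch in phrase if ch in swaps)


def apply_substitutions(phrase, swaps=LEET_SWAPS):
    """Swap every substitutable letter; the 'complexity problem' the comment
    mentions is that this variant is much harder to remember than the phrase."""
    return "".join(swaps.get(ch, ch) for ch in phrase)


def compare(phrase, dictionary_size=DICTIONARY_WORDS, grammar_factor=1.0):
    """Return the three cost estimates, in bits, for one passphrase."""
    words = len(phrase.split())
    as_words = word_bits(words, dictionary_size, grammar_factor)
    return {
        "treated_as_random_chars": char_bits(len(phrase), LOWER_AND_SPACE),
        "treated_as_passphrase": as_words,
        "passphrase_with_substitutions": as_words + substitution_bits(phrase),
    }


if __name__ == "__main__":
    for name, bits in compare("correct horse battery staple").items():
        print("%-32s %.1f bits" % (name, bits))
    print(apply_substitutions("correct horse battery staple"))
```

For the sample phrase the attacker who knows nothing faces about 133 bits, the one who knows it is four dictionary words faces about 52, and adding substitutions buys back only about 10 more while making the string much harder to remember, which is the comment's point: the attacker's knowledge of how the password was built, not its raw length, sets the real cost.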
The professional only needs to ask two questions ....
1st question: why have you got sensitive data on your laptop ?
2nd question: if you have (or might have) sensitive data on your laptop, why is it not encrypted?
In my experience the people who "have to" have sensitive data on their laptops generally don't have to ...
and the people who have sensitive data on their laptops always come up with poor reasons why they don't want encryption ...
Blue window of death
You can have your shit locked down 6 billion ways to Sunday.
The minute you introduce the human element into it, you have a massive security hole that can be patched, but NEVER closed.
You can train and train and train. Ennui sets in and their brains shut off after a while.
You can have the most draconian policies regarding proper usage. People will still circumvent it, accidentally or deliberately.
You can fire people. It just creates ill will and the damage is already done.
And, if it happens to be the owner of the company doing the circumvention there's jack and shit you can do about it.
I'm sorry, but anyone who tells you that security is about "keeping the bad guys out" is SELLING YOU SOMETHING (see: "How much for my large and stinky pile of crap?"). Nothing more.
Security is about putting enough roadblocks in place that attackers begin looking for easier targets so they can maximize their returns on time invested.
If someone wants into your systems bad enough, THEY WILL GET IN. Period.
The job of security is to make this interval as long as possible so they can maximize the chances of catching them before they get in or forcing them into something spectacular and HIGHLY traceable.
Chas - The one, the only.
THANK GOD!!!
You had me at 'at all'.
Why allow important data on laptops at all? Why not simply require that sensitive data only be accessed remotely? You can solve this problem with VNC. There are a very few situations where it is impossible to get internet access sufficient to use a computer remotely. In these few situations, a whole-disk-encrypted system can be used, which won't solve every problem (as this article indicates) but will at least narrow things down considerably. But in most cases, there's no actual need for the data to be on the laptop at all.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Read "The Art of Deception" by Kevin Mitnick. In this book he explains and provides examples of the human factor of security, and how we are indeed the weakest link.
We get people responding to this kind of phishing message all the time, to a helpdesk@yahoo.com.hk address.
We haven't had quotas in like 6 years.
---
The Helpdesk Program that periodically checks the size of your e-mail space is
sending you this information. The program runs weekly to ensure your
inbox does not grow too large, thus preventing you from receiving or sending new e-mail.
As this message is being sent, you have 18 megabytes (MB) or more stored in
your inbox. To help us reset your space in our database, please enter your
current user name () password
()
You will receive a periodic alert if your inbox size is between 18 and 20 MB.
If your inbox size is 20 MB, a program on your Webmail will move your
oldest e-mails to a folder in your home directory to ensure you can continue receiving
incoming e-mail. You will be notified if this has taken place.
If your inbox grows to 25 MB, you will be unable to receive new e-mail and it
will be returned to sender. All this is programmed to ensure your e-mail
continues to function well.
Thank you for your cooperation.
Help Desk
This message was sent using IMP, the Internet Messaging Program.
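The message quoted above is a good test input for a simple credential-phishing heuristic, so here is one as an added example (my code, not the commenter's or their helpdesk's): it parses the mail, flags a Reply-To domain that differs from the From domain, a request to enter a password, blank fill-in fields and a threatened loss of service, and totals a score. The headers around the quoted body are constructed (the organization domain example.org is assumed; the yahoo.com.hk reply address is the one the commenter mentions), and the benign quota notice is constructed as a control.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the phishing body quoted in the post, wrapped in
# made-up headers. The Reply-To domain is the one the commenter mentions.
PHISH = """\
From: Help Desk <helpdesk@example.org>
Reply-To: helpdesk@yahoo.com.hk
Subject: Your mailbox quota

The Helpdesk Program that periodically checks the size of your e-mail space is
sending you this information. The program runs weekly to ensure your
inbox does not grow too large, thus preventing you from receiving or sending new e-mail.
As this message is being sent, you have 18 megabytes (MB) or more stored in
your inbox. To help us reset your space in our database, please enter your
current user name () password
()
If your inbox grows to 25 MB, you will be unable to receive new e-mail and it
will be returned to sender. All this is programmed to ensure your e-mail
continues to function well.
Thank you for your cooperation.
Help Desk
"""

# Constructed control: a real quota reminder that asks for nothing.
BENIGN = """\
From: IT Operations <it-ops@example.org>
Subject: Mailbox quota reminder

Your mailbox is at 18 MB of its 20 MB quota. Older messages will be archived
automatically; no action is needed, and IT will never ask for your password by e-mail.
"""

CREDENTIAL_RE = re.compile(
    r"\b(enter|provide|confirm|send)\b.{0,40}\b(password|user ?name)\b",
    re.IGNORECASE | re.DOTALL)
BLANK_FIELD_RE = re.compile(r"\(\s*\)")
THREAT_RE = re.compile(
    r"unable to receive|returned to sender|account will be (closed|suspended)",
    re.IGNORECASE)
SUSPICIOUS_THRESHOLD = 5


def domain_of(header_value):
    """Lower-cased domain part of an address header, '' if the header is absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def score_message(raw):
    """Return (score, reasons) for one RFC 822 text; higher means more phish-like."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    score, reasons = 0, []
    from_dom, reply_dom = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        score += 3
        reasons.append("Reply-To domain %s differs from From domain %s" % (reply_dom, from_dom))
    if CREDENTIAL_RE.search(body):
        score += 3
        reasons.append("asks the reader to type in a password or user name")
    if len(BLANK_FIELD_RE.findall(body)) >= 2:
        score += 1
        reasons.append("contains blank fill-in fields ()")
    if THREAT_RE.search(body):
        score += 1
        reasons.append("threatens loss of mail service")
    return score, reasons


def is_suspicious(raw):
    return score_message(raw)[0] >= SUSPICIOUS_THRESHOLD


if __name__ == "__main__":
    for label, text in (("phish", PHISH), ("benign", BENIGN)):
        s, why = score_message(text)
        print(label, s, why)
```

The Reply-To mismatch alone is worth flagging at the gateway: a notice that claims to come from the local help desk but collects replies at a free webmail domain is exactly the pattern the commenter describes, and it is visible in headers before any user reads the body.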
A stolen laptop should not threaten internal security. The tools to encipher crucial information are free (as in $0).
The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
"Bob, I need financial data for all clients who bought the WidgetMaster 9000, ASAP!"
"Sure, boss. I couldn't attach it to email for some reason, so I posted it on superfileshare.com."
If you open yourself to the foo, You and foo become one.
Seriously... humans are the weak link... don't tell me it's so!
Wetware error.
LUSER factor.
Oh, damn.
No OS on the planet can protect itself from a user with the admin password. - Yvan256
True, whatever encryption you have set up, it can only be as strong as the user who is working with it. If they're stupid enough to leave their passwords or tokens with PINs in the bag, of course you're going to have problems. But with an aggressive education plan coupled with a "lest the clenched fist of retribution come down upon you" attitude, you can save yourself a lot of issues. But the above comment was more directed at organisations that don't use encryption at all. I don't know how many times recently I've heard of major entities who should know better losing a laptop with data stored in cleartext. If you're not encrypting things, it doesn't matter how many educational classes you host; people will still lose laptops and USB sticks.
There is no -1 disagree
The British Defense Ministry has reported 205 laptops missing since 1997 -- most of which contained classified information. That's an average of 51 lost laptops per year. The latest was reported missing on Monday. This one reportedly contained data about new weapons systems. Its owner left it in the back of a taxi. To combat this spate of missing-in-action machines, the Defense Ministry plans to outfit their absent-minded workers with secret-agent-style briefcases that protect national secrets by automatically destroying the contents of lost laptops' hard drives. Thieves have been blamed for some of the laptop losses, but the majority of the missing machines were simply mislaid by tipsy or distracted agents. Read More http://www.wired.com/politics/law/news/2001/04/43088#ixzz0iGiAjJpW
I went to Ponemon's home page, but was unable to find the study referenced by the article. Just two questions, though:
What information do we have on the relative sizes of the companies represented by this study? The company I work for (a multinational, but I'm in the US) has close to half a million employees worldwide, more than fifty thousand of whom are in the US. How many people do you poll from my company before "yes, a laptop has been stolen from my organization" ceases to be an interesting question? I looked at a related study Ponemon performed (link to PDF here) and found that in that study, there were a total of 29 organizations sampled.
Second, what constitutes a data breach? Someone accessing a system with protected information? Someone accessing a system with protected information, and actually being able to get to the protected information?
There's just no "there" in this summary.
(By the way - that study I linked to is interesting in its own right. According to Ponemon, respondents who cited a case of laptop theft in which there was a full backup available of the lost system consistently reported the cost of the lost system as higher - perhaps, as Ponemon speculates, because they could determine exactly what was on it when it disappeared. That kind of weird, counter-intuitive relationship is the type of thing that makes me wonder exactly how useful this type of research is.)
I say we pull the humans out of the loop.
1) There's no perfect security.
2) People *rarely* lose their wallets, because they know they've got important stuff in them, so they know to keep them safe. Adding a slip of paper with a password to the wallet means that it will benefit from the same relative care.
3) People generally know that if they lose a wallet with ID, bank cards, etc., that they should immediately report the loss of the bank cards, get replacement ID, etc. By association, it would make sense to change a password promptly, or to inform a system administrator it's been compromised and needs to be reset -- someone who's lost a wallet would be likely to do this in the same session at the desk when they're calling the bank, etc.