Humans Continue To Be "Weak Link" In Data Security
ChiefMonkeyGrinder writes "Nearly 90 percent of IT workers in the UK have said a laptop in their organization has been reported lost or stolen, new research has found. Sixty-one percent said that this then resulted in a data breach, according to the '2010 Human Factor in Laptop Encryption Study: United Kingdom,' a report produced by the Ponemon Institute for Absolute Software."
Strong password requirements are a big part of the problem. We can teach people how to make more complicated passwords. But the draconian policies set by some sites make it almost impossible to maintain any degree of security. Make the password requirement difficult enough, and people HAVE to write it down and keep it in an insecure location just to make it usable.
I really fail to see why so many of these companies fail to use common sense. The first thing we do as an IT staff in my organization with laptops is encrypt them. Use something like TrueCrypt, enable full drive encryption and set a good password. Laptop gets stolen? You're out the cost of the physical hardware that was taken from you... but the data that was on the machine? You can rest easy that you took every precaution you could to keep it safe. Of course, I work in the health care field, so any laptops, tablets, netbooks, etc. that have any ePHI (Electronic Protected Health Information) have to be secured. We just take our security practices a step further and do it to all of them. Which is worse? Having your users gripe a bit about an extra password? Or having data stolen? It's saved us once already, as a laptop was stolen last year on a business trip.
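A fleet-side check that goes with the comment above: whether a Linux laptop's root filesystem actually sits on a dm-crypt (LUKS) volume, as reported by `lsblk`. This is an added example, not the commenter's tooling and not TrueCrypt's or Absolute Software's. It parses the JSON that `lsblk -J -o NAME,TYPE,MOUNTPOINT` prints; the two device trees embedded below (one LVM-on-LUKS laptop, one unencrypted laptop) are constructed samples, not real hosts.

```python
"""Audit: is the root filesystem backed by a dm-crypt mapping?

Added illustration; parses `lsblk -J -o NAME,TYPE,MOUNTPOINT` output.
The sample trees are constructed, not captured from real machines.
"""
import json
import subprocess

# Constructed sample: LVM on LUKS, /boot left in the clear (typical layout).
ENCRYPTED_LAPTOP = json.dumps({"blockdevices": [
    {"name": "nvme0n1", "type": "disk", "mountpoint": None, "children": [
        {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot"},
        {"name": "nvme0n1p2", "type": "part", "mountpoint": None, "children": [
            {"name": "cryptroot", "type": "crypt", "mountpoint": None, "children": [
                {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
                {"name": "vg-swap", "type": "lvm", "mountpoint": "[SWAP]"},
            ]},
        ]},
    ]},
]})

# Constructed sample: plain partitions, nothing encrypted.
PLAIN_LAPTOP = json.dumps({"blockdevices": [
    {"name": "sda", "type": "disk", "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "mountpoint": "/boot"},
        {"name": "sda2", "type": "part", "mountpoint": "/"},
    ]},
]})


def root_is_encrypted(lsblk_json: str, mountpoint: str = "/") -> bool:
    """True if the device mounted at `mountpoint` is, or sits under, a
    dm-crypt ('crypt') node in the lsblk tree. Unknown mountpoint -> False,
    so a missing or odd layout fails closed rather than passing the audit."""
    tree = json.loads(lsblk_json)

    def walk(node, crypt_above):
        crypt_here = crypt_above or node.get("type") == "crypt"
        if node.get("mountpoint") == mountpoint:
            return crypt_here
        for child in node.get("children", []):
            found = walk(child, crypt_here)
            if found is not None:
                return found
        return None

    for dev in tree.get("blockdevices", []):
        found = walk(dev, False)
        if found is not None:
            return found
    return False


def audit_live_host() -> bool:
    """Run lsblk on this machine and evaluate it (Linux with util-linux)."""
    out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
                         check=True, capture_output=True, text=True).stdout
    return root_is_encrypted(out)


if __name__ == "__main__":
    print("sample encrypted laptop:", root_is_encrypted(ENCRYPTED_LAPTOP))
    print("sample plain laptop:    ", root_is_encrypted(PLAIN_LAPTOP))
```

The check looks for a `crypt` ancestor rather than for a particular tool, so LUKS under LVM, LUKS directly holding the filesystem, and other dm-crypt mappings all pass; `/boot` on the encrypted sample deliberately reports False, which is the usual (and acceptable) exception a policy has to spell out.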
Humans may be the weak link in information security, but the information is only useful to humans, so it's not as if we can remove ourselves from the system. Well, we could, and then go back to invisible inks, hand ciphers and cars that actually stop, but these days people probably wouldn't want to do that.
This is news?
Wargames.
I'm not saying there aren't plenty of places that encryption is useful security, but I see it far oversold as a panacea. That something is encrypted doesn't mean it is secure. A great example of that would be copy protected games or movies. They use encryption to secure their data. Often it is quite good encryption. AACS uses 128-bit AES crypto, doesn't get much stronger or more tested than that. Yet, it is all for naught. Games are cracked, Blu-Rays are copied and so on. Why? Well because the decryption key is on the disc somewhere. Obfuscate all you like, if the key is there you are screwed.
Same deal with encryption in terms of security for your data. Encryption is useful for data in transit over insecure channels, the Internet being the main one. So long as only your computer and the remote computer have the key, there'll be no snooping on what is going on. Encryption is also useful against physical theft in the case of a laptop or something. If they grab the computer but can't get the password (and the computer isn't logged in or the like) then they can't get the data.
However encryption isn't useful a whole lot outside of that. For example encrypting data on your desktop won't do much against a remote attack. You have to get into said data and so when you decrypt it, the key and/or data can be captured. You'd be just as well off with unencrypted data overall. Likewise encryption does little to nothing against a social engineering type of attack.
So I'm not saying "Don't use encryption," just that you should think about when to use it, if it is doing any good. Don't sell encryption as something you need to always do, because it isn't useful and can lead to a false sense of security.
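A worked version of the "key is on the disc" argument in the comment above. This is an added example, not AACS and not any real DRM scheme: the cipher is a counter-mode keystream built from SHA-256 over key||counter, standing in for AES-CTR so the script needs only the standard library, and the "disc image" is constructed (a fake header, random filler with the 16-byte title key stored in the clear at an offset the attacker does not know, then the encrypted payload). The attacker is assumed to have reverse-engineered the container layout (where the payload starts) and to know the content begins with a fixed magic (`b"MPEG"` is an assumption); the key's location is the only secret, and a sliding-window key search removes it.

```python
"""Key hunting: encryption whose key ships beside the ciphertext.

Added example. Hash-counter keystream stands in for AES-CTR; the disc
image and the b"MPEG" known-plaintext magic are constructed assumptions.
"""
import hashlib
import os
from typing import Optional

KEY_LEN = 16
MAGIC = b"MPEG"               # assumed known-plaintext prefix of the content
HEADER = b"DISC01"
FILLER_LEN = 200              # bytes of "obfuscation" the key is buried in
PAYLOAD_OFFSET = len(HEADER) + FILLER_LEN


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Counter-mode stream cipher: block i keystream = SHA-256(key || i)."""
    out = bytearray()
    for i, pos in enumerate(range(0, len(data), 32)):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        chunk = data[pos:pos + 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def build_disc_image(title_key: bytes, content: bytes) -> bytes:
    """Constructed 'disc': header | filler with the key hidden inside | ciphertext.
    The offset is fixed here but is not given to the attacker."""
    assert len(title_key) == KEY_LEN
    filler = bytearray(os.urandom(FILLER_LEN))
    hidden_at = 57
    filler[hidden_at:hidden_at + KEY_LEN] = title_key
    return HEADER + bytes(filler) + keystream_xor(title_key, content)


def recover_key(image: bytes, payload_offset: int) -> Optional[bytes]:
    """Try every 16-byte window of the image as the key; a candidate wins
    when it decrypts the first payload block to something starting with MAGIC.
    Returns the key or None if no window works."""
    payload_head = image[payload_offset:payload_offset + 32]
    for i in range(0, len(image) - KEY_LEN + 1):
        candidate = image[i:i + KEY_LEN]
        if keystream_xor(candidate, payload_head).startswith(MAGIC):
            return candidate
    return None


def demo() -> bool:
    """End to end: mint a disc, forget the key, recover it, decrypt the film."""
    title_key = bytes.fromhex("00112233445566778899aabbccddeeff")
    content = MAGIC + b" the feature film, 1080p, region-coded, 'protected'"
    image = build_disc_image(title_key, content)
    found = recover_key(image, PAYLOAD_OFFSET)
    if found is None:
        return False
    return found == title_key and keystream_xor(found, image[PAYLOAD_OFFSET:]) == content


if __name__ == "__main__":
    print("key recovered and content decrypted:", demo())
```

The strength of the cipher never enters the search: a 4-byte known plaintext and a few hundred candidate windows are enough, which is why "obfuscate the key harder" only changes how many windows (or how much of a player's memory dump) the attacker has to try. The same logic applies to the desktop case in the comment: once the key must be present for the data to be used, an attacker with access to that environment reads it rather than breaking the algorithm.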
...without strong countermeasures to prevent the data from being exploited?
I guess I don't understand why, if some chunk of data is critically important, the organization would allow it to be dragged out of the office on a laptop. The data should be required to stay in the office with access from outside the office only on a business-critical basis and with strong security requirements (i.e., a VPN-only accessible terminal server, all using RSA tokens).
And if it MUST go out of the office on a laptop, why aren't very strong encryption measures being taken into consideration, including whole-disk encryption with failed-access data wiping?
I see so many people with laptops who don't really need portability. Most of the time they have a laptop because it's a token of their importance to the organization or some kind of freebie (they have a desktop, too, but the laptop is so they can "work from home" but is really just a free home computer).
The other thing weird about this is that 61% of the lost laptops resulted in a security breach! Most of the people I've dealt with who had laptops were by and large wankers with company data of interest to almost no one; at worst you might be able to reverse a cached password or raid the browser passwords for something trivial.
And who is stealing laptops? In the US, a lot of that theft is just petty theft for quick cash -- drug addicts, gang members, losers looking for something they can pawn or turn on the street for $200. It's really not info security experts.
... is because computers do exactly what they are told to do.
Absolute Software - The absolute best way to track, manage and protect your digital world.
Tracking software to aid recovery of lost or stolen computers. Also software for hardware/software inventory and software license management.
There's a reason why Absolute Software is talking this up...
Just sayin'
You can have your shit locked down 6 billion ways to Sunday.
The minute you introduce the human element into it, you have a massive security hole that can be patched, but NEVER closed.
You can train and train and train. Ennui sets in and their brains shut off after a while.
You can have the most draconian policies regarding proper usage. People will still circumvent it, accidentally or deliberately.
You can fire people. It just creates ill will and the damage is already done.
And, if it happens to be the owner of the company doing the circumvention there's jack and shit you can do about it.
I'm sorry, but anyone who tells you that security is about "keeping the bad guys out" is SELLING YOU SOMETHING (see: "How much for my large and stinky pile of crap?"). Nothing more.
Security is about putting enough roadblocks in place that attackers begin looking for easier targets so they can maximize their returns on time invested.
If someone wants into your systems bad enough, THEY WILL GET IN. Period.
The job of security is to make this interval as long as possible so they can maximize the chances of catching them before they get in or forcing them into something spectacular and HIGHLY traceable.
THANK GOD!!!