Slashdot Mirror


Humans Continue To Be "Weak Link" In Data Security

ChiefMonkeyGrinder writes "Nearly 90 percent of IT workers in the UK have said a laptop in their organization has been reported lost or stolen, new research has found. Sixty-one percent said that this then resulted in a data breach, according to the '2010 Human Factor in Laptop Encryption Study: United Kingdom,' a report produced by the Ponemon Institute for Absolute Software."

6 of 117 comments

  1. Security Failings by Y2KDragon · · Score: 5, Insightful

    Strong password requirements are a big part of the problem. We can teach people how to make more complicated passwords. But the draconian policies set by some sites makes it almost impossible to maintain any degree of security. Make the password requirement difficult enough, and people HAVE to write it down and keep it in an insecure location just to make it usable.

    1. Re:Security Failings by Sycraft-fu · · Score: 4, Insightful

      Not only making it too hard, but making changes too frequent. If someone has to change their password once a month, they will have trouble remembering it. They'll make it as simple as the security will allow and write it down (maybe multiple places).

      What it comes down to is if you feel the data you are protecting is important enough that it needs to have a complex password and such, what it really needs is two-factor security. Something like a SecurID token or whatever. That makes it near impossible to break in as you have to get the password AND the token and you have to make use of it before the token's absence is noted.

      Being a jerk about password policy is no replacement for a better security system overall, and in fact can make your stuff less secure than you think. You are ultimately dealing with people and as such you can't expect them to be perfect with their memories. You need to adapt your security to them, not demand they adapt.

      You also have to simply accept that there's no such thing as perfect security. You can't have a system that can't be broken no matter what. Thus you need to make it as good as you can, have defense in depth (multiple security layers such that if one is breached not everything is bypassed), and remain vigilant.

    2. Re:Security Failings by L4t3r4lu5 · · Score: 5, Insightful

      Make it long, make it simple.

      Passphrases are the way forward. Ih4t3MSoft may well satisfy Microsoft's Secure Password policy of 7 characters, one upper, one lower case, one non-alphabetical. However, it's nowhere near as secure (from a brute-force perspective) as ihaterubbishmicrosoftsoftware.

      N.B. Not Anti-MS trolling, just picking phrases as they come to mind.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
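
To put numbers on the brute-force comparison in this comment, here is an added example (not part of the original post) in Python that estimates the keyspace of the two candidate passwords; the 20,000-word dictionary size and the guess rate are assumptions. It also shows the caveat that a passphrase built from common words is only as strong as a word-level search allows.

```python
import math
import string

# The two candidates quoted in the comment above: a short "complex"
# password and a long all-lowercase passphrase.
COMPLEX_PASSWORD = "Ih4t3MSoft"
PASSPHRASE = "ihaterubbishmicrosoftsoftware"


def charset_size(password: str) -> int:
    """Alphabet a blind brute-force attacker must cover, judged by the
    character classes the password actually uses."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII symbols
    return size


def brute_force_bits(password: str) -> float:
    """log2 of the keyspace for an exhaustive character-level search."""
    return len(password) * math.log2(charset_size(password))


def wordlist_bits(word_count: int, dictionary_size: int) -> float:
    """log2 of the keyspace when the attacker guesses sequences of
    dictionary words instead (the realistic attack on a passphrase)."""
    return word_count * math.log2(dictionary_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Wall-clock years to try every candidate at a fixed guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e10  # assumed offline hash-cracking rate, guesses per second
    for label, pw in (("complex", COMPLEX_PASSWORD), ("passphrase", PASSPHRASE)):
        bits = brute_force_bits(pw)
        print(f"{label:10} {len(pw):3} chars, charset {charset_size(pw):3}: "
              f"{bits:6.1f} bits, {years_to_exhaust(bits, rate):.3g} years")
    # The passphrase is four common words; against an assumed 20,000-word
    # dictionary the search is far smaller than the character-level figure.
    bits = wordlist_bits(4, 20_000)
    print(f"passphrase as 4 dictionary words: {bits:.1f} bits, "
          f"{years_to_exhaust(bits, rate):.3g} years")
```

Against a character-level search the passphrase wins by roughly 77 bits, but modelled as four dictionary words it lands slightly below the ten-character mixed password, so passphrase length only pays off when the words are not predictable.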

    3. Re:Security Failings by Aceticon · · Score: 5, Insightful

      Draconian IT Security policies that end up achieving the opposite effect are caused by the same underlying problems as the theatrical Security that's currently done in most airports:

      • If a Well-Balanced Security policy is in place and Something Bad happens, they blame the Security guys. If a Draconian Security policy is in place and Something Bad happens they can blame the person that "went around the security" (i.e. wrote a password on a piece of paper)
      • When a new widget/software is proclaimed as the next silver bullet, if Security gets it and Something Bad happens, they're the ones blamed, if they do get it, then they can blame the widget/software
      • The guy that prevented thousands of Bad Somethings never got promoted to management, since Nothing Happened. The guys that get promotions are the ones that make a Heroic Recovery when Something Bad happens
      • Billions of man-hours wasted can easily be ignored when spread over many people as many small hassles.

      The blame here is in Management - rewards and punishment are distributed on the basis of easily observable artifacts of The Work instead of looking at the hard to define and hard to measure Results.

      This problem is very common in all kinds of professions and in most countries ...

    4. Re:Security Failings by vlm · · Score: 4, Insightful

      Not only making it too hard, but making changes too frequent.

      You always know you're dealing with someone incompetent when that's a requirement.

      You need to change your pass code on door locks because the used digits begin to look physically different than the unused digits.

      You need to change ENCRYPTION KEYS occasionally to avoid known plaintext attacks, some MITM issues, and some other esoteric stuff.

      Encryption keys and door passcodes are kind of security related, and login passwords are security related, therefore they must be the same (if you're stupid) so you must change your login password on a regular basis.

      Some people confuse two of the A's in AAA. Login passwords are for "authorization". "Accounting" is where you catch multiple people using the same login, not "authorization".

      Finally there's the idiots that think good security must be inconvenient, therefore ANYTHING inconvenient must inherently be secure.

      The only reason you have to change your password on a regular basis is basically, stupid people quoting other stupid people saying it's important because they heard other stupid people saying it, aka an urban legend. Nothing more.

      Oddly enough the same morons who claim changing passwords increases security, also believe biometrics are more secure because you can't change your fingerprint... or can you?

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger

  2. Encryption and you by Kaldesh · · Score: 5, Insightful

    I really fail to see why so many of these companies fail to use common sense. The first thing we do as an IT staff in my organization with laptops is encrypt them. Use something like TrueCrypt, enable full drive encryption and set a good password. Laptop gets stolen? You're out the cost of the physical hardware that was taken from you... but the data that was on the machine? You can rest easy that you took every precaution you could to keep it safe. Of course, I work in the health care field, so any laptops, tablets, netbooks, etc. that have any ePHI (Electronic Protected Health Information) have to be secured. We just take our security practices a step further and do it to all of them. Which is worse? Having your users gripe a bit about an extra password? Or having data stolen? It's saved us once already as a laptop was stolen last year on a business trip.