Slashdot Mirror
Humans Continue To Be "Weak Link" In Data Security
ChiefMonkeyGrinder writes "Nearly 90 percent of IT workers in the UK have said a laptop in their organization has been reported lost or stolen, new research has found. Sixty-one percent said that this then resulted in a data breach, according to the '2010 Human Factor in Laptop Encryption Study: United Kingdom,' a report produced by the Ponemon Institute for Absolute Software."
If only there was a way to remove humans from the equation ... can you say Skynet?
I noticed that browsers have a neat habit of storing userames that you've used on various sites, and help pre-fill the username field with that information.
It would be much more helpful if those usernames didn't bleed across servers; it would really cut down on potential exploits, and helps me remember which one of my usernames for a given site is correct (especially before I crack open the encrypted volume to lookup the real username/password combo.)
Strong password requirements are a big part of the problem. We can teach people how to make more complicated passwords. But the draconian policies set by some sites makes it almost impossible to maintain any degree of security. Make the password requirement difficult enough, and people HAVE to write it down and keep it in an insecure location just to make it usable.
Any procedure, any system, any protocol, anything fails 9 out of 10 times due to human error. Why we let these insecure parts remain a critical part in anything is beyond me.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Like what? The code for the project I'm working on? Or are you suggesting I encrypt my entire production database that I can access over a VPN from my notebook?
If you have shit on your laptop that needs encryption, you aren't a professional.
the Ponemon Institute
Laptops: gotta steal 'em all.
I really fail to see why so many of these companies fail to use common sense. The first thing we do as an IT staff in my organization with laptops is encrypt them. Use something like Truecrypt, enable full drive encryption and set a good password. Laptop gets stolen? You're out the cost of the physical hardware that was taken from you... but the data that was on the machine? You can rest easy that you took every precaution you could to keep it safe. Of course, I work in the health care field so, any laptops, tablets, netbooks etc that have any ePHI (Electronic Protected Health Information), have to be secured. We just take our security practices a step further and do it to all of them. Which is worse? Having your users gripe a bit about an extra password? Or having data stolen? It's saved us once already as a laptop was stolen last year on a business trip.
You keep your password on a private document in your pocket, you can use a stronger password, and it's a lot harder to lose both your laptop and your password.
If you do lose one, it's easy to take steps to blacklist the other. You can even use some trivial obfuscation in recording the password so that even if someone gets it, they won't be able to figure out your password.
Example:
awfuieri3v
4u9388535v
v9tv379vn7
mc20884v05
That's just gibberish, but I could easily write that matrix down on a piece of paper, and then pick a path to take through it(it doesn't even have to be a complicated one, for example I could just use columns 2, 4, and 6) and there's not really much chance that someone's going to find my password. Of course there are even better examples where it's not even obvious that you're looking at a password matrix.
In the summary it states 9/10 know of a laptop in their organisation being lost. The organisations in question could have thousands or tens of thousands of laptops.
Can't agree more. Encryption is such a basic and fundamental requirement that if you're security team isn't working on a way to encrypt your data now, they should have it already done.
A question that should be asked more though that it currently is, is why do you need this data on easily stolen device. For example, why do customer records need to be on a laptop, why is this confidential document on a USB stick?
In my work place, no one can transfer anything off our internal network via data transfer. USB sticks will not be detected by machines. There are no open ethernet cables so if you try to connect a laptop to the cable running into your machine, it wont work. If anyone wants anything taken from the network, they need to raise a request and then if its granted, they will get the data encrypted and placed on a USB stick or laptop of their choice. We have a record of where things were taken from, when they were, requested by whom, authorised by whom. Users may find it slightly inconvenient but our data is secure, controlled and even in the event on a lost laptop or USB stick, we know that its encrypted to a high standard
There is no -1 disagree
It doesn't say 9 out of 10 lost or stolen. It says 9 out of 10 people reported that a piece of equipment has been lost or stolen within their organization. There's a big difference between those two statements.
Of course the issue still remains, people are always going to be the weakest security link. This should come as no surprise to anyone. It has always been that way, and always will be.
"Growing old is inevitable; growing up is optional."
You ARE the weakest link. Goodbye.
I really enjoyed that episode of Doctor Who. Now I'm a little scared.
Humans may be the weak link in information security, but the information is only useful to humans so its not as if we can remove ourselves from the system. Well, we could, and then go back to invisible inks, hand ciphers and cars that actually stop, but these days people probably wouldn't want to do that.
I'm glad we've moved past the Stone Age with their silly ideas about "braking systems". Things are so much better now without them.
:-)
Wargames.
Finally had enough. Come see us over at https://soylentnews.org/
I'm not saying there aren't plenty of places that encryption is useful security, but I see it far oversold as a panacea. That something is encrypted doesn't mean it is secure. A great example of that would be copy protected games or movies. They use encryption to secure their data. Often it is quite good encryption. AACS uses 128-bit AES crypto, doesn't get much stronger or more tested than that. Yet, it is all for naught. Games are cracked, Blu-Rays are copied and so on. Why? Well because the decryption key is on the disc somewhere. Obfuscate all you like, if they key is there you are screwed.
Same deal with encryption is terms of security for your data. Encryption is useful for data in transit over insecure channels, the Internet being the main one. So long as only your computer and the remote computer have the key, there'll be no snooping on what is going on. Encryption is also useful against physical theft in the case of a laptop or something. If they grab the computer but can't get the password (and the computer isn't logged in or the like) then they can't get the data.
However encryption isn't useful a whole lot outside of that. For example encrypting data on your desktop won't do much against a remote attack. You have to get in to said data and so when you decrypt it, the key and/or data can be captured. You'd be just as well off with unencrypted data overall. Likewise encryption does little to nothing against a social engineering type of attack.
So I'm not saying "Don't use encryption," just that you should think about when to use it, if it is doing any good. Don't sell encryption as something you need to always do, because it isn't useful and can lead to a false sense of security.
Skynet
Okay seriously I've just run out of pointless things to say.
...without strong countermeasures to prevent the data from being exploited?
I guess I don't understand why, if some chunk of data is critically important, that the organization would allow it to be dragged out of the office on a laptop. The data should be required to stay in the office with access from outside the office only on a business-critical basis and with strong security requirements (ie, VPN-only accessable terminal server, all using RSA tokens).
And if it MUST go out of the office on a laptop, why aren't very strong encryption measures being taken into consideration, including whole-disk encryption with failed-access data wiping?
I see so many people with laptops who don't really need portability. Most of the time they have a laptop because it's a token of their importance to the organization or some kind of freebie (they have a desktop, too, but the laptop is so they can "work from home" but is really just a free home computer).
The other thing weird about this is that 61% of the lost laptops resulted in a security breach! Most of the people I've dealt with who had laptops were by and large wankers with company data of interest to almost no one; at worst you might be able to reverse a cached password or raid the browser passwords for something trivial.
And who is stealing laptops? In the US, a lot of that theft is just petty theft for quick cash -- drug addicts, gang members, losers looking for something they can pawn or turn on the street for $200. It's really not info security experts.
... is because computers do exactly what they are told to do.
If you know nothing about the password at all, yes it can be more secure. However, if you know it is a passphrase, then you can work on it as such. Rather than brute forcing using character combinations, you use work combinations. Maybe your program also has grammar rules in it so it can make more intelligent choices in words. Of course against that you can start doing letter substitution but then you start having complexity problems again and so on. Also there's the problem of someone finding out your password, if it is very complex even if they see it they may not be able to remember it, but a phrase may be no problem. Etc.
What it comes down to is there's only so secure a password can be. How secure largely depends on the individual. Some people can handle long, complex, passwords. Others need things real simple.
Hence why, as I noted in another post, if the data you are securing is really so important, get two factor security. You can't force humans to be good with passwords so don't try. Use passwords as a part of a better security solution.
You can have your shit locked down 6 billion ways to Sunday.
The minute you introduce the human element into it, you have a massive security hole that can be patched, but NEVER closed.
You can train and train and train. Ennui sets in and their brains shut off after a while.
You can have the most draconian policies regarding proper usage. People will still circumvent it, accidentally or deliberately.
You can fire people. It just creates ill will and the damage is already done.
And, if it happens to be the owner of the company doing the circumvention there's jack and shit you can do about it.
I'm sorry, but anyone who tells you that security is about "keeping the bad guys out" is SELLING YOU SOMETHING (see: "How much for my large and stinky pile of crap?"). Nothing more.
Security is about putting enough roadblocks in place that attackers begin looking for easier targets so they can maximize their returns on time invested.
If someone wants into your systems bad enough, THEY WILL GET IN. Period.
The job of security is to make this interval as long as possible so they can maximize the chances of catching them before they get in or forcing them into something spectacular and HIGHLY traceable.
Chas - The one, the only.
THANK GOD!!!