Slashdot Mirror


Humans Continue To Be "Weak Link" In Data Security

ChiefMonkeyGrinder writes "Nearly 90 percent of IT workers in the UK have said a laptop in their organization has been reported lost or stolen, new research has found. Sixty-one percent said that this then resulted in a data breach, according to the '2010 Human Factor in Laptop Encryption Study: United Kingdom,' a report produced by the Ponemon Institute for Absolute Software."

21 of 117 comments

  1. Hmmm ... by WrongSizeGlass · · Score: 4, Funny

    If only there was a way to remove humans from the equation ... can you say Skynet?

    1. Re:Hmmm ... by The_Wilschon · · Score: 3, Interesting

      Better if you could remove data mobility from the equation. If somebody leaves their laptop in an unlocked office or a box of hard disks in the back seat of their car, it's quite likely to get stolen. So, knowing that that sort of thing will happen, it seems to make sense to force all sensitive data to be stored on physically and cyberly (just woke up, can't think of the proper word here, nurrrr) secured file servers.

      --
      SIGSEGV caught, terminating

      wait... not that kind of sig.
  2. Usernames in browsers by Sigma 7 · · Score: 3, Interesting

    I noticed that browsers have a neat habit of storing usernames that you've used on various sites, and help pre-fill the username field with that information.

    It would be much more helpful if those usernames didn't bleed across servers; it would really cut down on potential exploits, and helps me remember which one of my usernames for a given site is correct (especially before I crack open the encrypted volume to lookup the real username/password combo.)

  3. Security Failings by Y2KDragon · · Score: 5, Insightful

    Strong password requirements are a big part of the problem. We can teach people how to make more complicated passwords. But the draconian policies set by some sites make it almost impossible to maintain any degree of security. Make the password requirement difficult enough, and people HAVE to write it down and keep it in an insecure location just to make it usable.

    1. Re:Security Failings by somersault · · Score: 3, Interesting

      Then have them store it in a more "secure" location like in their wallet or their keyring. Some people can't even look after those adequately, of course... but at least you'll know if you've lost them that you should change your passwords.

      --
      which is totally what she said
    2. Re:Security Failings by buruonbrails · · Score: 3, Informative

      It's because people tend to think of their passwords as words, not phrases. It's much easier to remember a simple pass phrase (e.g. "Quick_brown_fox"), than a shorter, but completely senseless random symbol combination (e.g. "gsf12mU&*").

    3. Re:Security Failings by Sycraft-fu · · Score: 4, Insightful

      Not only making it too hard, but making changes too frequent. If someone has to change their password once a month, they will have trouble remembering it. They'll make it as simple as the security will allow and write it down (maybe multiple places).

      What it comes down to is if you feel the data you are protecting is important enough that it needs to have a complex password and such, what it really needs is two factor security. Something like a SecurID token or whatever. That makes it near impossible to break in as you have to get the password AND the token and you have to make use of it before the token's absence is noted.

      Being a jerk about password policy is no replacement for a better security system over all, and in fact can make your stuff less secure than you think. You are ultimately dealing with people and as such you can't expect them to be perfect with their memories. You need to adapt your security to them, not demand they adapt.

      You also have to simply accept that there's no such thing as perfect security. You can't have a system that can't be broken no matter what. Thus you need to make it as good as you can, have defense in depth (multiple security layers such that if one is breached not everything is bypassed), and remain vigilant.

    4. Re:Security Failings by L4t3r4lu5 · · Score: 5, Insightful

      Make it long, make it simple.

      Passphrases are the way forward. Ih4t3MSoft may well satisfy Microsoft's Secure Password policy of 7 characters, one upper, one lower case, one non-alphabetical. However, it's nowhere near as secure (from a brute-force perspective) as ihaterubbishmicrosoftsoftware.

      N.B. Not Anti-MS trolling, just picking phrases as they come to mind.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    5. Re:Security Failings by Aceticon · · Score: 5, Insightful

      Draconian IT Security policies that end up achieving the opposite effect are caused by the same underlying problems as the theatrical Security that's currently done in most airports:

      • If a Well-Balanced Security policy is in place and Something Bad happens, they blame the Security guys. If a Draconian Security policy is in place and Something Bad happens they can blame the person that "went around the security" (i.e. wrote a password on a piece of paper)
      • When a new widget/software is proclaimed as the next silver bullet, if Security gets it and Something Bad happens, they're the ones blamed; if they do get it, then they can blame the widget/software
      • The guy that prevented thousands of Bad Somethings never got promoted to management, since Nothing Happened. The guys that get promotions are the ones that make a Heroic Recovery when Something Bad happens
      • Billions of man-hours wasted can easily be ignored when spread over many people as many small hassles.

      The blame here is in Management - rewards and punishment are distributed on the basis of easily observable artifacts of The Work instead of looking at the hard to define and hard to measure Results.

      This problem is very common in all kinds of professions and in most countries ...

    6. Re:Security Failings by vlm · · Score: 4, Insightful

      Not only making it too hard, but making changes too frequent.

      You always know you're dealing with someone incompetent when that's a requirement.

      You need to change your pass code on door locks because the used digits begin to look physically different than the unused digits.

      You need to change ENCRYPTION KEYS occasionally to avoid known plaintext attacks, some MITM issues, and some other esoteric stuff.

      Encryption keys and door passcodes are kind of security related, and login passwords are security related, therefore they must be the same (if you're stupid) so you must change your login password on a regular basis.

      Some people confuse two of the A's in AAA. Login passwords are for "authorization". "Accounting" is where you catch multiple people using the same login, not "authorization".

      Finally there's the idiots that think good security must be inconvenient, therefore ANYTHING inconvenient must inherently be secure.

      The only reason you have to change your password on a regular basis is basically, stupid people quoting other stupid people saying its important because they heard other stupid people saying it, aka an urban legend. Nothing more.

      Oddly enough the same morons who claim changing passwords increases security also believe biometrics are more secure because you can't change your fingerprint... or can you?

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    7. Re:Security Failings by bickerdyke · · Score: 4, Interesting

      If IT departments really would care about password security, and insist on complex passwords AND not writing them down, they should start treating a forgotten password as something normal, and not a chance to ridicule that poor guy who forgot it again.

      What's worse for security? Resetting that poor guy's password twice a week, or having him try to avoid it by using a post-it under his keyboard?

      --
      bickerdyke
  4. Human is the weak link in anything by Opportunist · · Score: 4, Interesting

    Any procedure, any system, any protocol, anything fails 9 out of 10 times due to human error. Why we let these insecure parts remain a critical part in anything is beyond me.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  5. Ponemon by tepples · · Score: 5, Funny

    the Ponemon Institute

    Laptops: gotta steal 'em all.

  6. Encryption and you by Kaldesh · · Score: 5, Insightful

    I really fail to see why so many of these companies fail to use common sense. The first thing we do as an IT staff in my organization with laptops is encrypt them. Use something like TrueCrypt, enable full drive encryption and set a good password. Laptop gets stolen? You're out the cost of the physical hardware that was taken from you... but the data that was on the machine? You can rest easy that you took every precaution you could to keep it safe. Of course, I work in the health care field, so any laptops, tablets, netbooks etc. that have any ePHI (Electronic Protected Health Information) have to be secured. We just take our security practices a step further and do it to all of them. Which is worse? Having your users gripe a bit about an extra password? Or having data stolen? It's saved us once already as a laptop was stolen last year on a business trip.

  7. Not a great thing. by FlyingBishop · · Score: 3, Informative

    None of the IT workers recorded their password on a private document, but three percent did admit to sharing their key with other people.

    You keep your password on a private document in your pocket, you can use a stronger password, and it's a lot harder to lose both your laptop and your password.

    If you do lose one, it's easy to take steps to blacklist the other. You can even use some trivial obfuscation in recording the password so that even if someone gets it, they won't be able to figure out your password.

    Example:


    awfuieri3v
    4u9388535v
    v9tv379vn7
    mc20884v05

    That's just gibberish, but I could easily write that matrix down on a piece of paper, and then pick a path to take through it (it doesn't even have to be a complicated one, for example I could just use columns 2, 4, and 6) and there's not really much chance that someone's going to find my password. Of course there are even better examples where it's not even obvious that you're looking at a password matrix.
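The grid trick described in the comment above, as an added worked example that is not part of the original post. The 4x10 matrix and the "columns 2, 4 and 6" path are taken from the comment; the hide/recover helpers, the attacker-side enumeration and the reading order they assume (rows top to bottom, chosen columns left to right) are my own.

```python
import math
import secrets
import string
from itertools import combinations

ALPHABET = string.ascii_lowercase + string.digits

# The 4x10 matrix from the comment above, used here as the sample input.
PAGE_GRID = [
    "awfuieri3v",
    "4u9388535v",
    "v9tv379vn7",
    "mc20884v05",
]
# "columns 2, 4 and 6" from the comment, as 0-based indices (assumed reading order).
PAGE_PATH = (1, 3, 5)


def read_grid(grid, columns):
    """Recover the password: walk the rows top to bottom, taking the chosen
    columns left to right in each row."""
    return "".join(row[c] for row in grid for c in columns)


def make_grid(password, rows, cols, columns, rng=secrets.SystemRandom()):
    """Hide `password` in a rows x cols grid of random filler by writing it row
    by row into the chosen `columns`. Needs len(password) == rows * len(columns)."""
    if len(password) != rows * len(columns):
        raise ValueError("password length must equal rows * len(columns)")
    if len(set(columns)) != len(columns) or any(not 0 <= c < cols for c in columns):
        raise ValueError("columns must be distinct and inside the grid")
    grid = [[rng.choice(ALPHABET) for _ in range(cols)] for _ in range(rows)]
    chars = iter(password)
    for r in range(rows):
        for c in columns:
            grid[r][c] = next(chars)
    return ["".join(row) for row in grid]


def candidates(grid, k):
    """Attacker's view: every string readable from the grid with some set of k
    columns in ascending order. Someone who has the paper and knows the scheme
    but not the path only has to try these."""
    cols = len(grid[0])
    return {read_grid(grid, combo) for combo in combinations(range(cols), k)}


def bits_added(cols, k):
    """Work the secret column choice adds, in bits: log2 of the number of
    k-column subsets (column permutations would add log2(k!) more)."""
    return math.log2(math.comb(cols, k))


if __name__ == "__main__":
    secret = read_grid(PAGE_GRID, PAGE_PATH)
    fresh = make_grid(secret, 4, 10, PAGE_PATH)
    print(secret, read_grid(fresh, PAGE_PATH) == secret)
    print(len(candidates(PAGE_GRID, 3)), "candidates,", round(bits_added(10, 3), 2), "bits")
```

The enumeration is the check a practitioner wants before trusting this: with a 10-column grid and a 3-column path, an attacker who holds the paper and knows the scheme has at most C(10,3) = 120 strings to try, so the path is worth about 7 bits on top of the password itself. The paper therefore still has to be treated as the secret; the path only buys time to rotate the password after the paper goes missing, which is the point the comment makes.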

  8. Re:Maybe they should tie them to thier wrists by Elky Elk · · Score: 3, Informative

    In the summary it states 9/10 know of a laptop in their organisation being lost. The organisations in question could have thousands or tens of thousands of laptops.

  9. Re:Encrypt your sh*t. Or you aren't a professional by c0mpliant · · Score: 4, Interesting

    Can't agree more. Encryption is such a basic and fundamental requirement that if your security team isn't working on a way to encrypt your data now, they should have it already done.

    A question that should be asked more than it currently is, is why do you need this data on an easily stolen device. For example, why do customer records need to be on a laptop, why is this confidential document on a USB stick?
    In my work place, no one can transfer anything off our internal network via data transfer. USB sticks will not be detected by machines. There are no open ethernet cables, so if you try to connect a laptop to the cable running into your machine, it won't work. If anyone wants anything taken from the network, they need to raise a request and then, if it's granted, they will get the data encrypted and placed on a USB stick or laptop of their choice. We have a record of where things were taken from, when they were, requested by whom, authorised by whom. Users may find it slightly inconvenient but our data is secure, controlled and even in the event of a lost laptop or USB stick, we know that it's encrypted to a high standard.

    --
    There is no -1 disagree
  10. Re:Maybe they should tie them to thier wrists by bkr1_2k · · Score: 3, Informative

    It doesn't say 9 out of 10 lost or stolen. It says 9 out of 10 people reported that a piece of equipment has been lost or stolen within their organization. There's a big difference between those two statements.

    Of course the issue still remains, people are always going to be the weakest security link. This should come as no surprise to anyone. It has always been that way, and always will be.

    --
    "Growing old is inevitable; growing up is optional."
  11. Weakest Link by kiehlster · · Score: 3, Funny

    You ARE the weakest link. Goodbye.

    I really enjoyed that episode of Doctor Who. Now I'm a little scared.

  12. Encryption isn't everything by Sycraft-fu · · Score: 3, Insightful

    I'm not saying there aren't plenty of places that encryption is useful security, but I see it far oversold as a panacea. That something is encrypted doesn't mean it is secure. A great example of that would be copy protected games or movies. They use encryption to secure their data. Often it is quite good encryption. AACS uses 128-bit AES crypto, doesn't get much stronger or more tested than that. Yet, it is all for naught. Games are cracked, Blu-Rays are copied and so on. Why? Well because the decryption key is on the disc somewhere. Obfuscate all you like, if the key is there you are screwed.

    Same deal with encryption in terms of security for your data. Encryption is useful for data in transit over insecure channels, the Internet being the main one. So long as only your computer and the remote computer have the key, there'll be no snooping on what is going on. Encryption is also useful against physical theft in the case of a laptop or something. If they grab the computer but can't get the password (and the computer isn't logged in or the like) then they can't get the data.

    However encryption isn't useful a whole lot outside of that. For example encrypting data on your desktop won't do much against a remote attack. You have to get in to said data and so when you decrypt it, the key and/or data can be captured. You'd be just as well off with unencrypted data overall. Likewise encryption does little to nothing against a social engineering type of attack.

    So I'm not saying "Don't use encryption," just that you should think about when to use it, if it is doing any good. Don't sell encryption as something you need to always do, because it isn't useful and can lead to a false sense of security.

  13. Yes by rolando2424 · · Score: 5, Funny

    Skynet

    --
    Okay seriously I've just run out of pointless things to say.