Slashdot Mirror


Humans Continue To Be "Weak Link" In Data Security

ChiefMonkeyGrinder writes "Nearly 90 percent of IT workers in the UK have said a laptop in their organization has been reported lost or stolen, new research has found. Sixty-one percent said that this then resulted in a data breach, according to the '2010 Human Factor in Laptop Encryption Study: United Kingdom,' a report produced by the Ponemon Institute for Absolute Software."

12 of 117 comments

  1. Hmmm ... by WrongSizeGlass · · Score: 4, Funny

    If only there was a way to remove humans from the equation ... can you say Skynet?

  2. Security Failings by Y2KDragon · · Score: 5, Insightful

    Strong password requirements are a big part of the problem. We can teach people how to make more complicated passwords. But the draconian policies set by some sites make it almost impossible to maintain any degree of security. Make the password requirement difficult enough, and people HAVE to write it down and keep it in an insecure location just to make it usable.

    1. Re:Security Failings by Sycraft-fu · · Score: 4, Insightful

      Not only making it too hard, but making changes too frequent. If someone has to change their password once a month, they will have trouble remembering it. They'll make it as simple as the security will allow and write it down (maybe multiple places).

      What it comes down to is if you feel the data you are protecting is important enough that it needs to have a complex password and such, what it really needs is two factor security. Something like a SecureID token or whatever. That makes it near impossible to break in as you have to get the password AND the token and you have to make use of it before the token's absence is noted.

      Being a jerk about password policy is no replacement for a better security system overall, and in fact can make your stuff less secure than you think. You are ultimately dealing with people and as such you can't expect them to be perfect with their memories. You need to adapt your security to them, not demand they adapt.

      You also have to simply accept that there's no such thing as perfect security. You can't have a system that can't be broken no matter what. Thus you need to make it as good as you can, have defense in depth (multiple security layers such that if one is breached not everything is bypassed), and remain vigilant.

    2. Re:Security Failings by L4t3r4lu5 · · Score: 5, Insightful

      Make it long, make it simple.

      Passphrases are the way forward. Ih4t3MSoft may well satisfy Microsoft's Secure Password policy of 7 characters, one upper, one lower case, one non-alphabetical. However, it's nowhere near as secure (from a brute-force perspective) as ihaterubbishmicrosoftsoftware.

      N.B. Not Anti-MS trolling, just picking phrases as they come to mind.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
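
As an added illustration of the brute-force comparison in the comment above (not code from the original thread), the block below estimates the class-aware keyspace of the two example passwords and checks them against the quoted complexity rule. Alphabet sizes, the 7-character policy encoding and the vocabulary size for the word-level view are assumptions.

```python
import math

# Character classes a class-aware brute-force attacker would enumerate once it
# knows which classes a password uses. Alphabet sizes are assumptions.
CLASSES = {
    "lower": ("abcdefghijklmnopqrstuvwxyz", 26),
    "upper": ("ABCDEFGHIJKLMNOPQRSTUVWXYZ", 26),
    "digit": ("0123456789", 10),
    "symbol": ("!@#$%^&*()-_=+[]{};:'\",.<>/?`~\\| ", 33),
}


def alphabet_size(password: str) -> int:
    """Size of the union of character classes that appear in the password."""
    size = 0
    for chars, n in CLASSES.values():
        if any(c in chars for c in password):
            size += n
    if size == 0:
        raise ValueError("password uses characters outside the known classes")
    return size


def keyspace_bits(password: str) -> float:
    """log2 of the candidates a class-aware brute-force search must cover."""
    return len(password) * math.log2(alphabet_size(password))


def meets_complexity_policy(password: str) -> bool:
    """The '7 characters, one upper, one lower, one non-alphabetical' rule."""
    return (
        len(password) >= 7
        and any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(not c.isalpha() for c in password)
    )


def word_list_bits(word_count: int, vocabulary: int) -> float:
    """Keyspace if the attacker guesses whole words from a vocabulary instead."""
    return word_count * math.log2(vocabulary)


def years_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time to walk the full class-aware keyspace at an assumed rate."""
    seconds = 2 ** keyspace_bits(password) / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ("Ih4t3MSoft", "ihaterubbishmicrosoftsoftware"):
        print(pw, meets_complexity_policy(pw), round(keyspace_bits(pw), 1))
```

The passphrase fails the quoted policy yet has more than twice the brute-force bits; the word-level view (five dictionary words from an assumed 10,000-word vocabulary) is the tighter bound a defender should plan around.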
    3. Re:Security Failings by Aceticon · · Score: 5, Insightful

      Draconian IT Security policies that end up achieving the opposite effect are caused by the same underlying problems as the theatrical Security that's currently done in most airports:

      • If a Well-Balanced Security policy is in place and Something Bad happens, they blame the Security guys. If a Draconian Security policy is in place and Something Bad happens they can blame the person that "went around the security" (i.e. wrote a password on a piece of paper)
      • When a new widget/software is proclaimed as the next silver bullet, if Security gets it and Something Bad happens, they're the ones blamed, if they do get it, then they can blame the widget/software
      • The guy that prevented thousands of Bad Somethings never got promoted to management, since Nothing Happened. The guys that get promotions are the ones that make a Heroic Recovery when Something Bad happens
      • Billions of man-hours wasted can easily be ignored when spread over many people as many small hassles.

      The blame here is in Management - rewards and punishment are distributed on the basis of easily observable artifacts of The Work instead of looking at the hard to define and hard to measure Results.

      This problem is very common in all kinds of professions and in most countries ...

    4. Re:Security Failings by vlm · · Score: 4, Insightful

      Not only making it too hard, but making changes too frequent.

      You always know you're dealing with someone incompetent when that's a requirement.

      You need to change your pass code on door locks because the used digits begin to look physically different than the unused digits.

      You need to change ENCRYPTION KEYS occasionally to avoid known plaintext attacks, some MITM issues, and some other esoteric stuff.

      Encryption keys and door passcodes are kind of security related, and login passwords are security related, therefore they must be the same (if you're stupid) so you must change your login password on a regular basis.

      Some people confuse two of the A's in AAA. Login passwords are for "authorization". "Accounting" is where you catch multiple people using the same login, not "authorization".

      Finally there's the idiots that think good security must be inconvenient, therefore ANYTHING inconvenient must inherently be secure.

      The only reason you have to change your password on a regular basis is basically, stupid people quoting other stupid people saying it's important because they heard other stupid people saying it, aka an urban legend. Nothing more.

      Oddly enough the same morons who claim changing passwords increases security, also believe biometrics are more secure because you can't change your fingerprint... or can you?

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    5. Re:Security Failings by bickerdyke · · Score: 4, Interesting

      If IT departments really would care about password security, and insist on complex passwords AND not writing them down, they should start treating a forgotten password as something normal, and not a chance to ridicule that poor guy who forgot it again.

      What's worse for security? Resetting that poor guy's password twice a week or having him try to avoid it by using a post-it under his keyboard?

      --
      bickerdyke
  3. Human is the weak link in anything by Opportunist · · Score: 4, Interesting

    Any procedure, any system, any protocol, anything fails 9 out of 10 times due to human error. Why we let these insecure parts remain a critical part in anything is beyond me.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. Ponemon by tepples · · Score: 5, Funny

    the Ponemon Institute

    Laptops: gotta steal 'em all.

  5. Encryption and you by Kaldesh · · Score: 5, Insightful

    I really fail to see why so many of these companies fail to use common sense. The first thing we do as an IT staff in my organization with laptops is encrypt them. Use something like Truecrypt, enable full drive encryption and set a good password. Laptop gets stolen? You're out the cost of the physical hardware that was taken from you... but the data that was on the machine? You can rest easy that you took every precaution you could to keep it safe. Of course, I work in the health care field so, any laptops, tablets, netbooks etc that have any ePHI (Electronic Protected Health Information), have to be secured. We just take our security practices a step further and do it to all of them. Which is worse? Having your users gripe a bit about an extra password? Or having data stolen? It's saved us once already as a laptop was stolen last year on a business trip.

  6. Re:Encrypt your sh*t. Or you aren't a professional by c0mpliant · · Score: 4, Interesting

    Can't agree more. Encryption is such a basic and fundamental requirement that if your security team isn't working on a way to encrypt your data now, they should have it already done.

    A question that should be asked more than it currently is, is why do you need this data on an easily stolen device. For example, why do customer records need to be on a laptop, why is this confidential document on a USB stick?

    In my work place, no one can transfer anything off our internal network via data transfer. USB sticks will not be detected by machines. There are no open ethernet cables so if you try to connect a laptop to the cable running into your machine, it won't work. If anyone wants anything taken from the network, they need to raise a request and then if it's granted, they will get the data encrypted and placed on a USB stick or laptop of their choice. We have a record of where things were taken from, when they were, requested by whom, authorised by whom. Users may find it slightly inconvenient but our data is secure, controlled and even in the event of a lost laptop or USB stick, we know that it's encrypted to a high standard.

    --
    There is no -1 disagree
  7. Yes by rolando2424 · · Score: 5, Funny

    Skynet

    --
    Okay seriously I've just run out of pointless things to say.