Slashdot Mirror
Ask Slashdot: How Can We Create a Culture of Secure Behavior?
An anonymous reader writes "Despite the high news coverage that large breaches receive, and despite tales told by their friends about losing their laptops for a few days while a malware infection is cleared up, employees generally believe they are immune to security risks. They think those types of things happen to other, less careful people. Training users how to properly create and store strong passwords, and putting measures in place that tell individuals the password they've created is 'weak' can help change behavior. But how do we embed this training in our culture?"
Users are gonna do stupid things when it comes to security. Trying to fix that is a noble goal, but good luck.
The direction we need to keep going towards is idiot proofing. Assume the user will screw up and mitigate or eliminate the impact.
Perhaps we could take the lead from government departments already tasked with maintaining security, hold on, let me google this ... I'm finding 'Transportation Security Agency' and 'National Security Agency'. That should be a good start.
In my experience, a company with high employee morale has people who will tend to listen and follow security procedures, even when it might be time consuming. Even small things like stopping someone who slips past a door without badging in, or asking who someone is who is in a building without some ID.
With poor morale, there isn't much for the people to bother with security. I've seen companies try to save money by offshoring... then lose a lot more due to breaches than they would have spent by keeping existing talent in house.
We can start by making the software developers use type safe languages (Ada is one such example) so we have fewer of these problems to deal with in the first place.
Using C is irresponsible when better alternatives exist.
Strong passwords are useless - well, they're useful only against a brute-force attack and that's not the big threat anymore. A 64-character password is worth nothing against a phishing attack, and is worse than nothing if you have to write it down.
Maybe the cure is to have the incoming mail server destroy all clickable links (or point them at an internal "you will need to navigate to that URL manually" warning page, and simply delete anything executable.
While it may seem draconian, the best way I've found is to start from the ground up with recurring training. Make the training mandatory, but unobstructive, and ensure you get the people to sign they understand the rules. You'd be surprised just how much of a difference you will get from anyone if you have a piece of paper with their signature on it, there just isn't the same value in an emailed "ok, I got it".
There is a delicate balance between security and convenience, so you need to make sure that whatever you do to your end users doesn't bother them too much. Having purely random passwords is sure to get them to write it down and stick it under their keyboard. Having too loose of passwords is what will get you on the front page. However, if you can give them some leeway while maintaining some length and complexity in the passwords (i.e. pointers on using passphrases or self-made acronyms), you can go a long way. You might make a game out of your training too, give out some cheap prizes like lollipops or something, for various categories of passwords that the users create as part of the training. Who can make the best 24 character password? Who can make the funniest 12 character? etc... Engage them, give them something to remember, but hold them accountable for their (lack of) actions as well.
How can we create a culture where there is no incentive to hack or steal?
It's high time we stopped using the term 'password'. Those in the know realise by now that a word or words is no good.
I'd like to suggest replacing the term with 'passcode'. For those who still use passwords, it might encourage them to cease and desist. Or maybe not, but it would surely be worth a try.
This is a great question, and one that plagues businesses of all sizes. Based on our experience writing security training and consulting companies on the best ways to plug the security holes in their organizations, it comes down to three things: 1) Spelling it out: A proactive approach to security awareness includes open lines of communication, telling employees exactly what sorts of things to look out for. One major mistake that corporations often make is assuming too much—mainly, assuming that their employees know how to identify malicious situations over the phone or through email. Instead, spell out the situations that may trip them up, either through policies or training. 2) Repeat, repeat, repeat: Even in companies that make a concerted effort to raise security awareness among workers, there is a tendency to backslide into comfortable complacency unless the danger is kept at the forefront of their minds. This doesn’t have to be onerous for management or irritating to employees, since there are so many effective ways to make security awareness a part of a worker’s daily experience. E-newsletters, security briefs, and clever, eye-catching security awareness campaigns are a few ideas. 3) Create a culture of teamwork: Often, corporate environments in large companies use impersonal policies to “teach,” hoping to generate desirable behaviors with a “Don’t think, just do” mentality. This approach makes employees feel like a tiny cog in a huge machine, a piece not worthy of more than minimal information. Smart employers give employees more credit. An attitude of inclusion should permeate every policy, every training campaign, and every common area. A real “good guys vs. bad guys” attitude makes everyone feel like part of a team that is working toward the common goal of security.
good luck with that 40 yr old secretary that still hold old behavior at heart. Computers have good memories, people have crappy shitty memories. Thats why they tend to use words or something similar to what they know instead of gibberish random password generator for their security. I've seen people in high places which holds sensitive info that could easy kill a person if that info is leaked and they still used weak passwords... I've tried to tell them everything I can to use good behavior and it's a difficult challenge.
Then the people who don't deeply care about using computers properly won't use them except for boring business stuff, and then we can replace Windows with z/OS or OpenVMS and all those PCs with terminals.
"I don't know, therefore Aliens" Wafflebox1
Security isn't a destination! It's a journey! Often with potholes, tornadoes, zombies, and other obstructions along the way.
You want your environment secure? Implement rigorous security training for all personnel, and make sure your admins are on their game! I.e. pay them enough to warrant the time that's required for that type of time/knowledge investment across your entire enterprise.
Are your Admins following the bug reports, ON EVERYTHING, or actively searching for firewall or software holes?
Cars are not idiot proof, but we require that people be licensed and pass a test to drive them
Of course it will be the death-blow of the free-and-easy interwebs that we love much, what with them pesky net-cops passing out tickets for unsafe behavior
Sigh... every frontier has seen its freedoms fade as the masses trounce forward, I suppose that this was inevitable
Unless... unless... we could just freaking expect people to not act like total asshats, follow some simple rules and accept that they are going to get mugged if they do not follow the rules...
naw, that could never happen
Come on if this has not been posted to slashdot recently it should have
http://www.nucnet.org/all-the-news/2014/03/17/safety-culture-protected-japan-s-onagawa-nuclear-station-researchers-say
...by monitoring everything, duh!
So until the software (or hardware) necessary to make systems more secure improves a great deal people won't use it. I can't say what the nemchmark is for user tolerance / acceptance, but if I had to guess I'd say is was about 1 second of "automatic" activity, zero intellectual input and one simple mechanical movement. Implement that and you've probably invented computer security.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
People can't be bothered to take moderate, reasonable precautions with their own LIFE-PRESERVING behaviors, you think that they're going to be motivated to change their behaviors because some tech has to fart around with their laptop for 3 days re-imaging it?
Seriously, people need to stop assuming that humans aren't just hairless primates with a knack for tools and language.
-Styopa
Sure, just was devs need, more users, who never requested a feature in the first place, coming in and demanding that a particular language be used in the implementation because the read an article about how its 'more secure'
Welcome to my nightmare, this rarely works out well
And for the inevitable, 'why didn't you make it secure in the first place' comment
fuck you, fuck you fuck you and your childish, 'I changed my mind, I don't want it fast, I don't want it cheep, I want you to read my mind and know the future and give me something that I can't break because I am a fucking idiot... and I need it tomorrow' attitude that makes everything somebody else's fault
People still drink and drive, smoke, do drugs, and have unsafe sex despite years and sometimes decades of having admonitions against all of those things embedded in our culture. Why? Because people still "think those types of things happen to other, less careful people." It is human nature, hubris, and magical thinking all rolled into one.
There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
As long as there is incentive to skip security and get things done.
ie. let the nerds in IT worry about security - I'll worry about selling/making/doing and getting my bonus.
So technically I guess you could do something to foster this sort of secure behaviour but it won't happen because the powers that be don't give a shit.
So yeah, you can't.
If we execute anyone who has more than one security issue, artificial selection will fix this for us in future generations.
Right now we're probably genetically predisposed to risk taking (men more than women).
It would require eradicating laziness, ignorance, and plain old stupidity. Manage that and life would be such a paradise that you probably wouldn't need security in the first place.
Despite the high news coverage that large breaches receive, and despite tales told by their friends about losing their laptops for a few days while a malware infection is cleared up, employees generally believe they are immune to security risks. They think those types of things happen to other, less careful people.
Untrained users are not the cause of large breaches. Malware infections happen to even the most careful users. In other words, training users and trying to change your company's culture won't make a significant difference.
Encrypt the laptop before a user can touch it. Make sure a decent virus scanner is running (and keep your fingers crossed). Get well trained sysadmins who see their job as keeping your network and servers as secure as reasonably possible.
Same way as every other behavior: reward desired behavior and/or punish undesired behavior.
I am not a crackpot.
People are used to guarding against security threats, but are always defending against old ones. By the time you get everyone trained in defending the threat, the attackers have already moved on to a new one. The only way to defend yourself is have a small group of people who can anticipate or react to the ever changing threat and have them defend everyone else. Unless you are primarily interested in security, they will never focus on preventing new attack avenues.
Users are not the problem any more. Crap code is the problem.
C is the source of buffer overflows. Microsoft is the source of autorun problems, or "if it's executable, run it". PHP is the source of most SQL injection problems. Vendor-installed backdoors are the source of most router vulnerabilities. None of these are end-user problems.
Where the hell are my mod points??!! I'd mod you up to 9000 if I could.
Heartbleed would simply not have happened if OpenSSL was written in Ada or another type safe language.
That is a extremely convincing argument for abandoning C style languages in favour of type safe ones when writing core libraries.
Right now there's a lot of commandline work that goes into making something secure.
Some people won't respect fire until they get burned.
Heartbleed would simply not have happened if OpenSSL was written in Ada or another type safe language.
Right you are. Heartbleed happened because everybody was _using_ OpenSSL. Fix that and the problem goes away.
When you start firing people for not following security policies. that is the only way. Look at what happens now you get a virus and what happens IT fixes you computer and you are maybe slightly inconvenienced for a short time while you wait for them to replace or re-image it. The whole time you and your manager get to yell at IT for not fixing it fast enough even though it was caused by you clicking on that email from the Nigerian prince for the 5th time this month. There need to be individual consequences or nothing will change.
Well, they are immune. It's their employer's computer that's at risk, not themselves. I couldn't give a rat's ass for my employers' computers. Securing that is the employer's problem, not mine. I'm not forgetting about identity theft and my personal information. There's no way I'll tell somebody else's computer (with nebulous security regimes designed by others) anything personal about myself. I'm not a fool.
Many of those nitwits won't even let me install less sucky web browsers, so fsck 'em! Live by the sword, die by the sword. They can consider it an expensive education on their part, until they smarten up.
In my 25 years working in IT, none of my passwords, weak or strong, have ever been hacked. Even my teenage sons, who have no idea about password strength, or site security, have never been hacked. And I doubt YOU can point to a single instance of someone hacking YOUR password.
Does password hacking happen? Yes, of course. Should we be careful? Yes. But there are much greater dangers, such as malware (which you no doubt HAVE had a personal brush with).
So if we need to put up with annoying security measures, let's at least focus on the more relevant dangers, rather than forcing us all write down our passwords and stick them to the bottom of our keyboards!
I've recently learned a new definition of security, one that's a little bit different from what I'd thought about before.
A secure system is a system that continues to work as expected, even in the face of unexpected events.
Users like a system that works the way they expect. They don't like crashes, endless popups, and systems slowed to a halt by malware.
So teach them the benefits they can expect. You can have a fast, trouble-free computer by doing x, y, and z. Clicking on "virus alerts" makes your computer slow and prone to crashing. Opening unexpected PDF files causes a huge hassle of needing to change your passwords and all that mess.
For a company of decent size, having some sort of mandatory training may be in the realm of possibility, but good luck with all of the small business (20 employees) out there. My company provides IT services to these types of businesses, mostly medical practices. There is no way to do anything other than individual, one-on-one training, and then only after something has already gone wrong. The owners don't want to pay for our time, and the staff are simply too damn busy to deal with it. This could just be a medical office thing, but I doubt it. It seems like simply being a "business" is itself a hindrance to instilling safe habits. At least with my home user clients, I have the time to educate them in a way that resonates. Back when I was in school, "computer class" was typing, a little BASIC, and that's about it. I wonder if there is anything in the current curriculum regarding safe surfing and proper security practices?
A number of years ago I worked for a large (Global) company that wanted to make their new ticketing system secure. So they implemented a new password standard for the system that required a 35 character password, it reset every 30 days, and required 5 non-alpha numeric characters. The result? Within a week everyone in my department had their passwords written on a post-it note stuck to their monitor. The biggest problem with network security is usually the network security department.
Use common sense 2 factor authentication that's not too difficult for your users to comply with and they WILL comply. Make it overly complex and hard for the average non-tech person to understand and your own people will undermine all of your security efforts. Publicly fire any employe that violates your simple rules and it will quickly become apparent that adhering to those easy to follow rules is worth the effort.
And in the corporate world there is the problem of status. People higher on the hierarchy do not like being told that they cannot do something by people lower on the hierarchy.
And if something goes wrong then it is YOUR fault because "security" was YOUR responsibility.
The problem there is that software has all the problems of a magical system. If you do A, B and C and then expect D to happen ... maybe it will, maybe it won't. Had you previously done X, Y or Z without rebooting?
There was a CAD program that had a problem with memory fragmentation. Even if you closed the previous files, eventually you ran out of contiguous memory and then your computer would complain about "issues" when you tried to open a file larger than your available contiguous memory. So first thing in the morning everything was fine. But around lunchtime things got weird. And the weirdness wasn't evenly distributed. On Monday, Alice would have a problem but Bob would work fine. On Tuesday Bob would have a problem but Alice would be fine. Etc. .....
And that was a problem that I could diagnose. There are hundreds more where all I can say is "perform the rite of reboot" and only open the app you have trouble with right now and let me know if it's still having trouble my god what are all those apps that are loading on start-up.
if they don't.
Penalize negligence, just like we do IRL.
Unless people have some training or background, thy will proceed blindly along until something actually Makes them pay attention.
Start with such basics in high-school, or even earlier than that. Explain (and mark their understanding) of things like strong vs weak passwords, and simple security procedures. E-mail safety tips. Good file management practices. Even basics like how to take care of a keyboard and/or pointing device would go fairly well in such a course.
Oh. Almost forgot: MAKE IT MANDATORY! Nobody gets to use the school computers/labs (even Office Staff) if they don't show proficiency. No personal systems should be allowed access to the school network without a valid certificate either, lest they infect the whole thing from their own carrier box. Ban those who violate the practices and cause problems. Make them responsible for what they caused, and Sit Through the repair procedures with a technician as an additional education in what happens, and what has to be done to Fix things, or no forgiveness, and therefore, no regained access! Give them a sense of what they are avoiding, and even what to do to fix a problem on their own system, should they get afflicted at home.
Start 'em young, and train them in the ways of the system. The results will be worth the effort.
Seriously: If people don't show they are responsible enough to use the school (or company) systems, they have no business accessing them, and probably shouldn't be working there in any capacity.
It's not known exactly how to instill a culture of paranoia, but one idea is to subject employees to traumatic experiences involving police and/or gangsters.
First off, stop worrying about passwords. Most malware doesn't get into systems by way of an attacker cracking passwords. It comes in in ways that bypass passwords entirely, either by getting a user to run it or by getting the user to give the attacker their password.
Second, look at your management culture. Do you expect your employees to routinely click on links in e-mail? Look for things like HR or IT sending e-mails that instruct people to follow links they've provided, or "secure" or "encrypted" e-mail systems that store the messages on Web servers and expect your employees to use a link to get at the contents of the "secure" or "encrypted" message. If you find such things, realize that you're training your employees to be insecure, because you're training them to expect to do as a normal part of their job exactly what the malware will need them to do to infect their systems. Start by removing such things from your management culture. If you need encrypted e-mail, do it within your own e-mail system so that users never need to follow links to read encrypted or secured e-mail. Outlook and Exchange offer this directly. If you need to give employees links to internal web applications or documents, create a Web page or site with a directory of links and train your employees to use a bookmark in their browser to access that site and navigate to the appropriate section where you'll put all the new links they need.
Third, look at your IT policies. Not the ones you wrote, the ones you expect employees to follow. If your policy manuals say "No user-installed software." but your actual policies require users to get and install software from outside, you have a problem. It can be as innocuous as sending zipped archives while not having a program to handle them pre-installed on user computers. It can be as pervasive as not having your IT able to support the myriad of tools your developers need, most of which will by definition not be the kind of thing most desktops would need. But every time you have a situation where what you expect of your employees requires software you didn't pre-install on their systems and where it'd negatively impact an employee's job performance and more importantly their performance evaluations if they refused to install that needed software themselves, you're creating security problems. Sit down and decide how you're going to address this, then address it. It can be as simple as a page of "approved" links to sites you know are safe and where employees can get all that useful software that gets used every day.
Fourth, evaluate your software update policies and IT budget and staffing. If your IT department doesn't have the staff or the budget to monitor the vendors of all the software in use in your organization, test changes and push updates out to your desktops and servers, you need to re-evaluate your IT budget and staffing levels. You need to get most updates installed within 30 days of their release, and you need to be able to get major critical security updates analyzed, tested and deployed within 24 hours. Your IT staff can't do that if security updates are a side item they're expected to handle in between doing everything else. If management wants security to be a priority, they need to back up their words with the resources and budget departments need to make it a priority.
Yes, a lot of that comes back to management. Attitudes towards security come from the top. More importantly, they come from what those at the top do and expect rather than from what they say.
I used the same approach my requiring my users tattoo their passwords on their foreheads. Eventually my user base dropped to almost zero...but for those who stayed I did see an interesting trend. Passwords like %uS*32Ldi# started prevailing because passwords like wafflebunny make for an embarrassing tattoo.
My empoyer periodically sends out convincing phishing attacks to employees. You click the link, you get a clear reminder that world is unsafe. It doesn't address all concerns, of course, but helps keep security in people's conscious mental mix.
Since it's MOST used worldwide on PC's & Servers combined: A good read (by "yours truly" that actually got me PAID for it no less - "the Lord works in mysterious ways") -> http://www.bing.com/search?q=%...
* It uses a HIGHLY ESTEEMED tool http://www.computerworld.com/s...
(Whose makers have taken a few of MY suggestions to improve it no less)
CIS Tool actually makes it "fun" to do (in a nerdy kind of way) - almost like a performance benchmark software does, albeit, for security instead!
It works!
APK
P.S.=> CIS Tool is also MULTI-PLATFORM capable (not just for Windows users, but also *NIX variants of many kinds as well)...
... apk
Well, you have to start somewhere, right?
Windows 2000 - from the guys who brought us edlin
The first question is not actually how you can create such a culture, but whether it's actually a good thing in the first place. You seriously need to evaluate this. One of the primary means of being secure is not trusting others. But trusting others is an incredibly useful tool to get things done, and it may be worth taking the security hit. Stand on a crowded railway platform, and you're trusting so many people, each of whom could push you off and kill you so easily, without even thinking about it. Without trust, society itself would be impossible.
So for example, if everyone believed they were immune to the security risk of terrorism, this would very obviously be such a good thing for society. There have been security economic analyses done of various security measures recommended by security guys, thinking their users to be fools who just wouldn't listen, which established that the users who ignored them were actually completely right, that the cost of implementing these measures was hundreds of times greater than the benefit of preventing the attacks they were effective against.
A security professional who thinks doing things securely must always be a priority just because that's his field, instead of taking the time to gain a more holistic understanding of the situation, deserves to be ignored.
Sue them for negligence when circumventing security actually results in damages. If I get fired for not skipping a security thing and missing my deadline, and don't get fired when I meet the deadline but infect the network...
Suppose I have a private office with a lockable door, do not anticipate being targeted for physical espionage, and personally know everyone who has keys (except the janitorial staff). How is writing 'horse correct battery staple' on a sticky and putting it under the keyboard worse than forcing password to empty? This is exactly as effective as memorizing "348Chj#(hf.4%!g'; DROP TABLE Students; 'fh2^*Hcvbmmz" at preventing anyone who does not have access to my office from accessing my computer.
I worked in the CS division of a US National Lab last summer - yes, people there have left their laptops alone in a conference room while they go pee, and come back to find someone attacking their machine. We were under advisement to always, always, always lock screen if you're away. If we are worried about casual espionage attempts, I'll keep the sticky note in my wallet.
If you wish to evince a scenario where either my home will be burglarized and/or myself physically attacked so they can steal my credentials, or my computer will be physically attacked and compromised, then we're past the point where storing the password only in my neural engams is sufficient so the argument is now moot.
make the SOBs sign a finalized specification and then throw it in their face when they get stupid, saying, "OK, you can have the new stuff you now demand if you tell me what in this spec you don't want or how much more time you will give me". If they won't sign a spec or won't deal with the realities of mission creep, get their asses kicked from above.
Culture is easy; it's the implementation that's hard.
Every single day people make a value assessment about what they should do: do I be lazy and post on slashdot or do I finish my assignment? If I can get away with being lazy without finishing my assignment, I'll be lazy and procrastinate. If I value discipline and the joy of hard work and a job well done, I'll finish it early. Etc etc.
Culture is simply a single world that assesses what a community of people value and do not value. So the key to embed something within your organization's culture is to MAKE it valuable, either through a system of rewards/punishments or some other method; essentially testing your user group's security habits and rewarding those who are good and lightly punishing/training those who are bad.
The problem with that method is it takes time and resources to implement a program like this, so you will likely need some higher up approval to do so. Culture in an organization like a company usually comes from the top, so you need a higher up as your champion, because that higher up will create a policy that grants you the power to give out rewards and punishments etc.
Higher ups in an organization are usually concerned with efficiency; typically that means cost. So what I would do is create some sort of explanation or proposal for a higher up, explaining the costs and risks (and if you can quantify the risks in terms of dollars that's good) of having bad security habits, and outline a program that would encourage it and what program would cost in terms of hours/costs to the organization. Sold right, they will grant you the power and authority to implement the program, and if they are the champion of it bringing it to the organization as a whole, the others will fall into line.
The key though is also value. When you understand the costs and risks of a security breach, is that risk and cost high enough to warrant a program ensuring proper safety protocols? Value is absolutely key.
1. It's annoying.
2. Most people don't think like that.
People are not built for that kind of caution.
My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
I'll probably be modded down for this but the most effective way is to pwn the users to show them that they are merely bitches that any moderately skilled geek can defraud completely. Since they only learn from being fucked over, being fucked over is the only way they learn - otherwise you are just considered to be paranoid.
Repeat this for every user you meet and add the strange looks you get from them when you do things a secure way.
My ism, it's full of beliefs.
If your users can do their job, then obviously IT Security is not doing theirs and stricter security policies are required!
A culture of secure behavior is a culture of paranoid, suspicious minds.
We can't go on together, with suspicious minds, and we can't build our dreams on suspicious minds. We're caught in a trap, and I can't walk out. ...because I love you too much baby.
What lies, Zontar the Mindless? See January 2008 winners http://techtalk.pcpitstop.com/...
* ... & as-per-YOUR-usual, vs. myself? "EAT YOUR WORDS..."
I see you haven't managed to eat them ALL yet (lol) after your failed attempt @ libeling me -> http://mobile.slashdot.org/com...
APK
P.S.=> As to my subject-line, for anyone's that curious on that account? See here (Zontar admits TrollingForHostsFiles is HIS sockpuppet, SEVERAL times) -> http://slashdot.org/comments.p... (What a TOTALLY reprehensible little scumbag that Zontar the Mindless is...)
... apk
Requiring users to change their password often and requiring long and "strong" passwords that are difficult to memorize is not the answer to better security. This results in people having to write down their password someplace convenient for them (and any nefarious people around). This is well demonstrated by the movie "Ferris Bueller's Day Off" where the main character find the schools' passwords taped inside a desk and alters his and his friends grades. It also trains users, and the help desk, that they will have to reset their password often. This has the effect of making the actual passwords irrelevant to security. All a nefarious person has to do to gain access to the system is convince the help desk that they are an employee that needs to change their password.
Our company, for example, uses Linux and measures uptime in years. Machines are rebooted for CPU and kernel upgrades and that's about it. Hard drive upgrades don't require a reboot, and they sure as heck don't crash. One machine had a bad memory module that caused a crash. We don't have users or software that crashes.
That definition absolutely includes what this thread is about. TFA talked mostly about malicious email attachments. When you do that, things stop working right. The discussion has talked about poor passwords. When your poorly chosen password is cracked, things stop working right. Using a good passphrase helps keep things working they way you expect them to work.
As bender would put it "kill all humans"
because if any of us remain the likelihood of us being careless and stupid is guaranteed
A culture of intense security awareness is a scared culture. Knowing that your colleagues are not going to leave a gap in to your file servers is important from the perspective of keeping your data safe from potential outside threats, but a state of persistent distrust is going to ultimately hamper the work of your organization through dehumanizing its members and tying them up in procedure.
A few simple policies and a few general guidelines should be the extent of an active security presence in the wider culture of an organization, with the exception of people specifically there to deal with security issues or sensitive items.
Myu:
The first step would be to reduce the number of separate passwords that have to be used. That means minimizing/eliminating the use of outside vendors that interact with your users via the web. If there's some vital human resource service that is needed (testing, training, employee reviews, whatever), bring it in house rather than contracting it out to an outside vendor. Because every single outside vendor you use means another set of credentials to be maintained.
The second step would be to eliminate password expiration. This may mean eliminating people in your organizatoin who think that password expiration is necessary. Depending on that person's position within the company, that might be as simple as telling them to knock it off, or might involve a complicated scheme to convince another company to recruit them away. When all else fails, compromising photographs are always effective.
But as the situation stands, I have to maintain half a dozen passwords, many of which I only use once or twice a year. So they are written on a post it note in my desk drawer. Sure, that pisses off the data security people. But before they steal that they'll nip the $200 backup drive sitting on my desk.
Easy Online Role Playing Campaign Management
Be a dick. I steal employer-owned equipment when employees leave their offices or desks unlocked. I leave notes on their desktops detailing what I could have done instead of just leaving a note when they leave their computers unlocked. When they start to say their password, I start making loud noises to make them shut up and then explain they should 1: never say it out loud. 2: never tell anyone. 3: especially never tell anyone in IT; IT can get in your account whenever they like without knowing your password anyway. When they root their laptop (can't lock it down completely; it's a laptop), I reimage it and explain company policy regarding end-user use of administrator accounts and proper privilege request procedures.
A large part of being a sysadmin or desktop support is being the little brother of the BOFH because even other IT folk (developers, project coordinators, database admins, backup operators, sysops, and yes, even desktop support and sysadmins) aren't paranoid enough to buy into the necessity for a culture of secure behavior. It takes a jerk to make end users have a portion of their subconscious say "What would the BOFH do here?" or at least "If I leave my door open while I go get my coffee, BOFH will steal my stuff" which, while not the intended mental result, does turn into the preferred physical result.
How many times has one's smartphone been infected by malware? How many people do you know whose smartphone was infected by malware? What about tablets? The problem has already been solved by shifting to a different type of computer than a PC.
I work at a large IT company and there is so much fragmentation and inconsistent security policies that seem to come from knee-jerk decisions by middle managers that have been chewed up because of specific security exposures.
This ends up being difficult for an end user as you end up jumping through extra loops for a service that less important that the one you normally use.
Security personnel, don't listen to reason, they just perform their goosestep and salute to the leader.
If I find a loophole to make my life easier I will use it.
Companies need to realize security needs to be thought out and need to be integrated properly, not a strap on what I see used by large companies.
The first problem is security through stupidity that you see all over the place. This is where you are required to change your password every x months, or days. It has been found that the maximum number of password changes per year, without storing it, is 2. That is maximum. It is still recommended to have people change their password, but currently the recommendation is if you do, to set it to once a year. I think Microsoft on their server products has this set to 3 months by default.
Low maximum password length. While it is expected there will be some length limitation. I have found places that limit you to 8, or 16 characters. Space is pretty cheap these days, can't you afford to store 50 characters, or more as the maximum? Also there are some places that require you to have really high minimum number of characters. 12 as a minimum is too high, 6, or 8 I see as more reasonable. I am constantly boggled by the places that require exactly x characters.
My other personal favorite is only allowing alpha, or numeric characters. Honestly, why limit which characters can be used?
On the other hand, requiring at least 1 character from 4 different groupings is also a bit excessive. Having to require from 2-3 groupings may be okay.
Basically many of the problem I see come from putting limitations on password that make it harder for people to remember their passwords, while making it easier for people to guess the passwords.
Also if you have a forgot password feature with a limit of number of tries. Make sure you warn the person before they are locked out, so they can use the forgot password feature. There should be a limit on the number of tries of a password, as not having this allows people to brute force the password, which is one of the more common ways getting passwords.
Microsoft, Apple, Google, Amazon what's the difference? All steal money from devs and control with walled gardens.
Troll your user base, trying to get them to do things they should not. Then publish the results.
I learned a long time ago that social pressure is a powerful weap-, er, motivational tool. Seriously, there needs to be a price to be paid for engaging in insecure behaviours. You want it to be low enough that people don't fear for their jobs but high enough that they are uncomfortable and motivated to change. So embarrass them. It's a good fit for the problem.
It's especially effective if some high-level staffers get caught and outed. If the workforce gets the message that "we're all in this together, it's a priority and management wants it done" then it will be done.
Our current problem is that security is seen as IT's problem. There are few if any repercussions for an average staffer doing something really dumb, so long as they had no malice or intent to breach security. This reinforces the image that security is a technical problem that is the sole responsibility of one department. If you don't change that then you'll never get a secure culture. To the point of the OP, a culture change cannot happen when it is delegated to one specialist department.
Accountability. Fuck everything else. Make people own up to their mistakes which cost the company (including the CxO suite). It doesn't matter if its security, ethics, or pick a topic of your choice. If they won't be caught/punished, you sure as hell can bet they won't care.
This goes for all layers involved - users, IT admins, and management. I lost three months of work to the Blaster worm in 2003 because IT wouldn't give me Admin privileges so I could secure my own workstation (remember kids, this was before XP implemented a firewall in SP2 in 2005). Why did IT not allow it? Because management wouldn't allow it.
Accountability. Fuck everything else. Make that work and everything else will fall into place.
Sure, just what devs need, more users, who never requested a feature in the first place, coming in and demanding that a particular language be used in the implementation because the read an article about how its 'more secure'
Heh. That reminds me of a meeting some 15 years ago. Java was gaining a strong foothold as an enterprise app development language at the time (especially in IBM Global Services, which is who I worked for), and at the same time we were living through a seemingly neverending series of Java sandbox security defects. Running code automatically downloaded from random websites in your browser is a devilishly hard thing to make safe, but that's completely irrelevant to enterprise software.
But the fact that the two contexts are completely different didn't prevent a clueless PM from boldly asserting (to the even more clueless customer!) that using Java is a bad idea because "it's insecure". I was the lead architect on the project and I had a hell of a time convincing the customer that the PM was wrong and that Java was, in fact, a good choice for the application. Especially since it would be impolitic to just come out and say the PM was full of shit, since he was ostensibly on my team.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Ada would not have affected the "goto fail;" bug, since that was simple repetition of a line. If I understand Heartbleed correctly, it wouldn't have helped there.
Not to mention that any idiots who mangle C like that for the sake of a few additional cycles (really, calloc() instead of malloc() would have stopped that bug cold) are going to manage to screw up in any language.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
When you put a road block in that person's way what will he do? He will find the easiest way around your road block and just do what he wanted anyway, regardless of how bad it is for him.
Most drugs are bad for you and also illegal, but people still find ways and take them.
Speed limits and other road rules exist for a reason. Ignoring rampant revenue raising, if there is a posted limit for a road you should be safe to assume everyone is travelling at or below it. Nope, there's always bunch who want to travel at the detection threshold above the posted limit. There's even a few arrogant bastards who feel it's their god-given right to travel at any speed, anywhere, swerving in and out of lanes to get around more responsible drivers, and even overtaking dangerously on the wrong side of the road.
Look at ATM cards as an example. Most people choose the shortest PIN their bank allows and probably the most memorable. How many cover the keypad when they enter their pin, or even check the machine for obvious signs of tampering?
Look at FaceBook. How many people load up every tiny detail of their life into Facebook, despite it being widely documented that Facebook is building profiles to sell to advertisers. How many people use the 'check in' feature from home while posting photos of all the lovely expensive stuff they have in their house? Then they post vacation photos and check in from half way around the world. They may has well put a sign on the door that says "house full of lovely stuff, owner away from house for 1 week". Try to explain that to people. You get called a tin-foil hat paranoid loony. when you try to explain it. "Nobody would want to spy on *me*", they say. "I'm not doing anything wrong, I've got nothing to worry about", they say (that one applies to the whole Snowden revelations too. "None of my friends would want to steal my things" they all say. They don't understand that once it's on FaceBook practically public, despite your "privacy" settings.
Let's look at another example. I watched a kid yesterday cross a busy city street on his bicycle. He was only about 10M from the pedestrian crossing where he could wait for a safe time to cross. Nope, too much inconvenience. He just turned and rode out across busy traffic without even looking. He had half to road to notice that there was a bus speeding down the far lane. The kid didn't even think to slow down. In his selfish, arrogant rush to do what *he* wanted to do , *right now* he kept riding right out in front of the bus. He is fortunate the bus driver was paying attention to the road and had good reaction time.
Another example. How many door to door salesman scams are there? I regularly get knocks on the door. A lot are asking for donations to charity but they won't accept small cash and offer a receipt. Several want to look at bills and other identifiable information for "we can help you save money, just get a few of your bills". The charity ones often want a credit card number and a bunch of other details I don't hand out my details to these people because I can't verify they are who they say. A lot of people must, because they keep coming around and knocking. Those people just don't think about the what-if. They see "ooh charity, feel good, give give give" and sign their lives away.
Still with me? Let's look at contracts. How many people do you know who actually read contracts before signing them? I don't know too many. Some will flick through and read a few choice words then sign on the dotted line. It took me nearly a week to get through the last big contract I entered into (property purchase/mortgage). It was huge, and full of curly terms. Your personal (financial, housing, etc) security is dependent on some of these terms, but many people don't even read them before they agree. It turns out that ignorance of the document you signed doesn't prevent you being bound by it.
People don't care about security. They care about what they want, *right now*, with *minimal effort*. People are stupid, lazy, arrogant, selfish and trust certain "authority" figures implicitly. Part of that is conditioning, part is just human nature. But you won't change it.
Except that he was right (by accident)?
By using Java you were also importing a massive API surface onto production machines.
really, calloc() instead of malloc() would have stopped that bug cold
No, it wouldn't have. The bug exploited lack of checking allocated buffer boundaries, reading freed memory. Some hypothetical "cfree()" (clear, and then free() allocated memory), OTOH, would.
The moment you agree that forcing your CNS into euphoria by direct stimulation of pleasure centers is a good idea, you are a junkie. From then on, the only thing between you and becoming "proper" junkie is the balance of counterweight fear from consequences of using various shortcuts to pleasure. You become junkie if you realize that with enough pleasure you won't care (much) about consequences any more. It doesn't start with marijuana. It starts very early in life, with discovery of candy or with discovery of masturbation. Those are common and readily available to humans early short circuits of natural survival-motivating system. So, yes, marijuana won't drag you in and under on its own. Your realizations and your decisions will. However, it is a signal that you may be on your way down. On a larger scale than individual one, it is a signal that our lives suck and that we are unable to find happiness. No satisfaction!
No
Most people don't have a private, lockable office.
Most people don't even have an office that has a door.
They have a cubicle, and one without a lockable file drawer... (as though typical office furniture locks weren't jokes to anybody with two paper clips and the MIT Lock Picking Guide)
Some people don't even have a cubicle. Look at an "Open Architecture Office"... they have one two floors down. I'm not sure if I would pick that or pick McDonalds as better or worse.
That's the problem. You need to keep the security token (be it a yellow stickie-note or an RSA key) on your person, all the time.
And it still doesn't stop a good phish, or the next Heartbleed.
- Dr. Crash
Everyone has worked somewhere and the rule said wear your security badge at all times. Nobody ever looked closely at them and jokers would routinely wear badges with Jar-Jar Binks photos. So long as a piece of plastic was dangling from your neck however then "security" had somehow been delivered. Everyone (including the person who wrote the rule) knew it was bullshit but if the rule were abandoned then the ISO-compliance security box could not be ticked and the auditors would get mad. The same essentially goes for frequent password cycling containing at least one character from the Klingon alphabet and so on.
The first problem with promoting a genuine culture of [anything] is deciding what you really want to achieve.
"Don't belong. Never join. Think for yourself. Peace." V.Stone, Microsoft Corporation
At best, 'security' is an arms race. At worst, it is an illusion.
Smartphones don't automatically create a security culture. Ask the parents of kids who bought $5000 worth of in-game purchases with real money.
Except that he was right (by accident)?
By using Java you were also importing a massive API surface onto production machines.
No different than any other language. And massive libraries are better than creating massive amounts of new code to solve the same problems any day, in terms of both effort and security.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Passwords need only be as secure as the effective aggregate retry policy of whatever is accepting credential inputs.
Half the problem are all these 'hashes' stored in the clear on disk where administrators incorrectly assume users are responsible to select big enough password to make up for lack of effective protections. This of course is a complete failure having never worked continuing to grow more laughably amusing over time as computing power per unit cost increases.
Next we have security standards actively mandating complexity AND password change policy with no regard for the collateral damage: post-it notes, password wallets with access passwords that never change, complacency regarding frequent administrative change requests.
Next we have the breathtaking idiocy of completely untrusted email systems where sender identities are trivially spoofed by anyone .. a height of insanity eclipsed only by those same email systems allowing for convenient file attachments and one click execution of untrusted code in the users security context.
What do you expect? Do you really think ANY amount of vigilance in such an environment is worth anything? The basic security problems enumerated in TFA are much more representative of underlying infrastructure failing to provide any useful contextual information to the user... aint the users fault. While it absolutely is productive to teach awareness of technical and social engineering threats most of it stems from catastrophic failures of systems and their administrators.
Clearly we can't convince folks to stop at stop signs. We can't convince folks to "just say no" to drugs. We can't prevent un-safe sex. Why would we think for a minute that on-line security would be important to anyone else. Perhaps penury is an excellent teacher as are automobile wrecks, brain damage, and gonorrhea.
I have seen where security is paramount, security policies prevent me from implementing more secure solutions. For example not being allowed to use full disk encryption, not being allowed to use secure password managers [Last pass, keepass], software updates prevented by airgapping with no allowed means to download updates