Slashdot Mirror


What Non-Experts Can Learn From Experts About Real Online Security

An anonymous reader writes: Google researchers have asked 231 security experts and 294 web-users who aren't security experts about their security best practices, and the list of top ones for each group differs considerably. Experts recognize the benefits of updates, while non-experts are concerned about the potential risks of software updates. Non-experts are less likely to use password managers: some find them difficult to use, some don't realize how helpful they can be, and others are simply reluctant to (as they see it) "write" passwords down. Another interesting thing to point out is that non-experts love and use antivirus software.

4 of 112 comments

  1. How, not what... by QuietLagoon · · Score: 4, Insightful
    I would also have liked to see the differences in how each group does what they do.

    For example --- software updates:

    - do the experts use "custom" installs to avoid the installation of unwanted browser toolbars and adware, and that is why they are more likely to install updates?

    - do the non-experts use the "default" installs, which pull in toolbars and crap adware, leading the non-experts to avoid updates?

    I think the article is a good one, but there should be some more depth to it.

  2. What Security Experts Can Learn From Non Experts by gestalt_n_pepper · · Score: 4, Insightful

    Any system that depends on users doing the right thing has ALREADY failed.

    1) If it's difficult or complicated, users won't do it.

    2) If your security organization's working strategy is, "break stuff, walk away and tell the user it's their problem," your strategies will be subverted from within so users can get actual productive work done, for which *they* get *their* bonuses.

    In short, users need productivity to get their extra money. Security people need a lower number of intrusions to get theirs. These two goals are always at odds, mostly because current security strategies burden nontechnical, uninterested users.

    The solution, which security people hate to hear, is to get better at installing and maintaining multiple levels of firewall, application sandboxing and/or streaming applications for all office applications, improving intrusion detection and dynamic virus removal in real time. NOT training users not to download suspicious executables or engage in fantastic feats of memory regarding passwords.

    --
    Please do not read this sig. Thank you.
  3. Key detail: Security experts have IT skills by pla · · Score: 4, Insightful

    Although the password keeper point struck me as interesting, I take issue with the "experts" stance on updates.

    People don't shun (non-OS) updates because they "might" install malware. They shun them because they do install unwanted tag-alongs (if not outright malware). Flash tries to install its partner-of-the-week every time you update it. Chrome just added push notifications. Java... Let's not even go there. And let's not overlook the fact that most users can't tell a legit update prompt from a drive-by installer.

    Security experts have a bias here because they:
    1) can usually tell the legit updates from the bogus ones (and know enough to get the bloat-free version of the update); and
    2) can themselves remove or repair the occasional spyware that slips through, without needing to pay BestBuy $150 for five minutes' work on a machine only worth $300 in the first place.

  4. Re:What Security Experts Can Learn From Non Expert by swillden · · Score: 4, Insightful

    The solution, which security people hate to hear, is to get better at installing and maintaining multiple levels of firewall

    Firewalls are not a solution. They're a small piece of a solution, but that's all. Firewalls segment networks, which is good because it reduces the scope of the attacks that have to be considered, but any good security design should assume that attackers will be able to get onto any network that has users.

    application sandboxing and/or streaming applications for all office applications

    Even better, move all applications to the web, so everything runs on central servers which are much easier to manage and secure than a fleet of personal computers. Give users Chromebooks or another thin client configuration and don't let them install software.

    improving intrusion detection

    IDS is good, but primarily for reducing the duration of an intrusion and trying to estimate the scope of the damage. IDS almost never reacts quickly enough to stop an intrusion.

    dynamic virus removal in real time

    Preventing the installation of viruses is far better than removing them.

    NOT training users not to download suspicious executables

    If the users can't install and run what they download, then it doesn't matter what they download.

    or engage in fantastic feats of memory regarding passwords.

    Totally. Most enterprise password policies are ridiculous. High-entropy passwords are neither necessary nor sufficient for securing systems. Multi-factor auth is more secure, and makes it possible to set reasonable password policies. Say, eight characters, alphanumeric, maybe require one non-alphanumeric symbol. Annual rotation is good, unless there is some reason to believe the password may have been compromised. Users can deal with that.

    Three-factor authentication is great, and not actually all that difficult. One factor is the password. Another is some sort of one-time password generator or, even better, a USB dongle that requires user activation (OTPs can be phished -- a user you can social engineer into giving you their password will also give you an OTP, in fact it's even easier to phish an OTP than a normal password). The third is a client-side digital certificate installed on the machine after verification that it complies with corporate security policies. Use Puppet or similar to not only keep the machine up to date, but identify if it gets out of date and if it does, revoke the certificate.

    Another crucial key to successful security is single sign-on. I can remember one moderately good password easily. Require me to know several and I'll have to write them down or reuse the same one everywhere. If I reuse the password we have none of the security benefits of multiple passwords and all of the password management headaches. So users should have one, strongly-secured, account that crosses all company systems. This is another benefit of web apps over local applications: You can secure all of your web apps behind a single set of authentication credentials by deploying them behind a reverse proxy server. That server handles authentication and provides a signed, time-limited user ID token to the systems it fronts.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
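The reverse-proxy single sign-on pattern swillden describes above (the proxy authenticates the user, then hands each backend a signed, time-limited user ID token) as an added worked example. This is not swillden's code and not any Slashdot or Google code; the comment does not say how the token is signed, so this example assumes an HMAC-SHA256 over a compact JSON payload with a key shared between the proxy and its backends. The key literal, the user names and the timestamps are constructed for the demonstration. The point it shows that the comment does not spell out: the backend accepts a user identity only when the signature checks out with a constant-time comparison and the expiry has not passed, so a token replayed after its lifetime or a payload edited to name a different user is rejected.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical shared key between the reverse proxy and the backends it fronts.
# In a real deployment this comes from a secrets store, never a source literal.
SHARED_KEY = b"example-proxy-backend-key-not-for-production"


def _b64url(data: bytes) -> str:
    """URL-safe base64 without padding, so the token can ride in a header."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    """Inverse of _b64url; restores the stripped padding before decoding."""
    pad = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + pad)


def issue_token(user_id: str, key: bytes, ttl_seconds: int = 300,
                now: Optional[float] = None) -> str:
    """Proxy side: after the user has passed authentication, mint a short-lived
    token naming that user. The payload is canonical JSON so the backend can
    re-derive the exact bytes that were signed."""
    issued = int(now if now is not None else time.time())
    payload = {"sub": user_id, "iat": issued, "exp": issued + ttl_seconds}
    body = _b64url(json.dumps(payload, separators=(",", ":"),
                              sort_keys=True).encode("utf-8"))
    sig = _b64url(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, key: bytes,
                 now: Optional[float] = None) -> Optional[str]:
    """Backend side: return the user id if the token is authentic and unexpired,
    otherwise None. Signature is checked before the payload is even parsed."""
    try:
        body, sig = token.split(".", 1)
        presented = _unb64url(sig)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    # compare_digest runs in constant time, so a forger gets no timing oracle
    # on how many leading bytes of the MAC were right.
    if not hmac.compare_digest(presented, expected):
        return None
    try:
        payload = json.loads(_unb64url(body))
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None
    if not isinstance(payload, dict):
        return None
    current = now if now is not None else time.time()
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= current:
        return None
    sub = payload.get("sub")
    return sub if isinstance(sub, str) else None


def forge_body(user_id: str, issued: int, ttl_seconds: int) -> str:
    """Build the body segment an attacker would splice in to claim another
    identity, re-using a signature captured from a legitimate token."""
    payload = {"sub": user_id, "iat": issued, "exp": issued + ttl_seconds}
    return _b64url(json.dumps(payload, separators=(",", ":"),
                              sort_keys=True).encode("utf-8"))


if __name__ == "__main__":
    # Constructed exchange: proxy issues for alice at t=1000000, backend checks.
    token = issue_token("alice", SHARED_KEY, ttl_seconds=300, now=1_000_000)
    print("fresh token     ->", verify_token(token, SHARED_KEY, now=1_000_100))
    print("after expiry    ->", verify_token(token, SHARED_KEY, now=1_000_301))
    body, sig = token.split(".", 1)
    spliced = forge_body("bob", 1_000_000, 300) + "." + sig
    print("edited identity ->", verify_token(spliced, SHARED_KEY, now=1_000_100))
```

The token carries no secret of its own, so it is only as good as the transport between proxy and backend: the backends must accept it only over a channel the proxy controls (mutual TLS or an internal network the user cannot reach directly), otherwise anyone who can talk to a backend can present a captured token for its remaining lifetime. Keeping the TTL short bounds that window.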