Slashdot Mirror


What Non-Experts Can Learn From Experts About Real Online Security

An anonymous reader writes: Google researchers have asked 231 security experts and 294 web-users who aren't security experts about their security best practices, and the list of top ones for each group differs considerably. Experts recognize the benefits of updates, while non-experts are concerned about the potential risks of software updates. Non-experts are less likely to use password managers: some find them difficult to use, some don't realize how helpful they can be, and others are simply reluctant to (as they see it) "write" passwords down. Another interesting thing to point out is that non-experts love and use antivirus software.

21 of 112 comments

  1. As a former expert by Anonymous Coward · · Score: 3, Insightful

    I've been out of the field for 10 years, but what I've learned since then is that "experts" don't care if the clients can actually use the system. AV? Take it or leave it, but for software updates, well, the cost of breaking corporate software with an update (they just took out our scheduling program for 4 days) is very measurable and affects everyone in the company, while the cost of a security incident is not nearly as measurable and doesn't affect everyone.

    If you want to win these fights, you have to present defensible numbers in units that the PHB's understand: Dollars or Euro. The cost of breaking the scheduling program is easily about 6 hours of salary for the entire fucking company due to lost productivity. The cost of cleaning up a security incident needs to be measured and presented. How much lost productivity did this cost, how much tech time did it cost, what's the cost of the stolen data, etc... IT, and security in particular, will always be a cost unless you show, in dollars, that it's worth keeping.

    1. Re:As a former expert by Mr+D+from+63 · · Score: 4, Interesting

      There are different kinds of experts (applies to all areas....). There's the 'professor', that understands it all, is glad to tell you how much you don't understand it, but has never implemented a useful solution. There's the 'painter', who knows how to find it and cover it up and make it look and sound good, there's the 'mechanic', who'll go in and work on it for you, but you may not know what he really did or if he really helped you, and there's the 'mentor', who will take time to make sure you understand and can do the right things.

    2. Re:As a former expert by khasim · · Score: 2

      ... the cost of breaking corporate software with an update (they just took out our scheduling program for 4 days) is very measurable and affects everyone in the company, ...

      Where are your test systems and test cases?

      If you want to win these fights, you have to present defensible numbers in units that the PHB's understand: Dollars or Euro.

      And the core problem with estimating losses is that you are now trying to play in the realm of the PHB. You will always lose. That is because while you are spending time on productive work they are spending time on personal relationships and politics.

      Any time they do not follow your advice and a disaster does NOT strike ... well it is obvious that they were right and you were wrong. So they SAVED/EARNED the company money by being more "productive". Those IT people are all "the sky is falling". Ha ha.

      Right up until the systems are cracked and then they're going to blame you any way because it was your job.

  2. Re:Experts know more than non-experts by Captain+Hook · · Score: 3, Insightful

    That's missing the point. Identifying 1 or 2 differences in approach between experts and non-experts shows 1 or 2 things you can tell the non-experts to do to greatly improve security overall.

    In this case, the take away action would seem to be to make sure you keep all the software updated.

    --
    These comments are my personal opinions and do not necessarily reflect the opinions of the other voices in my head.

  3. How, not what... by QuietLagoon · · Score: 4, Insightful

    I would have also liked to have seen the differences in how each group does what they do.

    For example --- software updates:

    - do the experts use "custom" installs to avoid the installation of unwanted browser toolbars and adware, and that is why they are more likely to install updates?

    - do the non-experts use the "default" installs, which pull in toolbars and crap adware, leading the non-experts to avoid updates?

    I think the article is a good one, but there should be some more depth to it.

  4. What Security Experts Can Learn From Non Experts by gestalt_n_pepper · · Score: 4, Insightful

    Any system that depends on users doing the right thing has ALREADY failed.

    1) If it's difficult or complicated, users won't do it.

    2) If your security organization's working strategy is, "break stuff, walk away and tell the user it's their problem," your strategies will be subverted from within so users can get actual productive work done, for which *they* get *their* bonuses.

    In short, users need productivity to get their extra money. Security people need a lower number of intrusions to get theirs. These two goals are always at odds, mostly because current security strategies burden nontechnical, uninterested users.

    The solution, which security people hate to hear, is to get better at installing and maintaining multiple levels of firewall, application sandboxing and/or streaming applications for all office applications, improving intrusion detection and dynamic virus removal in real time. NOT training users not to download suspicious executables or engage in fantastic feats of memory regarding passwords.

    --
    Please do not read this sig. Thank you.
  5. Re:Experts know more than non-experts by quantaman · · Score: 3, Informative

    That's missing the point. Identifying 1 or 2 differences in approach between experts and non-experts shows 1 or 2 things you can tell the non-experts to do to greatly improve security overall.

    In this case, the take away action would seem to be to make sure you keep all the software updated.

    The other take away is to figure out why the non-experts don't use the expert approach already. Are the password managers poorly advertised or otherwise unwieldy? For instance I know a lot of sites have login windows that the Firefox password manager doesn't recognize.

    --
    I stole this Sig
  6. Non-experts are concerned about the update's costs by Anonymous Coward · · Score: 2, Informative

    As much as people want to believe, in the age of unattended Windows updates and package managers, that updating is painless and causes no problems, there are many famous examples of times people installed updates that proceeded to destroy or seriously disrupt operation of production environments.

  7. Learning is fun by Atrox666 · · Score: 3, Funny

    Here's what you can learn from this security expert. If you click on those attachments we told you not to click on it will take me 2 days with your laptop to "analyze the threat" if you get infected. If it's not the first time then we were unable to recover your files and it will take 3 days.

  8. Key detail: Security experts have IT skills by pla · · Score: 4, Insightful

    Although the password keeper point struck me as interesting, I take issue with the "experts" stance on updates.

    People don't shun (non-OS) updates because they "might" install malware - They shun them because they do install unwanted tag-alongs (if not outright malware). Flash tries to install its partner-of-the-week every time you update it. Chrome just added push notifications. Java... Let's not even go there. And let's not overlook the fact that most users can't tell a legit update prompt from a drive-by installer.

    Security experts have a bias here because they:
    1) can usually tell the legit updates from the bogus ones (and know enough to get the bloat-free version of the update); and
    2) can themselves remove or repair the occasional spyware that slips through, without needing to pay BestBuy $150 for five minutes' work on a machine only worth $300 in the first place.

  9. What Experts can learn about reality by Voyager529 · · Score: 5, Interesting

    Experts recognize the benefits of updates, while non-experts are concerned about the potential risks of software updates.

    "Experts" are much better equipped to work around an update that makes a mess, and "Experts" are better able to pick up UI changes than "Non-Experts". Security is a good reason to update/upgrade, but every non-expert I know whose phone got the Lollipop update described it with obscenities, and would have been perfectly fine with a 'security patch only' update. The problem is that there's no consistent way for non-experts to know whether this will be a "transparent security fix" kind of update, or a "this will f'k up my s't and rearrange everything for no good reason" update. Even updates that don't make a mess of the UI cause other problems. Windows XP, circa 2001, needed 256MB of RAM to run acceptably. By the end of its run, the UI hadn't changed, but somehow, it required at least 1GB of RAM when it was (supposedly) the same OS. Admittedly an obscure example (but the only one I can think of at the moment), an Intel wireless NIC driver update I did once removed the ability to specify my own MAC address. A router firmware update I did once notably decreased the throughput of the network traffic it was processing. We all remember the Slashdot outcry when Sony removed OtherOS from the PS3. "Update" has a long history of having mixed impact on end users, so any "Expert" who both unilaterally applies updates and doesn't understand why "Non-Experts" don't share this practice may well have a thorough understanding of computers, but a piss poor understanding of humans.

    Non-experts are less likely to use password managers: some find them difficult to use, some don't realize how helpful they can be, and others are simply reluctant to (as they see it) "write" passwords down.

    Many password managers use Teh Cloud (tm). There's a damn good reason to be reluctant to store all of your passwords on somebody else's hard disk. Local password managers solve that problem, and now we're back to the classical problem of 'backing data up' and 'single point of failure'. Even at that, who do you trust? Heartbleed was a particular mess from a PR perspective because Open Source ("More secure than Microsoft!!11") had a spectacular failure that was used by "Experts" - people who were supposed to be putting security at the forefront. If such a widely circulated OSS project could have such a problematic bug, what possible hope does a regular user have with respect to betting on the right horse? Even if they do, there's nothing that they can do for the far end doing stupid things - all the password managers in the world won't change a blessed thing if the password was for Sony or Ashley Madison. It's all risky at some level, and ultimately, password managers overcome a shortcoming of computers themselves. Non-Experts have things to do. Writing passwords down in a nondescript password book, kept in a room separate from the computer itself, with each of the passwords changed annually, is probably the simplest and cheapest way a non-expert can put themselves comfortably in the third standard deviation.

    Another interesting thing to point out is that non-experts love and use antivirus software.

    As well they should. Antivirus software is a layer of security, and one that non-experts tend to use more consistently than any other form of threat mitigation. It's not a cure-all (more likely the problem that exists with non-experts using AV software; they throw caution to the wind under the assumption that the antivirus will protect them), but it will be very difficult to convince me that properly updated AV software does more overall harm than good.

    1. Re:What Experts can learn about reality by TemporalBeing · · Score: 2

      Antivirus software is a layer of security

      AV software may be a layer of security; but it often adds more security holes than it closes. Overall, AV software generally is more of a placebo than anything else. You can actually solve the issue better by being more security aware and careful to start with.

      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
    2. Re:What Experts can learn about reality by Voyager529 · · Score: 2

      "Experts" are much better equipped to work around an update that makes a mess, and "Experts" are better able to pick up UI changes than "Non-Experts". Security is a good reason to update/upgrade, but every non-expert I know whose phone got the Lollipop update described it with obscenities, and would have been perfectly fine with a 'security patch only' update. The problem is that there's no consistent way for non-experts to know whether this will be a "transparent security fix" kind of update, or a "this will f'k up my s't and rearrange everything for no good reason" update. Even updates that don't make a mess of the UI cause other problems. Windows XP, circa 2001, needed 256MB of RAM to run acceptably. By the end of its run, the UI hadn't changed, but somehow, it required at least 1GB of RAM when it was (supposedly) the same OS. Admittedly an obscure example (but the only one I can think of at the moment), an Intel wireless NIC driver update I did once removed the ability to specify my own MAC address. A router firmware update I did once notably decreased the throughput of the network traffic it was processing. We all remember the Slashdot outcry when Sony removed OtherOS from the PS3. "Update" has a long history of having mixed impact on end users, so any "Expert" who both unilaterally applies updates and doesn't understand why "Non-Experts" don't share this practice may well have a thorough understanding of computers, but a piss poor understanding of humans.

      I didn't see any experts in the article suggesting blindly installing updates without testing (if possible, like in a corporate environment for instance) or reading the release notes. Anyone with the technical skill to be upgrading a NIC driver or a router firmware should also have the technical skill to A) Test the update, B) Read and understand the release notes, and C) roll back the update if it has unintended side effects

      I don't dispute that. The point I was making was that updates are not universally better than their predecessors. Yes, I rolled that firmware back, but the fact that I needed to do so was more where my objection was focused.

      Many password managers use Teh Cloud (tm). There's a damn good reason to be reluctant to store all of your passwords on somebody else's hard disk. Local password managers solve that problem, and now we're back to the classical problem of 'backing data up' and 'single point of failure'. Even at that, who do you trust? Heartbleed was a particular mess from a PR perspective because Open Source ("More secure than Microsoft!!11") had a spectacular failure that was used by "Experts" - people who were supposed to be putting security at the forefront. If such a widely circulated OSS project could have such a problematic bug, what possible hope does a regular user have with respect to betting on the right horse? Even if they do, there's nothing that they can do for the far end doing stupid things - all the password managers in the world won't change a blessed thing if the password was for Sony or Ashley Madison. It's all risky at some level, and ultimately, password managers overcome a shortcoming of computers themselves. Non-Experts have things to do. Writing passwords down in a nondescript password book, kept in a room separate from the computer itself, with each of the passwords changed annually, is probably the simplest and cheapest way a non-expert can put themselves comfortably in the third standard deviation.

      All software has bugs. Security is always a trade-off between convenience and usability.

      Agreed. Where each lies, however, is not always cut and dry. PM's make it more convenient to have 20-character, randomly generated strings in active rotation, but less convenient than simply using "Hunter2!" everywhere.

      A properly written "Cloud" password manager *CAN* do both by only storing the encrypted information in the cloud. It also encourages (and can

  10. Re:What Security Experts Can Learn From Non Expert by khasim · · Score: 3, Interesting

    NOT training users not to download suspicious executables or engage in fantastic feats of memory regarding passwords.

    Don't depend upon a user's memory. Tell them that it is GOOD to write down their passwords AS LONG AS THEY STORE THEM WITH THEIR CREDIT CARDS.

    The solution, which security people hate to hear, is to get better at installing and maintaining multiple levels of firewall, application sandboxing and/or streaming applications for all office applications, improving intrusion detection and dynamic virus removal in real time.

    The REAL problem with security is that the VENDORS do not place a priority on it.

    It isn't that we hate to hear that.

    We're already DOING that. But it doesn't help much when a CxO installs some infected software on his laptop (which he can because he is so important that he NEEDS admin-level access) and then brings it into the most firewalled section of the network.

    Right now I'm focusing on knowing when a site is compromised rather than trying to get EVERYONE to follow the best practices EVERY TIME on EVERY SYSTEM.

  11. Or, what smug assholes can learn from real users by Anonymous Coward · · Score: 2, Insightful

    A) Anyone using the term 'best practice' has already lost half their audience. Being the 'best' is a hard claim to make.
    B) Real world usability trumps ivory tower douchebaggery. Stop making people have eleventy digit passwords with special characters that they rotate weekly. You aren't helping.
    C) The world is mostly people who just want to get shit done - as an IT guy, your stuff is an appliance. People don't care about nuance.

  12. "Security Experts" are mostly fraudsters by Anonymous Coward · · Score: 2, Interesting

    "Security Experts" are mostly fraudsters working for the anti-virus industry. You don't get security from anti-virus software. You compromise it by running additional proprietary applications which can't be inspected. This is not to say the sources being available make it secure, but it is a critical found for which any failure to do so is the equivalent of building a house on sand. It might work, until the earthquake hits. The lack of security is the result of holes (bugs) and user-related design issues. If you're looking at code and reporting bugs you're a security expert. Anything short of that and you're a fraud.

  13. Re:Systemd, for or against? by TemporalBeing · · Score: 2

    Discuss.

    Considering systemd is developed by non-experts...

    --
    Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
  14. Re:What Security Experts Can Learn From Non Expert by swillden · · Score: 4, Insightful

    The solution, which security people hate to hear, is to get better at installing and maintaining multiple levels of firewall

    Firewalls are not a solution. They're a small piece of a solution, but that's all. Firewalls segment networks, which is good because it reduces the scope of the attacks that have to be considered, but any good security design should assume that attackers will be able to get onto any network that has users.

    application sandboxing and/or streaming applications for all office applications

    Even better, move all applications to the web, so everything runs on central servers which are much easier to manage and secure than a fleet of personal computers. Give users Chromebooks or another thin client configuration and don't let them install software.

    improving intrusion detection

    IDS is good, but primarily for reducing the duration of an intrusion and trying to estimate the scope of the damage. IDS almost never reacts quickly enough to stop an intrusion.

    dynamic virus removal in real time

    Preventing the installation of viruses is far better than removing them.

    NOT training users not to download suspicious executables

    If the users can't install and run what they download, then it doesn't matter what they download.

    or engage in fantastic feats of memory regarding passwords.

    Totally. Most enterprise password policies are ridiculous. High-entropy passwords are neither necessary nor sufficient for securing systems. Multi-factor auth is more secure, and makes it possible to set reasonable password policies. Say, eight characters, alphanumeric, maybe require one non-alphanumeric symbol. Annual rotation is good, unless there is some reason to believe the password may have been compromised. Users can deal with that.

    Three-factor authentication is great, and not actually all that difficult. One factor is the password. Another is some sort of one-time password generator or, even better, a USB dongle that requires user activation (OTPs can be phished -- a user you can social engineer into giving you their password will also give you an OTP, in fact it's even easier to phish an OTP than a normal password). The third is a client-side digital certificate installed on the machine after verification that it complies with corporate security policies. Use Puppet or similar to not only keep the machine up to date, but identify if it gets out of date and if it does, revoke the certificate.

    Another crucial key to successful security is single sign-on. I can remember one moderately good password easily. Require me to know several and I'll have to write them down or reuse the same one everywhere. If I reuse the password we have none of the security benefits of multiple passwords and all of the password management headaches. So users should have one, strongly-secured, account that crosses all company systems. This is another benefit of web apps over local applications: You can secure all of your web apps behind a single set of authentication credentials by deploying them behind a reverse proxy server. That server handles authentication and provides a signed, time-limited user ID token to the systems it fronts.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
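The reverse-proxy SSO pattern described in the comment above, as an added example that is not code from the post or from any product: the proxy authenticates the user once and mints a signed, time-limited user ID token, and each fronted app only has to verify it. It assumes an HMAC-SHA256 key shared between the proxy and the apps (the comment does not specify a signing scheme) and a constructed demo key.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key. In a real deployment the proxy and every app it fronts
# share this key out of band (or the proxy signs with an asymmetric private key).
PROXY_KEY = b"demo-shared-key-not-for-production"


def _b64encode(raw: bytes) -> str:
    # URL-safe base64 without padding, so the token is safe in headers and cookies.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, key: bytes, now: int, ttl_seconds: int = 300) -> str:
    """Proxy side: after the user has authenticated, mint a short-lived token.

    The payload carries the subject, issue time and expiry; the signature covers
    the encoded payload so any change to the claims invalidates the token.
    """
    claims = {"sub": user_id, "iat": now, "exp": now + ttl_seconds}
    body = _b64encode(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64encode(sig)}"


def verify_token(token: str, key: bytes, now: int):
    """App side: return the user id if the token is authentic and unexpired, else None.

    Malformed tokens, bad signatures, wrong keys, not-yet-valid and expired tokens
    all return None, so the fronted app has exactly one accept path.
    """
    try:
        body, sig_text = token.split(".", 1)
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
        # Constant-time comparison: a plain == would leak timing information.
        if not hmac.compare_digest(expected, _b64decode(sig_text)):
            return None
        claims = json.loads(_b64decode(body))
        if not (claims["iat"] <= now < claims["exp"]):
            return None
        return claims["sub"]
    except (ValueError, KeyError, TypeError):
        return None


if __name__ == "__main__":
    now = int(time.time())
    token = issue_token("alice", PROXY_KEY, now)
    print("fresh token  ->", verify_token(token, PROXY_KEY, now + 60))
    print("after expiry ->", verify_token(token, PROXY_KEY, now + 600))
    print("wrong key    ->", verify_token(token, b"other-key", now + 60))
```

Because the app trusts the token only after checking the signature and the expiry window, a stolen token is useful for at most `ttl_seconds`, and a token altered to name another user fails the signature check.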
  15. Re:Experts know more than non-experts by thsths · · Score: 3, Interesting

    This is the key problem. Only experts are able to assess the risk of a password manager and use it appropriately. How can a normal user know whether a password manager is trustworthy? Do any of the big web sites recommend a trustworthy password manager?

    The only viable solution for a normal user is SSO. Logging in via Facebook, Google, Microsoft Live, that is the way forward. 3 accounts are easy to remember, and it would also be faster to detect suspicious activity. But does any bank offer SSO?

    No, of course not. In fact my bank requires me to remember 4 PINs, 3 passwords and one user ID. How idiotic is that?

  16. Re:Experts know more than non-experts by Anonymous Coward · · Score: 2, Insightful

    You want to trust your financial log-ins to Facebook, Google or Microsoft? Hope you keep most of your money stuffed in your mattress, it would certainly be safer there.

  17. Re:Non-experts are concerned about the update's co by Actually,+I+do+RTFA · · Score: 3, Insightful

    Sure they do. They tell non-experts to install updates. When's the last time you heard about someone's grandmother testing a patch?

    --
    Your ad here. Ask me how!