BreachExchange mailing list archives

The love/hate relationship with security
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 2 Sep 2015 17:41:53 -0600

http://www.itproportal.com/2015/09/02/the-lovehate-relationship-with-security/

For real estate professionals, the common mantra is location, location,
location. For IT professionals, it’s security, security, security. Computer
users, ranging from barely-computer-literate pensioners to IT
professionals, all want more of it.

Businesses and individuals spend millions of dollars every year on security
products and services such as firewalls, anti-virus and anti-malware
software. We want it, but we also hate it.

In the corporate environment, users look for ways to circumvent the
company’s security policies. Home users turn off default security features
immediately after getting a new device or installing a new OS. Even
security professionals hate security. So why do we all harbor so much
dislike for something we need so much?

This love/hate relationship stems from the very nature of security. It
exists on a continuum, with absolute security at one end and absolute
convenience at the other. When you have more of one, you have less of the
other. Lazy creatures that human beings tend to be, we usually prefer
convenience to security – that is, until we become the victims of a
security breach. Then suddenly, security is our new best friend – again.

Nobody likes jumping through hoops, and that’s frequently what we have to
do for the sake of security. Who has never forgotten a password or PIN, or
left a smart card at home? All too frequently, we find ourselves locked out
of our own accounts or unable to access the files that we need and are
authorised to use. We find ourselves blocked from a site we need to visit
or we don’t get an email message that we should have received because our
security systems incorrectly identify them as dangerous (“false positives”).

Let’s face it: security is difficult to get right. Misconfigured firewalls,
too-aggressive spam filters or anti-virus programmes that conflict with our
legitimate software programmes can make security seem more like a constant
source of frustration rather than a safety net.

Security makes for more work, both for administrators and for end-users.
The latter have to keep up with dozens of different passwords for different
purposes, then just about the time you have them all memorised, the
security system tells you it’s time to change your password, again. And it
has to be at least 12 characters. And it must be a mix of upper and lower
case alpha and numeric characters with at least one symbol. By the time you
finally figure out a new password that the system will accept, it’s one
that you’ll never remember, so what do you do? Write it down – thus
negating the whole point of a secure password.

The problem with security is that many see it as ineffective. For instance,
some websites require that you answer “security questions” but the question
choices are all things that someone could easily find out with a little
research, such as your mother’s maiden name or where you went to elementary
school. These will keep out the casual random hacker but not anyone who is
specifically targeting you. As with the mandate to remove your shoes at the
airport, people hate security measures that inconvenience them without
providing any real protection.

But a little convenience isn’t the only thing that ends up being sacrificed
on the altar of the security gods. Security is also the antithesis of
performance. It makes sense that security mechanisms are bound to slow down
your systems. Checking ACLs to make sure you have the correct permissions,
encrypting and decrypting data, running malware scans on programs and files
before opening them – all of these actions take up time and resources.

Security is also a demanding taskmaster. Because hackers and attackers are
industrious, always coming up with new and better ways to infiltrate
networks and computers, always ferreting out previously unknown
vulnerabilities in our operating systems, applications and protocols, we
can’t just install a good security system and set it and forget it, as we
might do with a home alarm system. Instead, we have to be constantly
installing new virus and malware definitions and new patches to fix the
flaws in code that the bad guys can exploit.

Finally, security is expensive. Chances are most users will buy at least a
few security products – anti-virus programs, perhaps a personal firewall.
Business organisations spend millions on security in the form of edge
devices, perimeter networks (DMZs) to isolate Internet-facing computers
from internal systems, security monitoring systems, smart card readers or
biometric scanners, and on-staff IT security personnel and/or security
consultants, not to mention security awareness training for employees. It
adds up fast.

But today we live in an era where security isn’t an option; it’s a must. As
much as we hate security, we love what it does for us. Without it, we would
experience frequent system crashes from malware, viruses and various
attacks. We would often be unable to access the Internet at all, because of
denial of service attacks. We would constantly be at risk of having our
credit card and bank account information, social security numbers and other
identifiers stolen and used for identity theft or fraud. We wouldn’t be
able to keep our sensitive data such as tax returns, brokerage statements,
medical records, or personal journals/diaries on our computers without
having them exposed to the world.

As high profile security breaches become more frequent, we can expect more
and more security measures to be implemented by organisations in
self-defense. What hardware and software vendors need to do is focus on
ways to increase security that will be easy to deploy for admins and
seamlessly integrated for users. To an extent, this is happening. More
software development is following the “secure by design” philosophy and
building in security from the ground up. That means fewer third party
add-ons have to be installed and configured and maintained.

User education is another key. No matter how well your systems enforce
password complexity requirements, they’re meaningless if users reveal those
complex passwords to others either by carelessly writing them down or when
tricked by social engineers. Making users fully understand the reasons
behind the various security measures can go a long way toward getting them
to take security more seriously.

Future technologies promise to make security much more palatable to admins
and users, via advanced biometric authentication techniques, faster
processing to ameliorate the performance hits, and “polymorphic” security
that can change and adapt automatically in much the same way polymorphic
malware mutates to avoid detection.

We’re a long way from that utopian secure future, though. In the meantime,
it’s time for us to sit down and come to terms with security. Security
might not ever be your best friend, and you don’t have to like it. What you
have to do is learn to live with it, because it’s always going to be a part
of computing.

We need to stop looking for ways around it, stop complaining about it,
acknowledge its importance, and get on with business.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/