Educause Security Discussion mailing list archives

Re: Are users right in rejecting security advice?


From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Wed, 17 Mar 2010 21:18:08 +1300

sent via Iron port test set up.  Please report any oddities :)



On 17/03/2010, at 4:03 AM, Allison Dolan wrote:

A rather provocative column re: the cost/benefit of many pieces of security advice.  Some points worth considering 
when planning security awareness training...

http://blogs.techrepublic.com.com/security/?p=3275&tag=nl.e036


Good article but like many such things it is a bit over the top and there is a danger that the real message will get lost 
in picking holes in the details.

There has recently been a discussion about password ageing on one of the Ren-ISAC lists.  The general consensus seems 
to be that there is value in getting users to change their passwords at, say, yearly intervals but as you increase the 
frequency the cost to the user escalates and eventually they will start writing the passwords down and sticking them to 
the screen and even before that happens the cost in terms of frustration is significant and may well outweigh any real 
security benefits.

I have been arguing with auditors for years over stuff like this where their checklists have items that are at best of 
dubious value and at worst downright dangerous.

Part of my daily mantra is that "Security must work for the end user".  If it does not then they will find ways around 
it and may well create far worse problems than the ones we were trying to fix.  What I mean by 'work' is that the extra 
effort involved must be seen as matched to the threat as perceived by the user.  If it isn't you have two options: you 
can adopt a different strategy to mitigate the threat that has less impact on the user, or you can educate the user to 
change their perception of the threat.  Both are perfectly valid approaches.

An example of this is the use of two factor authentication for sensitive applications (like approval of financial 
transactions).  Standard audit requirements seem to be to change passwords every 30 days, which has been shown to be hard 
on users and is ineffective at really mitigating the risks.  Requiring users to use some form of two factor 
authentication, which may involve no more than pressing a button on a USB device, is both much easier for the user and 
more secure.

So why don't we all do this?  Because 2fa is an identifiable and quantifiable cost that some part of the organisation 
has to pay, whereas getting users to change their passwords does not come out of anyone's budget.

Another example of this is that one of the things that password ageing is supposed to mitigate is that it disables 
unused accounts.  Again this can be handled at some explicit expense to the organisation by making sure that unused 
accounts are disabled and that users' credentials are properly revoked when they leave.  Forcing *all* users to change 
passwords frequently because you can't do basic housekeeping is IMHO a cop out.

Related to this is the issue of "Best Practice".

I now cringe when I hear the phrase "Best Practice" when applied to security -- I have come to believe that this means 
that the speaker can't be bothered (or lacks the expertise) to do any analysis and is simply trotting out something 
'safe'.  I would feel much more comfortable if they described it as "acceptable" or "standard" practice.  That then 
suggests that it may be worth looking further.  But if you are implementing "best practice" then this implicitly 
precludes doing anything else.  In higher ed we are faced with a somewhat different threat scenario to that of most 
businesses and we also operate under constraints of scale, openness and budget that most businesses (or auditors) have no 
concept of.  What is sane and sensible in our environment may be either hideously lax or overkill for a business and 
vice versa.

Russell
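The "basic housekeeping" Russell refers to (disabling unused accounts and revoking credentials when people leave) is the kind of control that can replace blanket password ageing. The following is an added example, not code from the thread or from any product mentioned in it: it takes a list of accounts with creation date, last login and an HR departure date, and reports which enabled accounts should be disabled and why. The 180-day inactivity threshold and the sample accounts are constructed assumptions; a never-used account is measured from its creation date so a freshly provisioned account is not flagged on day one.

```python
"""Added example: flag accounts that should be disabled based on inactivity
and HR departure data, instead of forcing everyone to rotate passwords.
All thresholds and sample records below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Assumed local policy: an account unused for this long is considered stale.
INACTIVITY_THRESHOLD = timedelta(days=180)


@dataclass
class Account:
    username: str
    created: datetime
    last_login: Optional[datetime]       # None = never logged in
    departure_date: Optional[datetime]   # from the HR feed; None = still employed
    enabled: bool = True


def disable_reason(acct: Account, now: datetime) -> Optional[str]:
    """Return why this account should be disabled, or None if it may stay active.

    Departure takes precedence over activity: a leaver who logged in yesterday
    is still revoked, which is the "properly revoked when they leave" case.
    """
    if not acct.enabled:
        return None  # already disabled; nothing to do
    if acct.departure_date is not None and acct.departure_date <= now:
        return "departed"
    # Never-used accounts are measured from creation so new hires get a grace period.
    reference = acct.last_login if acct.last_login is not None else acct.created
    if now - reference > INACTIVITY_THRESHOLD:
        return "inactive"
    return None


def accounts_to_disable(accounts: List[Account], now: datetime) -> List[Tuple[str, str]]:
    """Run the check over an account list; returns (username, reason) pairs."""
    findings = []
    for acct in accounts:
        reason = disable_reason(acct, now)
        if reason is not None:
            findings.append((acct.username, reason))
    return findings


# Constructed sample data, evaluated at a fixed "now" so results are reproducible.
NOW = datetime(2010, 3, 17, tzinfo=timezone.utc)
_d = lambda y, m, d: datetime(y, m, d, tzinfo=timezone.utc)

SAMPLE_ACCOUNTS = [
    Account("alice", _d(2008, 1, 1), _d(2010, 3, 10), None),            # active, keep
    Account("bob",   _d(2008, 1, 1), _d(2009, 6, 1),  None),            # stale login
    Account("carol", _d(2008, 1, 1), _d(2010, 3, 1),  _d(2010, 2, 28)), # left, still logging in
    Account("dave",  _d(2010, 3, 1), None,            None),            # new, never used yet
    Account("erin",  _d(2008, 1, 1), _d(2009, 1, 1),  None, enabled=False),  # already disabled
    Account("frank", _d(2009, 1, 1), None,            None),            # provisioned, never used
]

if __name__ == "__main__":
    for user, reason in accounts_to_disable(SAMPLE_ACCOUNTS, NOW):
        print(f"disable {user}: {reason}")
```

Run against a real directory export this would be fed by the identity system and the HR feed; the point of the example is that the decision is per account and evidence based, so only the handful of genuinely unused or departed accounts are touched rather than every user's password.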
