Educause Security Discussion mailing list archives
Re: Are users right in rejecting security advice?
From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Wed, 17 Mar 2010 21:18:08 +1300
sent via Iron port test set up. Please report any oddities :)

On 17/03/2010, at 4:03 AM, Allison Dolan wrote:

> A rather provocative column re: the cost/benefit of many pieces of security advice. Some points worth considering when planning security awareness training... http://blogs.techrepublic.com.com/security/?p=3275&tag=nl.e036
Good article, but like many such things it is a bit over the top and there is a danger that the real message will get lost in picking holes in the details.

There has recently been a discussion about password ageing on one of the Ren-ISAC lists. The general consensus seems to be that there is value in getting users to change their passwords at, say, yearly intervals, but as you increase the frequency the cost to the user escalates and eventually they will start writing the passwords down and sticking them to the screen, and even before that happens the cost in terms of frustration is significant and may well outweigh any real security benefits.

I have been arguing with auditors for years over stuff like this, where their check lists have items that are at best of dubious value and at worst downright dangerous.

Part of my daily mantra is that "Security must work for the end user". If it does not then they will find ways around it and may well create far worse problems than the ones we were trying to fix. What I mean by 'work' is that the extra effort involved must be seen as matched to the threat as perceived by the user. If it isn't you have two options: you can adopt a different strategy to mitigate the threat that has less impact on the user, or you can educate the user to change their perception of the threat. Both are perfectly valid approaches.

An example of this is the use of two factor authentication for sensitive applications (like approval of financial transactions). Standard audit requirements seem to be to change passwords every 30 days, which has been shown to be hard on users and is ineffective at really mitigating the risks. Requiring users to use some form of two factor authentication, which may involve no more than pressing a button on a USB device, is both much easier for the user and more secure. So why don't we all do this?

Because 2fa is an identifiable and quantifiable cost that some part of the organisation has to pay, whereas getting users to change their passwords does not come out of anyone's budget.

Another example of this is that one of the things that password ageing is supposed to mitigate is that it disables unused accounts. Again this can be handled at some explicit expense to the organisation by making sure that unused accounts are disabled and that users' credentials are properly revoked when they leave. Forcing *all* users to change passwords frequently because you can't do basic housekeeping is IMHO a cop out.

Related to this is the issue of "Best Practice". I now cringe when I hear the phrase "Best Practice" when applied to security -- I have come to believe that this means that the speaker can't be bothered (or lacks the expertise) to do any analysis and is simply trotting out something 'safe'. I would feel much more comfortable if they described it as "acceptable" or "standard" practice. That then suggests that it may be worth looking further. But if you are implementing "best practice" then this implicitly precludes doing anything else.

In higher ed we are faced with a somewhat different threat scenario to that of most businesses, and we also operate under constraints of scale, openness and budget that most businesses (or auditors) have no concept of. What is sane and sensible in our environment may be either hideously lax or overkill for a business, and vice versa.

Russell
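The "basic housekeeping" Russell describes as the alternative to blanket password ageing (disabling unused accounts and revoking credentials of people who have left) is easy to automate from a directory export. The following is an added illustration, not code from the list post or from any of the institutions mentioned: it flags enabled accounts with no login in a configurable period and enabled accounts whose owner has a recorded leaving date, and produces an action list for the admin. The account records are constructed sample data, and the field names (username, last_login, left_on, enabled) and the 365-day idle threshold are assumptions.

```python
"""Stale-account housekeeping check (added example, not from the original post).

Flags accounts to disable instead of forcing every user to rotate passwords:
  * enabled accounts idle longer than max_idle_days (or never used), and
  * enabled accounts whose owner has already left the organisation.
The record layout and the sample data below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Account:
    username: str
    last_login: Optional[date]   # None means the account has never been used
    left_on: Optional[date]      # date the owner left, if HR has recorded one
    enabled: bool = True


def find_stale_accounts(accounts: List[Account], today: date,
                        max_idle_days: int = 365) -> List[str]:
    """Enabled accounts with no login in the last max_idle_days (or ever)."""
    cutoff = today - timedelta(days=max_idle_days)
    stale = [a.username for a in accounts
             if a.enabled and (a.last_login is None or a.last_login < cutoff)]
    return sorted(stale)


def find_departed_accounts(accounts: List[Account], today: date) -> List[str]:
    """Enabled accounts whose owner's leaving date is today or earlier."""
    return sorted(a.username for a in accounts
                  if a.enabled and a.left_on is not None and a.left_on <= today)


def housekeeping_report(accounts: List[Account], today: date,
                        max_idle_days: int = 365) -> Dict[str, str]:
    """Map each account needing action to the reason; departure outranks idleness."""
    actions: Dict[str, str] = {}
    for user in find_departed_accounts(accounts, today):
        actions[user] = "owner has left: disable account and revoke credentials"
    for user in find_stale_accounts(accounts, today, max_idle_days):
        actions.setdefault(
            user, f"no login in {max_idle_days} days: disable pending review")
    return actions


# Constructed sample directory extract (not real accounts); "as of" date chosen
# to match the date of the post.
AS_OF = date(2010, 3, 17)
SAMPLE_ACCOUNTS = [
    Account("alice", date(2010, 3, 10), None),                 # active, keep
    Account("bob", date(2008, 11, 2), None),                   # idle > 1 year
    Account("carol", date(2010, 2, 1), date(2010, 2, 28)),     # recently left
    Account("dave", None, None),                               # never used
    Account("erin", date(2005, 1, 1), None, enabled=False),    # already disabled
]

if __name__ == "__main__":
    for user, reason in housekeeping_report(SAMPLE_ACCOUNTS, AS_OF).items():
        print(f"{user}: {reason}")
```

Run against a real export, the report is the review list an identity team would work through; the idle threshold is deliberately a parameter so the yearly figure the thread converged on can be tuned per account class rather than applied as a single rule to everyone.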
Current thread:
- Are users right in rejecting security advice? Allison Dolan (Mar 16)
- <Possible follow-ups>
- Re: Are users right in rejecting security advice? Mclaughlin, Kevin (mclaugkl) (Mar 16)
- Re: Are users right in rejecting security advice? Stanclift, Michael (Mar 16)
- Re: Are users right in rejecting security advice? Allison Dolan (Mar 16)
- Re: Are users right in rejecting security advice? Russell Fulton (Mar 17)
- Re: Are users right in rejecting security advice? Valdis Kletnieks (Mar 17)
- Re: Are users right in rejecting security advice? Allison Dolan (Mar 17)
- Re: Are users right in rejecting security advice? Mclaughlin, Kevin (mclaugkl) (Mar 17)
- Re: Are users right in rejecting security advice? Valdis Kletnieks (Mar 17)
- Re: Are users right in rejecting security advice? Vik Solem (Mar 17)
- Re: Are users right in rejecting security advice? Mclaughlin, Kevin (mclaugkl) (Mar 17)
- Re: Are users right in rejecting security advice? Joe St Sauver (Mar 17)
- Re: Are users right in rejecting security advice? Perloff, Jim (Mar 17)
- Re: Are users right in rejecting security advice? Brad Judy (Mar 17)
- Re: Are users right in rejecting security advice? David Escalante (Mar 17)
(Thread continues...)