Educause Security Discussion mailing list archives
Re: Are users right in rejecting security advice?
From: "Mclaughlin, Kevin (mclaugkl)" <mclaugkl () UCMAIL UC EDU>
Date: Wed, 17 Mar 2010 08:54:47 -0400
I'll "pick" at just one item in the write up :-) This made me smile just a bit:

"I now cringe when I hear the phrase "Best Practice" when applied to security -- I have come to believe that this means that the speaker can't be bothered (or lacks the expertise) to do any analysis and is simply trotting out something 'safe'."

Really? They are considered best practices, common knowledge, the way to do things (pick your semantic here), etc. because a lot of folks (smarter than I am, I bet) spent the time to analyze, research and come up with a best practice, and that's how NIST, ISO, COBIT, etc. get produced. Since most of the Information Security/Assurance best practices also allow for flexibility in design and deployment, I have to ask why in the heck would a security professional not want to make use of them when making business decisions? (That is a rhetorical question, but feel free to answer it anyway.)

Of course, if I didn't have to espouse or make reference to best practices I could create the world according to Kevin, and that would be a most interesting place indeed, heh heh heh (said evilly while rubbing hands together :-)

-Kevin

Kevin L. McLaughlin, CISM, CISSP, GIAC-GSLC, PMP, ITIL Master Certified
Assistant Vice President, Information Security & Special Projects
University of Cincinnati
513-556-9177
-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Russell Fulton
Sent: Wednesday, March 17, 2010 4:18 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Are users right in rejecting security advice?

Sent via IronPort test setup. Please report any oddities :)

On 17/03/2010, at 4:03 AM, Allison Dolan wrote:
A rather provocative column re: the cost/benefit of many pieces of security advice. Some points worth considering when planning security awareness training... http://blogs.techrepublic.com.com/security/?p=3275&tag=nl.e036
Good article, but like many such things it is a bit over the top and there is a danger that the real message will get lost in picking holes in the details.

There has recently been a discussion about password ageing on one of the REN-ISAC lists. The general consensus seems to be that there is value in getting users to change their passwords at, say, yearly intervals, but as you increase the frequency the cost to the user escalates and eventually they will start writing the passwords down and sticking them to the screen; even before that happens the cost in terms of frustration is significant and may well outweigh any real security benefits.

I have been arguing with auditors for years over stuff like this, where their checklists have items that are at best of dubious value and at worst downright dangerous. Part of my daily mantra is that "Security must work for the end user". If it does not then they will find ways around it and may well create far worse problems than the ones we were trying to fix. What I mean by 'work' is that the extra effort involved must be seen as matched to the threat as perceived by the user. If it isn't you have two options: you can adopt a different strategy to mitigate the threat that has less impact on the user, or you can educate the user to change their perception of the threat. Both are perfectly valid approaches.

An example of this is the use of two factor authentication for sensitive applications (like approval of financial transactions). Standard audit requirements seem to be to change passwords every 30 days, which has been shown to be hard on users and is ineffective at really mitigating the risks. Requiring users to use some form of two factor authentication, which may involve no more than pressing a button on a USB device, is both much easier for the user and more secure. So why don't we all do this?

Because 2FA is an identifiable and quantifiable cost that some part of the organisation has to pay, whereas getting users to change their passwords does not come out of anyone's budget.

Another example of this is that one of the things that password ageing is supposed to mitigate is that it disables unused accounts. Again, this can be handled at some explicit expense to the organisation by making sure that unused accounts are disabled and that users' credentials are properly revoked when they leave. Forcing *all* users to change passwords frequently because you can't do basic housekeeping is IMHO a cop out.

Related to this is the issue of "Best Practice". I now cringe when I hear the phrase "Best Practice" when applied to security -- I have come to believe that this means that the speaker can't be bothered (or lacks the expertise) to do any analysis and is simply trotting out something 'safe'. I would feel much more comfortable if they described it as "acceptable" or "standard" practice. That then suggests that it may be worth looking further. But if you are implementing "best practice" then this implicitly precludes doing anything else.

In higher ed we are faced with a somewhat different threat scenario to that of most businesses, and we also operate under constraints of scale, openness and budget that most businesses (or auditors) have no concept of. What is sane and sensible in our environment may be either hideously lax or overkill for a business, and vice versa.

Russell
Current thread:
- Are users right in rejecting security advice? Allison Dolan (Mar 16)
- <Possible follow-ups>
- Re: Are users right in rejecting security advice? Mclaughlin, Kevin (mclaugkl) (Mar 16)
- Re: Are users right in rejecting security advice? Stanclift, Michael (Mar 16)
- Re: Are users right in rejecting security advice? Allison Dolan (Mar 16)
- Re: Are users right in rejecting security advice? Russell Fulton (Mar 17)
- Re: Are users right in rejecting security advice? Valdis Kletnieks (Mar 17)
- Re: Are users right in rejecting security advice? Allison Dolan (Mar 17)
- Re: Are users right in rejecting security advice? Mclaughlin, Kevin (mclaugkl) (Mar 17)
- Re: Are users right in rejecting security advice? Valdis Kletnieks (Mar 17)
- Re: Are users right in rejecting security advice? Vik Solem (Mar 17)
- Re: Are users right in rejecting security advice? Mclaughlin, Kevin (mclaugkl) (Mar 17)
- Re: Are users right in rejecting security advice? Joe St Sauver (Mar 17)
- Re: Are users right in rejecting security advice? Perloff, Jim (Mar 17)
- Re: Are users right in rejecting security advice? Brad Judy (Mar 17)
- Re: Are users right in rejecting security advice? David Escalante (Mar 17)
- Re: Are users right in rejecting security advice? Mclaughlin, Kevin (mclaugkl) (Mar 17)
- Re: Are users right in rejecting security advice? Michael Van Norman (Mar 17)
- Re: Are users right in rejecting security advice? Basgen, Brian (Mar 17)
(Thread continues...)