Educause Security Discussion mailing list archives

Re: Are users right in rejecting security advice?


From: "Mclaughlin, Kevin (mclaugkl)" <mclaugkl () UCMAIL UC EDU>
Date: Wed, 17 Mar 2010 08:54:47 -0400

I'll "pick" at just one item in the write up :-)

This made me smile just a bit:

"I now cringe when I hear the phrase "Best Practice" when applied to security -- I have come to believe that this means 
that the speaker can't be bothered (or lacks the expertise) to do any analysis and is simply trotting out something 
'safe'."  

Really?  They are considered best practices, common knowledge, the way to do things, (pick your semantic here), etc.  
because a lot of folks (smarter than I am, I bet) spent the time to analyze, research and come up with a best practice 
and that's how NIST, ISO, COBIT, etc. get produced.  Since most of the Information Security/Assurance best practices 
also allow for flexibility in design and deployment I have to ask why in the heck would a security professional not 
want to make use of them when making business decisions? (that is a rhetorical question but feel free to answer it 
anyways).  Of course if I didn't have to espouse or make reference to best practices I could create the world according 
to Kevin and that would be a most interesting place indeed heh heh heh (said evilly while rubbing hands together  :-)


-Kevin

Kevin L. McLaughlin,  CISM, CISSP, GIAC-GSLC, PMP, ITIL Master Certified
Assistant Vice President, Information Security & Special Projects
University of Cincinnati
513-556-9177

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Russell 
Fulton
Sent: Wednesday, March 17, 2010 4:18 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Are users right in rejecting security advice?

Sent via IronPort test setup.  Please report any oddities :)



On 17/03/2010, at 4:03 AM, Allison Dolan wrote:

A rather provocative column re: the cost/benefit of many pieces of security advice.  Some points worth considering 
when planning security awareness training...

http://blogs.techrepublic.com.com/security/?p=3275&tag=nl.e036


Good article, but like many such things it is a bit over the top and there is a danger that the real message will get lost 
in picking holes in the details.

There has recently been a discussion about password ageing on one of the Ren-ISAC lists.  The general consensus seems 
to be that there is value in getting users to change their passwords at, say, yearly intervals but as you increase the 
frequency the cost to the user escalates and eventually they will start writing the passwords down and sticking them to 
the screen and even before that happens the cost in terms of frustration is significant and may well outweigh any real 
security benefits.

I have been arguing with auditors for years over stuff like this where their check lists have items that are at best of 
dubious value and at worst downright dangerous.  

Part of my daily mantra is that "Security must work for the end user".  If it does not, then they will find ways around 
it and may well create far worse problems than the ones we were trying to fix.  What I mean by 'work' is that the extra 
effort involved must be seen as matched to the threat as perceived by the user.  If it isn't, you have two options: you 
can adopt a different strategy to mitigate the threat that has less impact on the user, or you can educate the user to 
change their perception of the threat.  Both are perfectly valid approaches.  

An example of this is the use of two factor authentication for sensitive applications (like approval of financial 
transactions).  Standard audit requirements seem to be to change passwords every 30 days, which has been shown to be hard 
on users and is ineffective at really mitigating the risks.  Requiring users to use some form of two factor 
authentication, which may involve no more than pressing a button on a USB device, is both much easier for the user and 
more secure.
So why don't we all do this?  Because 2fa is an identifiable and quantifiable cost that some part of the organisation 
has to pay, whereas getting users to change their passwords does not come out of anyone's budget.

Another example of this is that one of the things that password ageing is supposed to mitigate is that it disables 
unused accounts.  Again, this can be handled at some explicit expense to the organisation by making sure that unused 
accounts are disabled and that users' credentials are properly revoked when they leave.  Forcing *all* users to change 
passwords frequently because you can't do basic housekeeping is IMHO a cop out.

Related to this is the issue of "Best Practice".

I now cringe when I hear the phrase "Best Practice" when applied to security -- I have come to believe that this means 
that the speaker can't be bothered (or lacks the expertise) to do any analysis and is simply trotting out something 
'safe'.  I would feel much more comfortable if they described it as "acceptable" or "standard" practice.  That then 
suggests that it may be worth looking further.  But if you are implementing "best practice", then this implicitly 
precludes doing anything else.   In higher ed we are faced with a somewhat different threat scenario to that of most 
businesses, and we also operate under constraints of scale, openness and budget that most businesses (or auditors) have no 
concept of.  What is sane and sensible in our environment may be either hideously lax or overkill for a business and 
vice versa.

Russell
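The account housekeeping Russell argues for (disable dormant or never-used accounts, revoke access on the HR separation date) as an added illustration, not code from the thread or from any list member; the account records, the 90-day dormancy window and the field names are constructed assumptions:

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    """Constructed record joining directory data (last logon) with HR data (separation)."""
    username: str
    created_on: date
    last_login: Optional[date]      # None means the account has never been used
    separated_on: Optional[date]    # None means still employed


DORMANCY_DAYS = 90  # assumed policy window, not from the thread


def should_disable(acct: Account, today: date,
                   dormancy_days: int = DORMANCY_DAYS) -> Tuple[bool, str]:
    """Decide whether an account should be disabled and why.

    Separation takes priority over recent activity: a leaver who logged in
    yesterday is still revoked on their separation date.
    """
    if acct.separated_on is not None and acct.separated_on <= today:
        return True, "separated"
    if acct.last_login is None:
        # Never used: judge dormancy from the creation date instead
        if (today - acct.created_on).days > dormancy_days:
            return True, "never-used"
        return False, "active"
    if (today - acct.last_login).days > dormancy_days:
        return True, "dormant"
    return False, "active"


def housekeeping_report(accounts: List[Account], today: date,
                        dormancy_days: int = DORMANCY_DAYS) -> Dict[str, str]:
    """Map each account that needs disabling to the reason; active accounts are omitted."""
    report = {}
    for acct in accounts:
        disable, reason = should_disable(acct, today, dormancy_days)
        if disable:
            report[acct.username] = reason
    return report


# Constructed sample population (hypothetical users and dates)
TODAY = date(2010, 3, 17)
SAMPLE_ACCOUNTS = [
    Account("alice", TODAY - timedelta(days=400), TODAY - timedelta(days=3), None),
    Account("bob", TODAY - timedelta(days=400), TODAY - timedelta(days=120), None),
    Account("carol", TODAY - timedelta(days=400), TODAY - timedelta(days=1), TODAY - timedelta(days=2)),
    Account("dave", TODAY - timedelta(days=200), None, None),
    Account("erin", TODAY - timedelta(days=400), TODAY - timedelta(days=5), TODAY + timedelta(days=30)),
]
```

Running `housekeeping_report(SAMPLE_ACCOUNTS, TODAY)` flags bob (dormant), carol (separated) and dave (never-used) while leaving alice and erin, whose separation date is still in the future, untouched.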
