Security Without Idiocy, Part 2
Second in a series. The first part is here.
I'm not a security consultant. Far from it. Much of what I know about security comes from books and magazine articles. When I want to know more about security, I read Bruce Schneier's writings, such as this blog article.
However, when we think that security is suddenly different once we are talking about computers and networks, we are being foolish. We already know what it takes to be acceptably secure in real life. Why would we think that IT security would be much different?
When I was in junior high, I had a combination lock with the three numbers and the "turn all the way past zero to the number" method of opening it. It took too long to get the lock unlocked in the crowded halls between classes, so I could either lug all my stuff with me all day or find a faster way to unlock the combination lock.
My solution was to go ahead and dial in the first two numbers and then set it at zero, so that I could quickly turn to the third number. Before the school year ended, someone else had discovered my secret.
After that, I discovered that it was better to be slightly late to a class than it was to suddenly have all your gym clothes, school supplies, and even some of your textbooks stolen. That is, shortcuts are not always acceptable if they increase the likelihood of an unacceptable cost.
I was in high school when I first saw a new kind of lock, based upon a magnetic code in a rectangular piece of metal that was placed against the lock in a particular location. Over the years, there have been numerous new locking devices invented, and with each one, people have found ways to defeat them.
Even without getting into the history of military weaponry and armor, it is still clear to anyone who cares to look that any time there is a new and effective defense, work immediately commences on finding ways to overcome it. Likewise, any new and effective offense spurs opponents and potential opponents to seek ways to defeat it.
When Ug and Og stood 20 paces apart and threw rocks at one another, one of them recognized that he could hold something up in front of him so that his opponent's ballistic projectiles would be less likely to strike him and hurt him. It is likely that the other one then tried throwing two rocks at once or perhaps running up to his opponent and striking him with the rock or maybe even imitating his opponent's tactic, evening out his advantage.
Thus, you should not expect any particular tool or tactic to remain effective over a long period of time. Just as con artists develop new ways to hook victims as people learn to avoid the old ways, in any sphere of endeavor, your opponents will seek to alter their approaches in order to gain advantage. It should be expected, just as invaders led to walled cities, which led to catapults and siege engines, which led to moats and castles, which led to ….
Just as it is effective to give people realistic facts about potential dangers they may face in this life and tactics that may be used if such a situation arises, it is likewise effective to do the same in the computer and network world. I disagree with those who think that we should teach users to push all their security concerns onto someone else. Instead, we need to help users to accurately understand what behaviors are more likely to lead to undesirable results.
The most insecure part of a system is its users. It is sheer idiocy to think that putting all security-related concerns in the hands of "experts" will fix the problem. Instead, involve users in the process of protecting the system against malicious activity. Explain to them how unsecured computers on high-speed connections are taken over to spew out spam and how they can help avoid becoming an unknowing part of the problem. This includes explaining that what worked last year may not be good enough this year, as new attacks and countermeasures are continually being developed.