Tuesday, February 28, 2012

Don't bar the windows and pass around the keys

It’s amazing that, after decades of the internet being around, there is still no single grand way to keep information safe. People are the single greatest threat to information security, and because of this no one can ever guarantee with 100% certainty that information is safe. I bring up past decades because, after reading The Cuckoo’s Egg by Clifford Stoll, a book about hacking in the late 80’s and early 90’s, I saw that even back then it was people who allowed information leaks. When you think of a stereotypical hacker, you might envision the cast of Sneakers, Hugh Jackman, or a much younger, more innocent Angelina Jolie. You might think of people who seem to flawlessly navigate their way past firewalls, systems, networks, and encryption. Based on the true account of Cliff Stoll (a systems manager at Berkeley in 1989), and even on current news, this was rarely the case. I’ve heard it called the “sticky note” problem: people use, or are assigned, strange passwords and usernames, and in order to remember them they put a sticky note next to the computer. In Cliff Stoll’s case, he watched people on his system saving their passwords in their files or sending them in emails. In other words, the key to a secure place was being stored in a relatively public place. Finding these keys is by far the easiest and most common way for hackers to access protected information.

We are all caught in the balance between security and convenience. I hate, for example, that Chase makes me type in my password every time I want to check my account balance on my phone. However, that keeps my information safe from anyone stealing my phone and transferring money to their own account. Human nature has changed far more slowly than technology has since 1989. We can use all the firewalls and extra security measures we want, but ultimately it is human error that will most likely undo efforts to protect data. Using common passwords, storing passwords, sharing passwords, or using the same password for banking as you do for your shared wireless network are just some examples of how, through thoughtlessness, malicious people gain access to places they shouldn’t. Before you invest in new software or systems to protect data, make sure that you, and whoever you want to have access, are as careful about behavior and practices as you are with your homes; i.e., don’t lock the door and leave the keys on the porch.

2 comments:

  1. I wonder if there is a way to mitigate the damage caused by human error? In your example with Chase mobile, perhaps the app could remember your password but not allow you to transfer money from the mobile app. That increases convenience by remembering the password but also improves security. A thief would only be able to see your balance, and not be able to alter it.

  2. Security smarty-pants man Bruce Schneier talks about building attack trees when analyzing threats to a system. The root of the tree is the end goal, usually to gain access to some secured resource. Each child is a more specific way to do that. One might be "computational attacks", another might be "physical access", and another might be "obtain a password." The nodes are further split apart with more and more specific children, and each node is assigned a cost, with the cheapest cost bubbling up to the parent node. You can then look at each node, and figure out where you are most vulnerable. See http://www.schneier.com/paper-attacktrees-ddj-ft.html for more info.

    The main idea is that security encompasses all parts of a system, not just the cryptographic protocols. It is often much easier to use social engineering to discover someone's password than pull off some crazy hack or Mission Impossible operation.

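The cost roll-up the second comment describes, as an added example that is not from the post, the commenter, or Schneier's paper: OR nodes take the cheapest child, AND nodes sum their children, and re-running the roll-up after raising one leaf's cost shows which branch becomes the weakest next. The tree, node names and cost figures are constructed for illustration.

```python
import copy
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Node:
    name: str
    kind: str = "leaf"       # "leaf", "or" (any child suffices) or "and" (all children needed)
    cost: float = 0.0        # attacker effort; only used on leaves
    children: List["Node"] = field(default_factory=list)


def cheapest(node: Node) -> Tuple[float, List[str]]:
    """Cost of the cheapest way to reach `node`, plus the node names on that route."""
    if node.kind == "leaf":
        return node.cost, [node.name]
    subtrees = [cheapest(c) for c in node.children]
    if node.kind == "or":                       # the cheapest child bubbles up
        cost, path = min(subtrees, key=lambda t: t[0])
        return cost, [node.name] + path
    if node.kind == "and":                      # every child must be completed
        return sum(c for c, _ in subtrees), [node.name] + [n for _, p in subtrees for n in p]
    raise ValueError(f"unknown node kind {node.kind!r}")


def after_mitigation(tree: Node, leaf: str, new_cost: float) -> Tuple[float, List[str]]:
    """Re-run the roll-up as if a control had raised the cost of `leaf` to `new_cost`."""
    fixed = copy.deepcopy(tree)                 # leave the original tree untouched
    stack = [fixed]
    while stack:
        n = stack.pop()
        if n.kind == "leaf" and n.name == leaf:
            n.cost = new_cost
        stack.extend(n.children)
    return cheapest(fixed)


# Constructed tree using the three branches named in the comment; costs are
# made-up effort units, not measured values.
TREE = Node("read the account", "or", children=[
    Node("computational attack", "or", children=[
        Node("brute-force the password", cost=100),
        Node("break the encryption", cost=10_000),
    ]),
    Node("physical access", "and", children=[
        Node("get into the office", cost=40),
        Node("read the sticky note", cost=1),
    ]),
    Node("obtain a password", "or", children=[
        Node("password saved in a file or e-mail", cost=5),
        Node("password reused from another site", cost=20),
    ]),
])
```

Running `cheapest(TREE)` points at the saved-password leaf as the weakest spot; `after_mitigation(TREE, "password saved in a file or e-mail", 500)` shows that password reuse becomes the next cheapest route, so it is the next place to spend effort.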