Wednesday, April 20, 2016

Need Security Awareness? You're doomed!

Let me start with a blunt message: "If you need user awareness to be secure, then you are doomed in the first place!". And let me elaborate on that one. Often you see, read and hear about how crucial security awareness among people is towards the fact of being secure. But recently I had a thought that I want to share with you. My thought was that if we need awareness in order to let security work, then the security controls are not organic enough in order to function properly. And very likely, they are also not ubiquitous.

Image source: F.U.D. - Fear, Uncertainty and Doubt (funny blog!)

And then I have read a couple of days later this post on the Google Security Blog: Android Security 2015 Annual Report (the full report can be found here). Among many things, one got my attention specifically, and that was the fact about the use of fingerprints.

Starting with version 6.0, Android supports fingerprint scanners. This allows applications to use biometrics for authentication, reducing the number of times a user needs to enter their password or unlock pattern, thus decreasing friction around lockscreen use. Lockscreen use is higher on devices with a fingerprint scanner. For example, 55.8% of Nexus 5 and 6 devices (which have no fingerprint scanner) have a lockscreen, compared to 91.5% on fingerprint-enabled Nexus 5X and 6P devices. We are seeing an increase in lockscreen usage for other Android devices that provide fingerprint scanner support.

Somehow, when there is an improvement on how the security works, the use of it increases. And this supported my thoughts on this matter. Because fingerprint is easier to use, relatively speaking just as safe as a pin, devices are more often secured from unauthorized access.

Let's take a look at an analogy of the physical world. There are many threats towards the physical world. There is the threat of terrorism, but also non-friendly states invading your own country. When you would give the same advice in the physical world as in the cyber world, then the following would happen.

You would give advice to install metal-detectors at one's home, anti-aircraft machinery, a couple of drones to strike down enemy combatants, and of course a radar to check for incoming aircraft. Besides the fact that it is expensive stuff, you do not want to give such responsibilities to civilians. This because of the threat and the impact of such threat and its countermeasures are too big to handle on an individually basis.

When the threat is small though, security measures are sensible. Think about a lock to lock your door and an alarm for burglary, smoke and fire detection. But the reason why these systems work, is because they are friction-less. There is no friction in the use of such security features and therefore they are used. Everyone is on auto-pilot locking and unlocking their home. And one does not even have to think about the alarm, it just works and at 'worst', a pin needs to be remembered to disable the alarm.

Back to the Cyber World. When you say to your employees that it is also their responsibility to prevent state-actors, or actors with such capabilities, for penetrating the defenses through phishing, malware, hacking and more, you will definitely lose your audience. And rightfully so. The threat, or the impact of such threat, is to big to be managed on an individual scale. The countermeasures we give them are hardly effective, because most often people do not really understand the gravity of these cyber-attacks.

Are you still saying "Do not click on that link in that e-mail!"? You thought yes? Seriously? I find it harder and harder to recognize phishing mail myself (if I see one to be frank). While every service provider can become way more spam-resilient by using techniques such as TLS, DMARC, Reverse DNS, SPF, DKIM, DNS-based blacklists, and Spam URI Real-time Block Lists (SURBL), we ask users not to click on links... These controls cut down spam (and phishing) emails significantly, and improves security (and privacy) also.

And the bright side of it all is that the user of the system has to do absolutely nothing to benefit from it. Why do I not receive spam and phishing on my personal email account, while I read organizations constantly struggling with them? Is it that people are more aware of phishing on their personal accounts, or is it because a billion-dollar company just configured it better? And phishing is most often number one step for Evil Jimmy to hack into the corporate network, so it might be smart to better protect your mail-servers instead of telling people not to click on links.

If we can make our systems smarter and more secure by really implementing security features, and if we can prevent users (or processes within users-space) for disabling such features, we dramatically improve the overall security. Just tell users never ever to share their password, and let them easily travel and room over the network. And whenever they need higher security clearance for more sensitive data, incorporate 2-factor authentication instead of yet another account. And that should be the end of the security awareness session. It can be done in 5 minutes.

Do not get me wrong, there is also a thing called privacy. And privacy awareness is a whole different ball-game compared to security awareness. Privacy awareness is way more important, and far more easily trained then security awareness. Because the issues and solutions on that front are close to the actual users themselves. They can recognize it, and they can truly make a difference there. It is about not leaving printed documents on your desk, it is about not sharing credentials and sensitive data by any means. People can relate to that, because no one wants their medical files on public display. Users can have a tremendous positive impact on these topics. Just don't bother them with (semi-)technical stuff that well-functioning IT-departments instead should do for them.

When all systems are well configured, hardened and compartmentalized, there is far less threat from the user from a security perspective, and we need to train them far less than we need to now. Think about that for a brief moment, before asking an user to remember Yet-Another-Weak-Security-Control.

Feel free to comment below, I would for sure appreciate it!


Post a Comment