AusCERT 2010: A security masquerade?

"Educate your stupid users," says security expert

It was the night of the masquerade ball, and the security professionals had left their rooms for a night of carousing and revelry.

I dressed and went to collect my date for the evening, a few levels up in the Royal Pines Resort on Queensland’s Gold Coast. It was AusCERT 2010.

She wore a grin as she opened the door. She had the master room key.

While the others confabbed and gossiped, I considered the possibilities.

Hundreds of empty rooms, and nothing linking me to the key. No one had seen me arrive and the cleaner had left the key many hours earlier.

Obviously, I did nothing, but the irony of a security breach at Australia’s biggest security conference was not lost on me.

It highlights the fallibility of users and is a reminder that humans are often the weakest point in a security system.

You can deploy the latest zero-day-detecting, malware-rejecting, access-subjecting platform, and it will all go to hell if your staff stick their passwords to their monitors.

Or hand their access card to a journalist.

But they can be the strength too. Cryptography god Bruce Schneier once made this point with the story of a real-life gaol break.

He wrote that a prisoner had escaped by tiptoeing around a tripwire system that had replaced the sentry on guard duty. So where does the blame lie?

Prisoners, hackers and disgruntled employees are a dynamic threat, and humans, with their powers of observation and critical thought, are a dynamic defence.

The guard could have spotted the prisoner’s escape, while the tripwire had a single defence and a single, constant point of failure.

As one senior security veteran told me over a beer that night, scoffing at the “new kids and their toys”, the chief problem in security has remained the same for decades — educating stupid users.


Comments

1

Richard

Fri 21/05/2010 - 11:59

Interesting comments, especially as almost exactly the same thing happened to me the day of the ball. I went back to the Holiday Inn before the ball and found the cleaner's (I assume) card in my room.

But you and your 'senior security veteran' obviously didn't attend the talk on security awareness, or you wouldn't be calling people stupid.

They say a definition of stupidity is doing the same thing and expecting different results. Security people have been calling users stupid for years and guess what - security is still an issue.

It's time we had a sea change and maybe it needs to be led by 'senior security veterans'. If you call people stupid and treat them like idiots, then that's what you'll get.

The point was made in the speed debating. If security is too hard for people, we 'experts' need to do a better job of making it easier.

2

Robert Winkel

Fri 21/05/2010 - 15:08

It's interesting that you should mention staff sticking their password to their computer. One of the security vendors was doing just that at AusCERT 2010. They had a post-it note with their password on the laptop that they were letting delegates use. The password was also simply of the form "vendor1".

3

Mike Mudd

Sat 22/05/2010 - 11:34

Calling your customers stupid is not exactly the way to improve the outcome that you desire - improved IT security. We all know that humans are fallible; it is what we should do about it that should be the issue. For example, despite billions spent on driving lessons, car design and safety fixtures including ABS brakes that are now ubiquitous, cars still crash due mainly to the failings of the driver. So we build passive features: progressive crumple zones, seat belts that tighten prior to impact and multiple airbags. Maybe the IT security industry should accept that humans fail and not insult those that ultimately pay us?

4

Dan

Thu 13/01/2011 - 21:23

"They say a definition of stupidity is doing the same thing and expecting different results"

I thought this was the definition of insanity not stupidity. Maybe I'm just stupid.
