The Day When Security and Laziness Combine

Every day I see new security technologies hit the shelf that make great promises to the security world. I see solutions for password management, network perimeter security, server-side security, you name it. From a security standpoint, every one of these great new technologies continues to have the same flaw: they are vulnerable to end-user laziness. A security solution is only as strong as its weakest link, and unfortunately that link is Bill, the dad of 4 who doesn’t give two cents about your password policy. He just wants to put in his day’s work with as few hindrances as possible, get his check, and head to the house.

What does this mean? Are security professionals fighting a losing battle? It is evident that we will never be able to escape the impact of our weakest link. The solution is to implement security measures that are easy and acceptable to the end user while still maintaining a satisfactory level of security. We have to implement solutions that allow Bill (our weakest link) to continue his normal habits. Security professionals have been shouting “Employee Training” and “User Awareness”. Bill only goes to the training because you make him, and it isn’t going to change his habits. Enforcing strict policy only makes Bill angry, and then you will see a decline in his productivity (thus a loss of efficiency). Bill shall not be moved, because Bill’s pocketbook isn’t getting bigger by helping your security team. So what’s the answer?

Security and laziness must combine! We must transform the way we think as security professionals. We must put ourselves in Bill’s shoes. I see solutions such as “Single Sign On” that are making a push in this direction. Yet many of these create a bottleneck, and thus a single point of failure. Are we trapped?

I guess you’re awaiting my grand solution to this problem. Well, unfortunately I don’t have an idea for a new technology, but instead a new way of thinking. Security professionals and end users must reach a compromise. The division has to stop. I see this division in my own organization. I recently read an email that was sent out to end users in one department from an IT guy in regards to their poor password management. At the top of his email he addressed them as “Unwashed Herd”. We must reach compromise in our solutions with the “Unwashed Herd”.

2 Comments so far

  1. Deezil on May 4, 2005

    Yeah, I work for the “unwashed herd”. It’s as much the herdsman’s fault as the sheep who follow him. Seeing as it’s been 3 years since our domain account passwords have been changed, we see the inherent flaw, and it’s fully human. If I had been working there for more than this year, it wouldn’t be running on 3 years. Everyone in the building is going to love when they come back and have a new password assigned by yours truly. them, the security of my network is more important than their memory. It’s not like the password isn’t in the desk drawer / taped to the front of the monitor / under the keyboard anyway.

  2. dmac on May 7, 2005

    I understand where you are coming from, but I find it funny that it has been 3 years since domain passwords have been changed (which you addressed). That isn’t the end user’s fault. That is poor domain/password management. Users should be given the opportunity to choose their own password. Administrators should force max characters, alphanumerics, or whatever it takes. If you don’t have that ability in place due to poor technology (the usual university woes), that doesn’t give you the right to take it out on the end user. This only further increases the gap between admins and users, which inherently decreases security. They have to be on your side!! You can’t convince me that the situation over there was handled appropriately or professionally. On a lighter note, I’m glad that you are tending to the herd. I’m sure good things will happen with someone like you who will approach things from a modern perspective. Good luck on the password change!