Some Computer Security Folks Rethinking the Insanity

Yesterday's Boston Globe, in an article in the Ideas section titled "Please do not change your password," by Mark Pothier, reports on a guy who is perhaps going to change the way computer security wonks do their analysis. I certainly hope so! The subtitle of the article is: "You were right: It’s a waste of your time. A study says much computer security advice is not worth following." And that certainly sums up my own (and I think many users') feelings about all the hysterical messages we get from the IT security folks at work. Every message is equally high priority and every threat is rated equally disastrous. That's a little ridiculous, isn't it? Here are some snippets from the article, which is certainly worth reading in whole:

Now, a study has concluded what lots of us have long suspected: Many of these irritating security measures are a waste of time. The study, by a top researcher at Microsoft, found that instructions intended to spare us from costly computer attacks often exact a much steeper price in the form of user effort and time expended.

“Most security advice simply offers a poor cost-benefit trade-off to users,” wrote its author, Cormac Herley, a principal researcher for Microsoft Research.

Particularly dubious are the standard rules for creating and protecting website passwords, Herley found. For example, users are admonished to change passwords regularly, but redoing them is not an effective preventive step against online infiltration unless the cyber attacker (or evil colleague) who steals your sign-in sequence waits to employ it until after you’ve switched to a new one, Herley wrote. That’s about as likely as a crook lifting a house key and then waiting until the lock is changed before sticking it in the door.

Herley also looked at the validity of other advice for blocking security threats, including ways to recognize phishing e-mails (phony messages aimed at getting recipients to give up personal information such as credit card numbers) and how to deal with certificate errors, those impossible-to-fathom warning messages. As with passwords, the benefits of these procedures are usually outweighed by what users must do to carry them out, he said.

It’s not that Herley believes we should give up on protecting our computers from being hijacked or corrupted simply because safety measures consume time. The problem, he said, is that users are being asked to take too many steps, and more are constantly being added as new threats emerge or evolve. Security professionals have generally assumed that users can’t have too much knowledge in the battle against cyber crime. But that fails to take into account a crucial part of the equation, according to Herley: the worth of users’ time.
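To make the rotation argument above concrete, here is an added Python sketch that is not from the article or from Herley's paper: it computes how often a forced password change actually invalidates a stolen credential before the attacker uses it, checks that closed form by simulation, and sets it beside the user time the policy consumes. All numbers fed in are constructed assumptions, not figures from the study.

```python
import random


def fraction_defeated_by_rotation(rotation_days: float, attacker_delay_days: float) -> float:
    """Probability that a stolen credential is invalidated before it is used.

    Assumes the theft happens at a uniformly random point in the rotation cycle
    and the attacker waits a fixed attacker_delay_days before using it. The
    credential is defeated only if the next scheduled change lands inside that
    waiting period, which happens with probability delay / period.
    """
    if rotation_days <= 0:
        raise ValueError("rotation period must be positive")
    if attacker_delay_days >= rotation_days:
        return 1.0
    return attacker_delay_days / rotation_days


def simulate_fraction_defeated(rotation_days: float, attacker_delay_days: float,
                               trials: int = 100_000, seed: int = 1) -> float:
    """Monte Carlo check of the closed form: draw theft times uniformly in the cycle."""
    rng = random.Random(seed)
    defeated = 0
    for _ in range(trials):
        days_since_last_change = rng.uniform(0, rotation_days)
        days_until_next_change = rotation_days - days_since_last_change
        if attacker_delay_days >= days_until_next_change:
            defeated += 1
    return defeated / trials


def rotation_cost_benefit(users: int, rotation_days: float, minutes_per_change: float,
                          compromises_per_year: float, attacker_delay_days: float,
                          hourly_cost: float) -> dict:
    """Set the policy's cost (user hours) beside its benefit (compromises it defeats).

    Every input is a constructed assumption chosen by the caller; the function only
    does the arithmetic Herley's cost-benefit framing calls for.
    """
    changes_per_year = 365 / rotation_days
    user_hours = users * changes_per_year * minutes_per_change / 60
    prevented = compromises_per_year * fraction_defeated_by_rotation(rotation_days, attacker_delay_days)
    return {
        "user_hours_per_year": user_hours,
        "user_cost_per_year": user_hours * hourly_cost,
        "compromises_prevented_per_year": prevented,
    }


if __name__ == "__main__":
    # Constructed scenario: 1000 users, 90-day rotation, 5 minutes per change,
    # 10 credential thefts a year, attacker uses the credential within a day.
    print(rotation_cost_benefit(1000, 90, 5, 10, 1, 50.0))
```

With those constructed inputs the policy burns hundreds of user hours a year to defeat about a tenth of one compromise, which is the trade-off the article describes.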
Cormac Herley, a Microsoft employee, introduced his paper, written in September 2009. On Dec. 31, 2009, he was interviewed on Security Now, an IT security webcast show.

I googled his name and TechRepublic, and found his paper is being talked over and winning converts like Michael Kassner, posting March 15, 2010, "Are Users Right in Rejecting Security Advice?" Back to the Globe article:
Herley’s paper gives “normal users a voice,” said Michael P. Kassner, a technology writer and IT veteran who wrote the TechRepublic piece. For too long, users have been asked to follow security instructions without being told why they are worth the time investment. “I’ve been a proponent of prioritizing” security measures, Kassner said. “The whole purpose of IT is to make people’s lives easier.”

The computer security community has long puzzled over why so many users fail to snap to attention when alerted to news about the latest threats, such as viruses, worms, Trojan horses, malware, and spyware. At countless conferences and seminars, experts have consistently called for more education and outreach as the answer to user apathy or ignorance. But the research of Herley and others is causing many to realize most of the blame for noncompliance rests not with users, but with the experts themselves — the pros aren’t able to make a strong case for all their recommendations.

Some advice is excellent, of course. But instead of working to prioritize what efforts are effective, government and security industry officials have resorted to dramatic boldface statements about the horrors of poor passwords and other safety lapses, overwhelming the public. For instance, the federal government’s website for computer safety tips includes more than 50 categories under the heading of “Cyber Security Tips.” Each category leads to complex sets of instructions.
“It’s nice to see the industry starting to grapple with these issues,” said Bruce Schneier, the author of “Secrets and Lies,” a book about computer and network security. In a blog posting last year, Schneier recalled a security conference at which a speaker was baffled by the failure of workers at his company to adhere to strict computer policies. Schneier speculated that the employees knew following those policies would cut into their work time. They understood better than the IT department that the risks of not completing their assignments far outweighed any unspecified consequences of ignoring a security rule or three. “People do what makes sense and don’t do what doesn’t,” he said. To prompt them to be more rigorous about computer protection, he said, “You want actual studies, actual data.”
So what does Herley think is really worthwhile computer security? Alas, good passwords, that you do change...
So which security measures offer a reasonable return on time and effort? Although coming up with a sensible list of security actions was not a goal of Herley’s research, he does have some suggestions based on personal experience. Start with bullet-proof passwords, he said, even if your employer requires you to periodically reinvent them or use too many (he juggles about three dozen as part of his work). Beyond that, he is big on one-time measures that offer ongoing benefits, like installing the latest software to shield against viruses and spyware (set it to automatically update). Two-thirds of computers have outdated software protection, according to a Microsoft spokesman. The company also recommends activating a firewall, which “functions like a moat around a castle.” Combined, such measures shouldn’t take more than 30 minutes, it said, and offer insulation from what is perhaps the biggest security menace of all: users.

“One of the main ways people get compromised is that they open the door to an attacker themselves,” said Herley. Someone might load software promoted as offering protection when it is actually spyware in disguise, he said, or they “open an e-mail attachment with a malicious payload. ... If this happens, it can be very bad. A piece of malicious keylogging software on your machine can grab all of your passwords: It makes no difference at that point whether they are strong or weak.”
