Saturday, March 29, 2008

Security Ergonomics

Ergonomics applied to the security industry ...

"Last week, IBM’s top security and privacy professionals attended an annual internal conference down in Austin, Texas. Over three days there were around 40 sessions divided into two streams covering diverse topics ranging from detecting Web application vulnerabilities using static analysis, through to European national e-ID card scheme evaluations. As conferences go, it was pretty good, and I actually found it more interesting than some of the external/commercial conferences that I’ve attended recently.

Not only was I lucky enough to attend, but I also had a submission accepted – and spoke on the topic “how too good security can become no security”.

Now, I’m not going to cover the presentation here in any detail (I’ll aim to cover some of the threats in later blog entries); but while I was preparing the slides and doing some auxiliary research, two statements (let’s call them “perspectives”) came to dominate the topic.

1. An attacker doesn’t need to be smarter than the protection, just smarter than their victim.
2. “There is no patch for stupidity” is a copout.

The gel between these two statements is complexity.

The security industry tends to develop and implement new protection strategies in a very linear way (e.g. if the attacker beats two-factor authentication, introduce another element and make it three-factor authentication, etc.). In fact, one of the core mantras of security is “defense in depth” – i.e. keep on adding layers of protection to cover the full spectrum of threat. The net result of all this is that most defenses are complex – complex to manage and complex to use.

Therein lies the crux of the problem. The end consumer is overwhelmed with all the layers of security they have to pass through just to do something as simple as checking an online bank balance.

... What’s the response from some security professionals? “There’s no patch for stupidity” – i.e. the victim should be blamed because they couldn’t figure it all out and did something they shouldn’t have. Which, to my mind, is the ultimate copout - complexity is our failure, and the attackers gain.

Personally, I think it’s time we rethink many of the protection strategies the security industry adopts and deploys to protect Joe Average consumer.

Perhaps the industry needs to spend some time thinking about the ergonomics of consumer security before adding yet another defense-in-depth barrier?" (Continued via Frequency X Blog)
