Sunday, October 12, 2008

Security and Usability are at odds with each other?

At No Fluff Just Stuff in the Security Birds of a Feather session, Ken Sipe and Ted Neward both made interesting statements. 

Ken said that a secured logging system is the most important element to a security system. His reason for saying that is, even if damage is done, you'll want to know what happened. 

Ted made a good point that the vulnerabilities are likely to be through social engineering rather than trying to crack any difficult systems. It only makes sense that someone who is interested in defeating a system is going to attack its weakest points. People have lots of weaknesses.

Ken mentioned an anecdote of a group of penetration testers who left a few USB flash memory sticks that were loaded with rootkits and other goodies in the parking lot of their customer. Employees of the customer found the flash memory and couldn't resist the urge to stick them in the computers. It was game over after that.

Probably the most interesting statement, to me, was one to the effect that for a system to be usable some degree of security must be compromised, and vice versa.

The statement was in response to the single sign on trend.

That is to say that at the extremes a very usable system is insecure and a very secure system is unusable.

I agree that some measures that are performed in the name of security completely shred usability and that some things that are performed in the name of usability hurt security.

I don't see a single axis security/usability continuum. I truly believe that secure systems can be built that are secure. I also feel that I am not qualified to design these systems, but these are the recommendations that my unqualified self would suggest:

Stop relying on passwords so much. Passwords provide a single point of failure should one password become compromised. In one environment I worked in, which was supposedly very secure, the security people required everyone to change each of their numerous passwords every sixty days. If one were to have ten accounts, each with its own password, keeping track of those passwords is a bit of a chore. Memory fails people and they will rely on other means. Some will use something like password safe. But there are some who will rely on the old paper backup. Good thing that nobody thinks to look under the keyboard.

Ted Neward touched on one good solution for usability challenges with authentication, and that's multi factor authentication. I like multi factor because it dramatically increases the difficulty of breaking a system without necessarily sacrificing usability: instead of one challenge, there are multiple. The factors usually fall into three categories: what you know (passwords, questions), who you are (biometrics), and what you have (objects).

This is how an ATM works: you have a card and you rely on a fairly weak password. There are 10,000 available combinations for a 4 digit PIN. We don't worry about the relatively weak PIN because we're pretty good at keeping track of our ATM cards. Falling prey to social engineering schemes with our cards is far more likely than someone taking an ATM card and guessing the PIN.

I'd really like to see more multi factor security systems in place. If one of the factors in the system is an object, like an RSA token, then why not add a relatively easily guessable second factor, for example selecting a picture of familiar objects out of a lineup of ten, twenty, or one hundred other pictures? Pictures are easy for people to remember. The pass picture lineup may only provide a namespace of 100, but it only adds (multiplies) to the strength of the other factors.
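Whether a second factor adds or multiplies depends on how the verifier reports failure. As an added example (not part of the original post), this Python sketch counts worst-case guesses against a hypothetical verifier using the post's 10,000-value PIN and 100-picture lineup, once with a single combined verdict and once with per-factor feedback; the verifier and function names are assumptions for illustration.

```python
from itertools import product

PIN_SPACE = 10_000     # 4 digit PIN, figure from the post
PICTURE_SPACE = 100    # pass picture lineup of 100, figure from the post


def make_verifier(pin, picture, per_factor_feedback):
    """Hypothetical verifier: returns (pin_verdict, picture_verdict)."""
    def check(pin_guess, picture_guess):
        pin_ok = pin_guess == pin
        pic_ok = picture_guess == picture
        if per_factor_feedback:
            return pin_ok, pic_ok      # reveals which factor failed
        ok = pin_ok and pic_ok
        return ok, ok                  # one combined pass/fail only
    return check


def worst_case_guesses(per_factor_feedback):
    """Attempts needed by exhaustive guessing when the secret is tried last."""
    secret_pin, secret_pic = PIN_SPACE - 1, PICTURE_SPACE - 1
    check = make_verifier(secret_pin, secret_pic, per_factor_feedback)
    attempts = 0
    if per_factor_feedback:
        # Each factor can be searched on its own, so the costs only add.
        found_pin = 0
        for found_pin in range(PIN_SPACE):
            attempts += 1
            if check(found_pin, 0)[0]:
                break
        for pic in range(PICTURE_SPACE):
            attempts += 1
            if check(found_pin, pic)[1]:
                break
        return attempts
    # Combined verdict: every (PIN, picture) pair is a separate guess,
    # so the costs multiply.
    for pin, pic in product(range(PIN_SPACE), range(PICTURE_SPACE)):
        attempts += 1
        if check(pin, pic)[0]:
            break
    return attempts


if __name__ == "__main__":
    print("combined verdict:   ", worst_case_guesses(False))
    print("per-factor feedback:", worst_case_guesses(True))
```

The multiplication the post describes is what a verifier gets by checking all factors before answering and returning one generic failure.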

People have mixed opinions about biometrics. I'd hate to think that by amputating a part of my body, someone could defeat a security system. Some of these systems can be defeated in some clever ways.

Multi factor is more about the combined strength of systems instead of requiring a single system and cranking its strength up to 11 and cranking the usability down to zilch.

I think we really do need to question why security systems are typically so unusable and whether they really need to sacrifice usability for security.
