Archive for July 2009

Who is financially responsible for a security breach? Things are changing.

July 21, 2009

The understanding of financial responsibility for security breaches continues to evolve. Where will it stop, and could a CISO ever be held personally financially responsible? (more…)


5 properties of passwords that must be managed to reduce risk

July 8, 2009

Security legend Bruce Schneier “opened up a can of worms,” as he himself put it, when he agreed with usability legend Jakob Nielsen that applications should not mask passwords as they are being entered. This is surprising from Bruce, who regularly harps on balancing cost against risk reduction, but his follow-up post does a nice job of addressing the pros and cons of password masking.

For the question of password masking, the obvious security benefit of masking (reducing the risk from shoulder surfing) is to some degree counteracted by a less obvious cost (masking makes it harder to enter a password correctly, so it may discourage use of complex passwords).

This is a good reminder that there are in fact a number of password policy measures that on their face increase security, but may actually decrease it once usability is factored into the equation (more so in most cases, I think, than masking does):

  1. Password masking (protects against shoulder surfing)
  2. Password complexity requirements protect against brute-force password cracking (but how often does that actually happen?)
  3. Making passwords expire regularly limits the damage from a compromised password
  4. Locking out accounts after a certain number of wrong attempts prevents one type of brute-force attack: online guessing
  5. Rigorous authentication before resetting a forgotten password makes it harder to social-engineer a reset by answering a simple “secret” question, such as the name of the user’s pet

The problem with all of these is that they reduce the usability of passwords.  All of them make a user more likely to do insecure things:

  • Use a weak password
  • Write down their password
  • Use the same password across multiple sites

The best setting for these five properties depends on the particulars of each situation, but I think in general security folks worry more than they should about brute-force attacks, and much less than they should about the insecure behaviors above.  In particular, the complexity and expiry rules (2 & 3) are usually taken too far, and more sophisticated alternatives to lockout (4), where the permitted rate of login attempts is reduced with each error, are not used often enough.

Here, for example, are some data on how often people write down their main corporate login password (N > 100,000):


Edited 7/13/09 to add:

Schneier posted today on this subject, referring to an article that concludes that (overly) strong passwords don’t accomplish anything. Unfortunately the authors seem to endorse a “three strikes” rule (issue 4 above), rather than the more user-friendly approach of reducing the permitted rate of login attempts. That can easily be engineered to defeat brute-force guessing without a full lockout.

One other comment that didn’t make it into the original post: not all password complexity is created equal. Numbers and symbols add a similar amount of password entropy, but impose very different burdens on the user. Maybe Jakob Nielsen can do some usability studies to determine the right balance.
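Here is a worked illustration of the alternative to lockout argued for above (issue 4 and the 7/13 addendum): a progressive delay that doubles after each consecutive failed attempt, up to a cap, instead of a “three strikes” lockout. This is an added example written for this page, not code from the original post or from any product it mentions. The delay schedule (1 s, 2 s, 4 s … capped at 15 minutes), the one-hour forgetting window, the PBKDF2 parameters and the single demo account are all assumptions chosen for the example.

```python
"""Progressive-delay login throttling: an alternative to hard lockout.

Each consecutive failed attempt on an account doubles the wait before the
next attempt is accepted, up to a cap.  Unlike "three strikes" lockout, the
legitimate owner is never locked out and never needs a helpdesk reset.
Added example; the constants below are assumptions, not recommendations
from the original post.
"""
import hashlib
import hmac
import os
import time

BASE_DELAY = 1.0        # seconds imposed after the first failure (assumed)
MAX_DELAY = 900.0       # ceiling on the delay, 15 minutes; never a full lockout
FORGET_AFTER = 3600.0   # an hour with no new failures clears the counter


class LoginThrottle:
    """Per-account failure counter that yields a required wait, not a lockout."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock        # injectable so the schedule can be tested
        self._failures = {}        # account -> consecutive failure count
        self._last_failure = {}    # account -> clock value of the last failure

    @staticmethod
    def delay_for(failures):
        """Delay after `failures` consecutive misses: 1, 2, 4, 8 ... capped."""
        if failures <= 0:
            return 0.0
        return min(BASE_DELAY * 2 ** (failures - 1), MAX_DELAY)

    def seconds_to_wait(self, account):
        """0.0 if an attempt may proceed now, otherwise the remaining wait."""
        failures = self._failures.get(account, 0)
        if failures == 0:
            return 0.0
        now = self._clock()
        last = self._last_failure[account]
        if now - last >= FORGET_AFTER:
            self.record_success(account)   # stale history: start clean
            return 0.0
        return max(last + self.delay_for(failures) - now, 0.0)

    def record_failure(self, account):
        self._failures[account] = self._failures.get(account, 0) + 1
        self._last_failure[account] = self._clock()
        return self._failures[account]

    def record_success(self, account):
        self._failures.pop(account, None)
        self._last_failure.pop(account, None)


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed demo user store: one account with a throwaway password.
_DEMO_SALT = os.urandom(16)
USERS = {"alice": (_DEMO_SALT, _hash_password("correct horse battery staple", _DEMO_SALT))}


def attempt_login(throttle, account, password):
    """Returns ("ok", 0.0), ("wrong", next_delay) or ("wait", seconds_left)."""
    wait = throttle.seconds_to_wait(account)
    if wait > 0:
        return ("wait", wait)            # refuse without touching the store
    salt, expected = USERS.get(account, (_DEMO_SALT, b""))
    # Unknown accounts still pay the hash cost, so response time alone does
    # not reveal whether the account name exists.
    if hmac.compare_digest(_hash_password(password, salt), expected):
        throttle.record_success(account)
        return ("ok", 0.0)
    failures = throttle.record_failure(account)
    return ("wrong", throttle.delay_for(failures))


if __name__ == "__main__":
    t = LoginThrottle()
    for guess in ["password", "123456", "correct horse battery staple"]:
        print(guess, attempt_login(t, "alice", guess))
```

The arithmetic behind the trade-off: once the delay reaches the 15-minute cap, an online attacker gets about 96 guesses per day against that account, which is no better than what a lockout allows, while the worst case for the legitimate owner is a 15-minute wait rather than a helpdesk call. An attacker can still keep a target account sitting at the cap, but that is a nuisance, not the denial of service that a hard lockout hands them. A production version would key the counter on the source address as well as the account (so that guesses spread across many accounts are also slowed) and keep the state in a store shared by all login servers.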

The Real Risks of Social Media

July 6, 2009

The news media has been all over the ‘Facebook Fiasco’ involving the future head of Britain’s MI6. All the ridicule and snide commentary aside, this incident should lead to thoughtful discussion and debate at enterprises about the real risks of social media.

IREC has been tracking the social media domain for almost two years now. We have seen a significant shift in CISOs’ perception of this topic.

Before we get into the details, let us establish a common definition of the term – we use ‘social media’ to refer to the group of technologies/platforms that enable creation and sharing of user-generated content. Examples include blogs, wikis, forums, ratings, tagging and social networking.

If used well, social media can provide a useful and creative channel to build top-line growth and enhance brand awareness. Some creative examples that come to mind:

  • Dell’s use of Twitter as a sales promotion vehicle
  • Comcast’s customer service experiment via Twitter

The first set of queries we received on this topic were all about the potential security risks of social media. CISOs were also interested in their peers’ policy posture in this area: Are companies allowing access to Facebook? What technical controls are available to prevent data leakage through social media channels? And so on.

In the course of the past 12 months, one thing has become very clear: the real concern for corporations is not the security risks of social media, but the reputational risks that accompany thousands of employees sharing their life (and work) details in the public domain. A recent study conducted by our sister program, the Marketing Leadership Council, found that 71% of organizations surveyed plan to increase their social media investments in 2009. However, less than a quarter of these organizations had a social media strategy in place.

This raises the question: what should Information Risk’s role in social media governance be?
Our conversations with CISOs at leading corporations suggest the following:
1. Develop a social media policy that covers the use of social media by the enterprise (e.g., recruiting on Facebook) as well as by individuals. Provide simple ‘do’s and don’ts.’ The US Air Force has put together a simple flowchart to help staff decide when and how to respond to a social media post, a very effective example of social media policy in action!

2. Incorporate social media etiquette into your organization’s security awareness and training programs. (This need not be part of the security awareness program per se; just make sure it is part of some training employees receive.) Include contractors in the program and create little booklets/information packets that employees can share with their families.

3. Lobby for investment in reputation management and moderation technologies. Most probably, your Corporate Communications department is thinking about this as well.

4. Take the lead in setting up a social media governance program. Many executives in the organization are thinking about social media, in HR, Corporate Communications and Marketing among others. Get the group together to lay the groundwork for a well-defined program.

5. Finally, don’t forget to collaborate with your Legal department on issues such as records retention policies and monitoring of social media activities.