Security awareness and the Speed-of-Light limitations on security technologies

Thursday, August 13th 2009 @ 7:56 AM

The Ottawa Business Journal Article on my Security Awareness Research  - The Honey Stick Project

This week, the Ottawa Business Journal published a good article, "Unplugging Risks to Company Networks" by Peter Kovessy, about the research I’ve been doing on human security awareness and risk decisions.

After you read the article...

My comments below give some deeper insight into the Honey Stick Project mentioned in the article, along with some thoughts I had after it was published, to clarify what I’m trying to do and what I think we need from technology in the future. I encourage business and IT managers to read the article and my comments, and let me know what you think.

- Scott Wright



Technical Safeguards at the Speed of Light

What we think of as progress can be deceiving. As technology progresses, we gain productivity under a certain set of circumstances, but there are always situations for which a technology isn’t suited. So, with each advance in technology, a new set of conditions is imposed on when we can expect improvements. Outside those conditions, the results can be unpredictable, to the point of failures in quality, performance and security. In short, we have so many technologies in play, each with its own “boundary conditions” governing its usefulness, that we start to lose track of how to use them properly or safely.

We can all think of situations where a supposed technology advancement has given rise to an unintended risk. In some cases this almost negates the benefit of the advancement itself. As an example, when the Sony Walkman became popular in the early 1980s, a new problem came with it: people walking, cycling or even driving with headphones on, whose impaired hearing put them at risk of causing accidents. So, we now have laws governing when we can and can't safely use headphones.

I believe that these “boundary conditions” for achieving productivity with new technologies are the reason we will always have a gap between technology safeguards and human risk decisions. While I agree with Derek Webber’s point in the OBJ article above, that we need better technology safeguards as much as we need security education and awareness, we can never expect technology to protect us totally, no matter how much effort we put into technological safeguards. Many technology experts I have spoken to, despite their intelligence, experience and good intent, do not seem to appreciate that, because of the increasingly complex interactions of people and technology, every new advancement tends to require far more effort than the last to make it secure for most business purposes.

It’s almost like the problem of achieving travel at the speed of light. The closer you get to it, the harder it is to make incremental advances toward it.

Measuring the gap

As a way of illustrating this simple idea, I created The Honey Stick Project in 2008 to simulate the risk of computer infection from poor decisions about unknown devices that could carry malicious software. (The Conficker worm, which spreads through removable drives among other routes, is a recent example of this kind of risk.) The Honey Stick Project illustrates the gap I am talking about. The data I've collected shows that the majority of people (65% at this point) do not recognize the conditions under which a simple USB flash drive provides a benefit, and when it can be dangerous.

One of the simplest ways to mitigate risk is for people to stop and think for a moment about consequences before they take an action, whether it is clicking on a link in an email or instant message, or plugging in a device they just picked up off the ground. You have to ask yourself: “When is it safe to do this, and is there something I really need to do that makes it worth the risk?”

Technologies that can help bridge the gap

As I mentioned above, new technology advancements are always being developed, and many security technologies are being developed alongside them to protect us from their malfunction or misuse. Sometimes it makes sense to put up barriers to block the things you don’t want, but often we get better results if we can define exactly what we want to allow to happen, and nothing else. In the security industry we call this the “Default Deny – Explicit Allow” policy.

I think that despite all of our efforts to create the ultimate general-purpose computer, this is one of our biggest risks: we have a device that can do anything we might want to do, at any time. But for businesses, the ability to do anything at any time is not necessarily a good thing.

So, we need to start putting simple, understandable business rules at the heart of our computing systems, to make sure they do only what we want them to do, and nothing else. It’s becoming too complicated to decide what to block; it’s much easier to decide what we want to allow. Everything else becomes an exception. Not coincidentally, this is how humans must start to think about virtually everything we do that involves risk.

There are operating systems, such as Linux with Security-Enhanced Linux (SELinux), whose mandatory access control policy can be written to confine each program to the specific files, ports and operations a business rule permits, denying everything else. If this were done for all computers, most of our unintended consequences would disappear. But we don’t do this, mostly because even for simple business rules, it takes engineers too long to write and test the policy for each system, and it limits the flexibility of our computers. But that’s really what we need in order to have assurance in our business systems.
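Applied to the honey-stick problem itself, the “Default Deny – Explicit Allow” idea has a concrete form on Linux that does not require writing SELinux policy: the kernel's USB authorization interface. Each root hub under /sys/bus/usb/devices exposes an `authorized_default` file (write 0 and every newly attached device is left unauthorized, so no driver binds and no storage volume appears), and each device exposes an `authorized` file (write 1 to allow that one device). The script below, added here as an illustration and not code from the original post or from any product it mentions, flips the default to deny and then authorizes only devices on an explicit allowlist keyed by vendor ID, product ID and serial number. The allowlist entries and the sample sysfs tree it builds for demonstration are constructed values, not a real inventory; against a real system you would run it as root with the default `SYSFS_USB` path.

```python
"""Default-deny / explicit-allow policy for USB devices via Linux sysfs.

Added example. The sysfs files used (authorized_default on a root hub,
authorized / idVendor / idProduct / serial on a device) are the kernel's
USB authorization interface; the allowlist contents and sample tree are
constructed for demonstration only.
"""
from __future__ import annotations

import pathlib
import tempfile

SYSFS_USB = pathlib.Path("/sys/bus/usb/devices")

# Explicitly allowed devices: (idVendor, idProduct, serial). Constructed
# sample values standing in for a corporate-issued, inventoried stick.
ALLOWLIST = {
    ("0951", "1666", "CORP-0001"),
}


def read_attr(dev: pathlib.Path, name: str) -> str | None:
    """Return a sysfs attribute as text, or None if the device lacks it."""
    try:
        return (dev / name).read_text().strip()
    except OSError:
        return None


def device_identity(dev: pathlib.Path) -> tuple[str, str, str] | None:
    """Identity triple for a USB device directory; None for interface
    directories (e.g. 1-2:1.0), which carry no idVendor/idProduct."""
    vendor = read_attr(dev, "idVendor")
    product = read_attr(dev, "idProduct")
    if vendor is None or product is None:
        return None
    # Cheap sticks often have no serial; they can only match an allowlist
    # entry whose serial is also empty, which a careful admin never adds.
    serial = read_attr(dev, "serial") or ""
    return (vendor, product, serial)


def set_default_deny(sysfs: pathlib.Path = SYSFS_USB) -> list[str]:
    """Write 0 to authorized_default on every root hub. New devices then
    attach unauthorized until something explicitly allows them."""
    changed = []
    for hub in sorted(sysfs.glob("usb*")):
        f = hub / "authorized_default"
        if f.exists():
            f.write_text("0")
            changed.append(hub.name)
    return changed


def apply_allowlist(sysfs: pathlib.Path = SYSFS_USB,
                    allowlist=ALLOWLIST) -> dict[str, str]:
    """Authorize exactly the allowlisted devices, deauthorize the rest.
    Root hubs (usbN) are left alone so the buses themselves stay up."""
    decisions: dict[str, str] = {}
    for dev in sorted(sysfs.iterdir()):
        if dev.name.startswith("usb"):
            continue
        ident = device_identity(dev)
        if ident is None:
            continue
        allowed = ident in allowlist
        (dev / "authorized").write_text("1" if allowed else "0")
        decisions[dev.name] = "allow" if allowed else "deny"
    return decisions


def build_sample_tree(root: pathlib.Path) -> None:
    """Constructed stand-in for /sys/bus/usb/devices: one root hub, one
    inventoried corporate stick (1-1) and one unknown 'found' stick (1-2)."""
    def write(path: str, attrs: dict[str, str]) -> None:
        d = root / path
        d.mkdir(parents=True, exist_ok=True)
        for k, v in attrs.items():
            (d / k).write_text(v)

    write("usb1", {"idVendor": "1d6b", "idProduct": "0002",
                   "authorized_default": "1", "authorized": "1"})
    write("1-1", {"idVendor": "0951", "idProduct": "1666",
                  "serial": "CORP-0001", "authorized": "1"})
    write("1-2", {"idVendor": "090c", "idProduct": "1000", "authorized": "1"})
    write("1-2:1.0", {"bInterfaceClass": "08"})   # interface, no identity


def run_demo() -> dict[str, object]:
    """Run the policy against a throwaway sample tree and report results."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="usb-demo-"))
    build_sample_tree(root)
    hubs = set_default_deny(root)
    decisions = apply_allowlist(root)
    return {
        "hubs_default_deny": hubs,
        "decisions": decisions,
        "found_stick_authorized": read_attr(root / "1-2", "authorized"),
        "corp_stick_authorized": read_attr(root / "1-1", "authorized"),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The point the example makes is the one the paragraph above makes: the policy never has to know what the found stick is. A blocklist would need its vendor ID or a signature of what it carries; the allowlist only needs to know the one device the business issued, and every stick picked up in a parking lot is denied by default.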

That said, there is a new technology that I think has great promise for bridging this gap more effectively than any I’ve seen before. It allows simple business rules to be defined and enforced on a computer. The technology is called Trustifier. While I don’t yet know exactly how it behaves, I know enough about its architecture to say that this is the direction I think we need to go in order to start bridging the gap from the technology side. I hope to write more about Trustifier in the near future.

What to do in the meantime

On the human side, I will continue to develop educational materials, training and workshops to help businesses understand their risks and teach their teams to make intelligent decisions when working with technology.

Maybe someday, most of our business systems will have safeguards, like Trustifier, that actually limit what can be done to only safe actions. That would relieve most of us from some of the most serious risk decisions we are forced to deal with, as humans, today.

Please read the article above; I would like to hear your comments.

I am now offering monthly briefings, tailored to organizations that want to build and sustain security awareness for staff. Just because your security team is too busy to do its own training and awareness doesn't mean you can't have an economical way to address human security risks. Please call or email me at the contact details below.

Scott Wright

The Streetwise Security Coach

Join the Streetwise Security Zone at:
http://www.streetwise-security-zone.com/join.html

Phone: 1-613-693-0997
Email: scott@streetwise-security-zone.com
Twitter ID: http://www.twitter.com/streetsec
