People will always be the weakest link in security.
Yesterday morning I stopped in the local Starbucks to get some coffee. When I arrived I noticed a customer who was unpacking a laptop bag and getting situated. While I was waiting in line after ordering my drink, the same customer passed me heading into the restroom. After I got my coffee I started to head out the door. I noticed that the customer had booted their laptop and had a Citrix session running with Outlook open. I looked around and realized that the customer was still in the restroom. I decided to take a few minutes and sit down across the room and observe. I noticed that the laptop had a 3G data card plugged in, so I am guessing that was the data connection the customer was using, not the WiFi hotspot.
Let’s evaluate the situation. We have a company whose IT people need to provide remote access to its users. They want to keep full control of their data, so they go the thin-client route and use Citrix. I am guessing they also provide the 3G card. But after all that, a user boots the laptop, VPNs into the company (I’m guessing), authenticates through the thin client, launches Outlook, and then takes a health break without locking the system.
I won’t even go into the part about the laptop just sitting untethered on the table. That is a whole other issue. I am really hoping that all the sensitive and private data is on the thin-client side and not on the local laptop. Sometimes I get tunnel vision on teaching best practices and awareness about security. All the different technology we can use and policies created to reduce risk, and then you throw a user into the mix and it’s all for naught.
I know that many of you will see the same thing sometime today, but what is the fix? The customer I observed, after they did come back 15 minutes later, had a Realtor lapel pin. I don’t think keeping that user nailed down to a workstation in a secure building is an option. I would like to hear your stories, in the comments, on how best efforts were made in the name of security and a user killed it all without any thought. I would also like to hear solutions to fix problems like this. I think setting the screen saver to turn on after 60 seconds with authentication enabled would be a good start, but I’m not sure how the user would feel about that. :P
P.S. This isn’t just a user issue. I have seen an Administrator spend 30 minutes climbing through security and authentication, only to walk out of sight of their laptop to get a soda refill, without locking it. This is truly a people problem, not a non-technical-user problem.
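The 60-second password-protected screen saver suggested above is something a Windows shop can enforce rather than leave to the user. The following PowerShell script is an added example (not from the original post); it writes the same per-user policy values the "Enable screen saver", "Screen saver timeout" and "Password protect the screen saver" Group Policy settings write, then audits the effective setting so an unmanaged laptop like the one in the coffee shop shows up as non-compliant. The 60-second threshold and the choice of the blank `scrnsave.scr` saver are assumptions for this example.

```powershell
# Added example: enforce and audit a password-protected idle lock on Windows.
# Assumes Windows PowerShell 5+ running in the user's session (or rolled out via GPO).
$PolicyKey      = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$UserKey        = 'HKCU:\Control Panel\Desktop'
$MaxIdleSeconds = 60   # the post's suggested timeout (assumed threshold)

function Set-ScreenLockPolicy {
    param([int]$TimeoutSeconds = $MaxIdleSeconds)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    # Policy values are REG_SZ, exactly as the GPO editor stores them.
    Set-ItemProperty -Path $PolicyKey -Name 'ScreenSaveActive'    -Value '1' -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'ScreenSaverIsSecure' -Value '1' -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'ScreenSaveTimeOut'   -Value "$TimeoutSeconds" -Type String
    # The lock only fires if a screen saver is actually named; the blank one is enough.
    Set-ItemProperty -Path $PolicyKey -Name 'SCRNSAVE.EXE'        -Value 'scrnsave.scr' -Type String
}

function Test-ScreenLockPolicy {
    param([int]$MaxSeconds = $MaxIdleSeconds)
    # Policy overrides the user's own Control Panel choice, so check it first and
    # fall back to the user key, which is all an unmanaged laptop would have.
    foreach ($key in @($PolicyKey, $UserKey)) {
        if (-not (Test-Path $key)) { continue }
        $p = Get-ItemProperty -Path $key
        if ($null -eq $p.ScreenSaveTimeOut) { continue }
        $active  = ($p.ScreenSaveActive -eq '1')
        $secure  = ($p.ScreenSaverIsSecure -eq '1')
        $timeout = [int]$p.ScreenSaveTimeOut
        $named   = -not [string]::IsNullOrEmpty($p.'SCRNSAVE.EXE')
        return [pscustomobject]@{
            Source       = $key
            Active       = $active
            PasswordLock = $secure
            Timeout      = $timeout
            Compliant    = ($active -and $secure -and $named -and $timeout -le $MaxSeconds)
        }
    }
    # No timeout configured anywhere: the laptop left open on the table.
    return [pscustomobject]@{ Source = 'none'; Active = $false; PasswordLock = $false
                              Timeout = 0; Compliant = $false }
}

Test-ScreenLockPolicy | Format-List   # audit before
Set-ScreenLockPolicy
Test-ScreenLockPolicy | Format-List   # audit after: Compliant should now be True
```

Run the audit half alone across a fleet to find laptops where a user has quietly disabled the lock; the policy half only takes effect on the next logon or after the session re-reads the Desktop settings.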

There are 5 Comments to "People will always be the weakest link in security."
There is no solution for stupid people. I think it was the former governor Jesse Ventura that said, upon vetoing a law on driving on frozen lakes, “If stupid people want to drive out on the frozen lake, let them. You can’t keep stupid people from doing stupid things.” Education is the only way to limit the stupidity–most people are completely oblivious to security because no one ever told them otherwise.
I work with a lot of small businesses, and one of the default requirements of W2K3 Server is the complex passwords. I’ve been begged to turn this feature off by the clients because they can’t remember their passwords, and the only way I can sell them on the idea of security is that it will save them money if something bad did happen.
Of course, there was that one former customer that had angrily insisted that passwords are just a placebo (in referring to his hosting company requiring passwords for web editing and email accounts, as well as his online banking). His company no longer exists.
The problem is not stupid people or dumb users. The problem is we have not given them a PERSONAL reason to care. Just saying we have a policy or not to do this and that means nothing to them. People need to realize they are accountable. I bet if you started giving people the reasons and laying out consequences that directly affect them the view would change. People respond to a sense of duty! A good example: the US military, which is based on a sense of pride and duty. Of course you will always have a few stragglers and the goal is to minimize this; you will never eradicate it with technology.
The other problem is that very rarely are people ever called out on doing stupid stuff at the time they do it. The person you mentioned probably doesn’t even know the impact of what they did or what could have happened, and unless they stumble on this blog post they never will.
If we don’t want to tell people to their face they are making mistakes, maybe the collective “we” should come up with a “you are bad user” type card we could leave on unattended laptops?
Just to be fair, I’m just as guilty as everyone else of observing stupid behavior and blogging about it later instead of telling the person they made a mistake at the time.
@Winux: I hear your frustration, but I try to remember that a business has to run to be successful. If security keeps a business from running then it’s of no value. All we can do is reduce the risk and support our companies.
@Tim: I agree with you.
@CG: I thought about saying something, but I don’t think that would be my place. If someone asked me my opinion, or if we both worked for the same company, maybe that would give me the open door to help them out. It would be like telling someone in the meat aisle at the grocery store buying steaks about how they abuse cows and red meat will kill you. :P
[...] mitigate stupidity. Recently this article from Thomas Nicholson at Nicholson Security blog entitled People will always be the weakest link in security described a situation in a coffee shop where a business person connects to the corporate LAN (no [...]