Have we lost the war? Or are we just fighting the wrong battles?

24 10 2014

It’s October, and so far this year the ‘bad guys’ have obtained well over 100 million customer records and a similar number of credit card details from a variety of organisations ranging from banks to hardware stores. Every day it seems another bad news story appears in The Register or even on the BBC informing us of yet another breach of security, software vulnerability, internet scam or infected cat video on YouTube.

Each news story prompts the rolling out of the same faces, making the same statements and wringing the same hands AND NOTHING CHANGES.

Whilst those who have been paying attention understand that we are no longer up against spotty-faced kids in their bedrooms who switch between Doom (showing my age here) and hacking a web site for their entertainment, the wider community does not seem to have caught on.

Our adversaries are running multi-million-dollar, global enterprises with levels of organisational sophistication and technical expertise that many of their target companies could only dream of. They don’t have to worry about setting up committees and focus groups before deciding whether to raise a project to scope out the work necessary to request a budget to carry out a feasibility study into the value of implementing a new product. They just get on and do it, and in many cases do it extremely well.

That means that we’re always going to be behind the curve playing catch-up, and with the pace of technology change we’re dropping further behind.

So what do I think we should be doing? Well, to use Tony Blair’s famous phrase from 2001, “Education, education, education”, but not just in schools and universities.

People write poor code that can be exploited, people click on links in emails and download viruses, people give away their security information to anyone who offers them a free app, people decide on what budgets should be spent on security improvements and only people can make the changes necessary to give us half a chance.

Until most people ‘get it’ then the few of us in the security world who already ‘get it’ are just lone voices in the wilderness, seen as a bunch of geeks wheeled out for soundbites that are forgotten as soon as the next celeb leaves Big Brother.

Sure, there are glimpses of change. Initiatives such as the UK Government’s Cyber Streetwise and Get Safe Online (incidentally, did you know that 20-26 October 2014 is Get Safe Online week? No, me neither) are baby steps in the right direction, as are moves by e-Skills UK to promote cyber security training, but none of them are really joined up, and very few make it into the public consciousness.

So how could we achieve effective education of those who really matter?

There is no magic bullet, no one panacea for all our ills, but one thing we do know about the western world is that if something has a celebrity angle, involves reality TV or appears in a soap opera, boy does it get discussed around the coffee machine. If people feel they are directly affected by something (even if they aren’t) then there is a clamour to ‘get something done’ about it. So if we can pique their interest about something that they are affected by then who knows what might happen.

Maybe, just maybe, if we were able to get the conversation going at the soap opera level, that would get the message to the masses. If the scripts were written in an interesting and accurate manner with real human interest about the victims, maybe that would provoke a reaction. If real solutions and suggestions were offered in a joined up way, maybe that would encourage people to find out more and create a demand for change, and change themselves.

We know that simple things like running an up-to-date operating system and browser, thinking before clicking, and not sharing your personal information with the world at large will all help make you less of a target. The other 99% of the population don’t do these things, and most of them don’t even know they don’t know. Until that changes, no amount of firewalls, IDS, IPS, anti-malware or any other technical security will win the war for us. No burglar will waste their time picking the locks of the back door when the front door is wide open and the burglar alarm is turned off.

As a start we need to remind people why they have a lock on their front door, and that leaving the key on the doormat or not locking it at all is plain stupid. Once we get that message understood then we can start with the more sophisticated stuff.

That’s my two-penneth worth. Maybe you agree or maybe you think I’m being too simplistic, not clever enough or just dumb? Either way, I’d love to hear what you think so please leave me some comments and if you are a script writer on Coronation Street or Hollyoaks let me know and we can have a chat.

Keep safe

David

Of Passwords and PINS (3)

8 02 2013

In the final part of this series I’ll look at PINs and what you can do to make them easier to remember.

PINs, generally 4 digits, and used to validate debit and credit cards, lock your iPhone, access buildings, secure safes and all manner of other things, have become one of those things we all have to remember. The 4-digit card PIN only offers 10,000 possible combinations, so it’s not really that secure, which is why so many systems operate the ‘3 strikes and you’re out’ control. But why only 4 digits? For the answer you have to ask John Shepherd-Barron, the inventor of the ATM. It seems that Mr Shepherd-Barron favoured using 6 digits, but his wife preferred 4!

In the same way as there are commonly used passwords (see the previous post for more details), there are some PINs which appear on an all too frequent basis. A recent analysis by Data Genetics revealed how unimaginative people are. Over 10% of the PIN codes analysed were 1234, and 6% were 1111. The least common PIN was 8068, but it’s probably best not to use that now, as the bad guys can also read the reports.

Maybe you need a different approach. In the same way as you can have a memorable password, why not have memorable PINs? No! Not your birthday, or your partner’s birthday, or your house number; too many people already know them. But why not use the letters A through J to represent the numbers 1 to 0, and create a combination that is meaningful to you? The first four words of a favourite tune, the initials of four family members, the first four letters of your home town.
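As an added example (not code from the original post), here is a small Python helper that encodes a phrase with the A-to-J scheme above and flags the weak choices this and the previous paragraph warn about: the 1234 and 1111 figures from the Data Genetics analysis, repeated or sequential digits, and date-like values such as birthdays. It assumes the alphabet cycles past J (K back to 1, and so on), which the post does not say.

```python
import string

# A->1 ... I->9, J->0 as in the post; K onwards cycle back to 1 (assumption of this example).
_DIGIT_FOR_LETTER = {
    ch: str((i + 1) % 10) for i, ch in enumerate(string.ascii_uppercase)
}

# The two over-used PINs the post quotes from the Data Genetics analysis.
COMMON_PINS = {"1234", "1111"}


def word_to_pin(phrase: str, length: int = 4) -> str:
    """Encode a phrase as a PIN: initials of several words, or the leading letters of one word."""
    words = phrase.split()
    letters = [w[0] for w in words] if len(words) > 1 else list(words[0])
    letters = [c.upper() for c in letters if c.isalpha()][:length]
    if len(letters) < length:
        raise ValueError(f"need at least {length} letters, got {len(letters)}")
    return "".join(_DIGIT_FOR_LETTER[c] for c in letters)


def _is_valid_date(a: int, b: int) -> bool:
    """True if the pair (a, b) can be read as day/month or month/day."""
    return (1 <= a <= 31 and 1 <= b <= 12) or (1 <= a <= 12 and 1 <= b <= 31)


def pin_weaknesses(pin: str) -> list[str]:
    """Return the reasons a 4-digit PIN is a poor choice (empty list if none found)."""
    if not (pin.isdigit() and len(pin) == 4):
        return ["not four digits"]
    reasons = []
    if pin in COMMON_PINS:
        reasons.append("among the most common PINs")
    if len(set(pin)) == 1:
        reasons.append("all digits identical")
    d = [int(c) for c in pin]
    steps = {d[i + 1] - d[i] for i in range(3)}
    if steps in ({1}, {-1}):  # 1234, 6789, 4321 and the like
        reasons.append("sequential run")
    if _is_valid_date(int(pin[:2]), int(pin[2:])):  # 2512, 1201, birthdays
        reasons.append("looks like a date (DDMM/MMDD)")
    return reasons
```

A PIN derived from a phrase can still collide with a weak pattern by accident, so run the result through `pin_weaknesses` before adopting it.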

Most organisations which require you to have a PIN allow you to change it, usually online or at the ATM, so that’s not much of a chore, BUT don’t change them all to the same value. Like passwords, it makes sense to have a variety of PINs, and to be honest you’re unlikely to have as many PINs as you have passwords (unless you collect credit cards as a hobby).

The standard instruction (as with passwords) is not to write them down, but again, as with passwords, there are variations on a theme. Clearly no one would write in their diary “Barclaycard 1234; Amex 3456; M&S 4567”, would they? (Pause whilst some readers tear a page out of their diary.) But it is possible to be more discreet and still record those which you use less often, in the same way as you can record passwords.

The frequently used ones you will remember because you use them every day, especially if you have made them memorable in the first place.

Anyway, that’s enough on Passwords and PINs, next time I’m going to start on Social Engineering and how the bad guys WILL obtain those carefully protected pieces of information you have created.

Until then, keep safe and keep aware

David
