Archive for July, 2008

Human Factors in Information Security – Part 3

In this series of blog entries I’ve been discussing human factors engineering in information security, why it is so important, and the kinds of usability engineering flaws that can be found in so many information security tools. I’d like to shift gears a bit, so to speak, and talk about some usability issues related to passwords. Before I go any farther, I need to apologize for bringing up the topic of passwords, which I believe are (because of the many inherent exposures associated with them) little more than a dead end from a security point of view. But for various reasons, unfortunately, passwords are likely to continue to be used in authentication for the foreseeable future, whether we like it or not. Read more…

Human Factors in Information Security – Part 2

I’m constantly amazed by the claims many security product vendors make about how user friendly their products are. In my estimation some of them have acceptable usability levels, but many do not. I frequently notice usability design flaws such as highly cluttered graphic displays, unnecessarily complicated interaction steps, long lists of items in tables without any indication whatsoever of the status or meaning of each item other than the name, the need to frequently change from one input device to another, and difficult-to-read display output. Yet as I have said before, usability is hugely important in information security-related tasks.

One area of usability engineering to which security product vendors need to pay much more attention is accommodating different levels of users’ skills and knowledge. Too often a product accommodates only naïve users or only sophisticated users, but not both. Ideally, vendor products should have two parallel interfaces, one that is “pick and click” in its nature, and another that accommodates power users. As far as accommodating naïve users goes, the user interface should be so transparent to them that hardly any training whatsoever should be necessary. Power users usually like command languages that allow them to accomplish sophisticated actions with only a few keystrokes. The command language must nevertheless be very intuitive and consistent in its syntax. Read more…

Human Factors Engineering in Information Security – Part 1

Human factors engineering, often also called usability engineering, focuses on optimizing the interaction between humans and the tasks they perform. Starting in 1999, several information security professionals, myself included, have argued that much greater attention to usability considerations in information security is needed. Two of the first such individuals were Whitten and Tygar, who in 1999 published results of a usability analysis of and user testing on version 5.0 of PGP (Pretty Good Privacy), a program used to encrypt and digitally sign e-mail messages. Only users who were inexperienced in using cryptography were allowed to participate in this study. They were told to use PGP to encrypt, digitally sign, and send e-mail messages. An evaluation of users’ attempts to use this tool in this manner uncovered user interface design flaws that greatly increased the likelihood of user errors in interaction steps. When given 90 minutes to sign and encrypt an email message using PGP 5.0, most users could not successfully complete this assignment. Whitten and Tygar concluded that even though PGP 5.0 has an attractive graphical user interface and superficially appears to be user friendly, for most users this tool is not sufficiently usable to be effective from an information security perspective. Read more…

More on Information Security-Related Certification and Also a Few Kudos

If you have been reading my blog entries for a while, you know that I very much value certain information security-related certifications, particularly the CISM, CISSP and GSEC certifications. When I first entered the information security arena, these certifications were not available. I wish that they had been, as the information a person who is studying for a certification test must learn is extremely helpful in the real-life practice of information security. I am confident that I would not have made quite a few of the mistakes and omissions I have made over the years had I been privy to such information. Additionally, of the “big three” certifications that I just mentioned, I have taught or currently teach two of the three preparation courses for them, and will soon be teaching the prep course for the third. I must confess that although I think that my teaching these courses helps those who attend learn some very valuable principles and facts, teaching these courses has also helped me immensely. How? It has filled in missing details in my understanding of certain principles and also my knowledge in certain technical areas. Principles in the CISM examination preparation course have, for example, taught me how to “make the sale” of information security to senior management, something that I really did not know before I started teaching this course. Read more…

Security Problems in Banks’ Web Sites

Several University of Michigan security researchers conducted a study in which the on-line Web sites of over 200 banks were analyzed. The researchers reported that 76 percent of these sites have faulty security practices that leave their customers at elevated risk of fraud and information theft. Some of these practices include requiring customers to use email addresses or Social Security numbers as login names, redirecting customers’ connections without informing them, displaying icons that indicate to customers that connections are secure when they are in fact not secure, and so on. The names of the banks were not disclosed. Read more…

The Value of IT Standardization in Information Security

In IT security many known and reasonably proven security control solutions (network traffic filtering, encryption, access control lists, and much more) exist. Strangely, one very powerful solution, IT standardization, too often gets overlooked when people consider various control solution options. A good example is chapter three in the CISM examination preparation manual, much of which covers IT security technology. This chapter mentions many security technology options, but, strangely enough, does not mention IT standardization as a viable security control measure. In this respect, this manual (which, by the way, I very much like overall) is by no means unique. IT standardization is a proven way to cut down IT costs, but as a security control this measure too often gets too little notice. Read more…

Resources for Information Security: A Constant Struggle

Many of my friends (as well as myself) are chief information security officers (CISOs). Whenever we talk, the topic of resources for information security (or, more precisely, the lack of resources) seems to come up. CISOs who have served in this position for a while get a kind of gut feeling concerning the level of resources needed to reduce information security risk to an acceptable level. Inevitably, the amount they request never matches the amount needed. Information security professionals are constantly struggling to obtain a sufficient amount of resources. Read more…

The Entertainment Industry and Copyright Violation Crackdowns: How Much Is Too Much?*

A recent news item described a story about Virgin Media sending warning letters to roughly 800 of its customers, cautioning them to avoid downloading illegally copied materials. Virgin Media’s effort is in connection with the British Phonographic Industry’s (BPI’s) campaign to identify illegal file sharers and then report them to Virgin Media, which has agreed to send out warning letters such as the ones it recently sent.

I am very sympathetic with the current plight of both the recording and movie industries, both of which lose huge amounts of money due to piracy. Despite legislation designed to protect both of these industries by punishing individuals who illegally copy and share music and movies, the situation has, if anything, gotten worse. It is easy, therefore, to understand the desperation of the BPI, Recording Industry Association of America (RIAA), and Motion Picture Industry Association (MPIA). Read more…

IIS Web Security: Kudos to Microsoft

Defending Web servers and applications against attacks is one of the most difficult tasks that information security professionals and others face. The fact that Web server locations are normally well advertised, that Web servers and applications are often very complex, and also that many automated ways of attacking frequently used Web services and protocols exist only exacerbates this already difficult task.

Not too many years ago a particular Web server, the Internet Information Services (IIS) Web server, stood out as a particularly easy target to attack. According to statistics from seven years ago, 21 percent of the Web servers on the Internet were IIS Web servers, yet over 60 percent of all reported Web page defacements and break-ins into Web servers involved IIS Web servers. Among the many vulnerabilities in IIS implementations at that time was the fact that IIS ran with SYSTEM privileges, the highest level of privileges in Windows systems. Read more…

Lost and Stolen Laptops: An Embarrassing Case Study

I recently read a news item that stated that Ponemon Institute survey results show that nearly 640,000 laptop computers are lost at airports every year. Two thirds of the lost laptops are never returned to their owners. Worse yet, slightly more than half of the lost laptops held confidential data, and only 42 percent of the lost laptops had been backed up.

With respect to lost laptops, I stand among the guilty. About five years ago I had a flight from San Francisco to Chicago. The flight, originally scheduled for early one Sunday afternoon, kept getting delayed to the point that it was finally rescheduled to leave well after dinner time, something that more or less made it a “red eye” flight. I left the airport to have dinner at a nearby restaurant, and after coming back I had to go through airport security once again. Read more…
