Sunday, October 16, 2005

Awareness as Defence

What is the value of awareness as a security defence mechanism?
Anytime a security wonk complains that security awareness training has to be beefed up to address some failing in end user behavior I believe there is a failure in technology. ... If you have to educate people to not use the tools you have given them in a certain way to remain secure you have failed. Relying on security awareness training is an admission of failure. [Richard Stiennon via Adam Shostack]
End-users are trained to respond in particular ways to certain stimuli (signals, messages, emails, webpages, phone calls) from bona fide suppliers. But when these end-users are faced with similar signals from impersonators (such as phishers), they produce behaviours with bad consequences.

This can be understood as a question of exo-interoperability and risk. What can go wrong when you compose well-meaning user behaviours with hostile external behaviours?

Depending on end-user awareness to solve this problem will only work if there is a simple and reliable method for discriminating between bona fide suppliers and impersonators. This in turn assumes that the impersonators are not clever or innovative enough to change the forms of deception used. (Appeal to end-user awareness, when it is unlikely to be effective, simply counts as abdication on the part of the supplier.)

(In the past, we may have trusted people because they had the right accent or dress, or had been to the right school, or just paid attention to the right things. There are always social tokens that clever impersonators can deploy to bypass any natural caution.)

Depending on technology to solve security problems will only work if the system is completely closed, with no possibility of human intervention. Otherwise, there is no limit to the ingenuity of social attacks. We may also note that high-tech companies with a very high reliance on technology are often the first organizations to fall victim to the latest malware.

As it happens, an example has crossed my desk this week. I am on the email circulation list of a certain department (which shall remain nameless). In the past week there has been earnest discussion between several members of this department about the policies for protecting the department against virus-infected attachments. Some people have argued that the members of the department are all computer-literate, and therefore should be trusted to do the sensible thing with email attachments. Others argue that there should be technical hurdles, to make people think twice before opening attachments.

But such questions cannot be sensibly resolved in a piecemeal fashion: one mechanism at a time, one discrimination at a time. Instead, we must be looking for holistic security involving active collaboration with shared awareness and shared responsibility between suppliers and users. Our approach includes a detailed analysis of exo-interoperability risks, and a stratified security architecture that assigns proper responsibility for these risks within a complex sociotechnical system of systems.

Thus awareness may be a useful step towards improving security, but it is not a solution in its own right.
