Wednesday, February 22, 2012

Security in I.T.

Security in the Information Technology field is an excuse to screw things up a lot of the time.

Think about it. Where should security be implemented? It's fairly well accepted, by those in the know, that once physical access has been gained, all bets are off. For example, on a Linux system, point init to be something other than upstart or init-v. Like a shell for example. On Windows, normally an installation cd will give you enough access to reset passwords. Ditto with a Mac OSX installation disk. Think you can avoid this by locking it away behind the BIOS? It's fairly trivial to reset a BIOS, or even to remove a hard drive and put it in another machine. Security in this case only slows someone down.

So the desktop is a lousy place to implement security. If someone tells you differently, they're probably trying to sell you something. I saw a comment that suggested that most businesses require their users to use encrypted hard drives. Enter in a password to be able to access anything. I don't think the figures the person quoted are anywhere near the truth, and if they are, they're frightening. It's my theory that security on the desktop is ill-conceived at best.

I was helping a school out with their iGovt account. For whatever reason, Firefox wasn't allowing them to sign in citing that it needed cookies. Stupid generic error that didn't help in the least. Anyway, the user kept getting a incorrect password being used message. So she got a temporary one, and went to set her password to what she had thought the password was. Nope. Didn't work. Instead she got a message saying "You can not use the 6 previously used passwords".

Part of the trade off of putting loads of security on is that you actually lose security. Your users start to work against you. They write down the password. Or use something based on the date (seen this one at another school that forces a weekly password change). Change the password 6 times arbitrarily just to use the password you want to use. Post it notes or stickers on the side of the monitor. If you frustrate your users, your users find ways around it.

This is security 101. I've said to people "I don't really care about security. I just want to get on with work". The number of people telling me that I really should care or think I should be impressed because they're keeping up to date with various vulnerabilities is really surprising.

I would be so much more impressed and surprised by geeks who think of the end user first.

I was at a meeting where I told the guy my background. That my job was a consequence of a passion. I've been getting a fair amount of flak about my lack of desktop skills. I haven't used Windows for a very long time and have never been a Mac OSX person. Don't get me wrong - in terms of people skills, I'm probably okay. I do tend to ignore instructions like "don't get waylaid by people" and instead try to follow a procedure i.e.

  1. Approach the user about the problem so that I can hopefully understand what it is they're wanting. This one is really important as it is so easy to get it wrong. For example, today I got asked "Do you know how to connect something to the server?". It turns out they don't talk about networks. The network is a non-entity. It doesn't exist. Instead, everything is connected to "the server". Never mind the fact that most of what they do happens in the cloud. So get them to show me the problem. I answered "no" as this was safest at the time. I outright refused when I realised what it was they were wanting.
  2. Get UAT. User Acceptance Testing is important. You can not be sure you've taken the right action if you haven't made sure that the user is happy.
  3. Throughout it all, become a Buddhist monk. I am centred. The only person that exists at the time of helping someone is the person I'm helping. I am patient and more zen than thou. I think I've only almost lost it once towards the end of last year when I user was insistent that the wireless network didn't work at all even though her machine was unplugged from the network and she was surfing the net.
But in terms of desktop support, I'm more of a diagnostician. Go away, think about the problem, come up with the most likely causes, quite likely come back the next day to sort it out.

So much of what goes wrong on a user's desktop is due to security. Linux has the keyring in gnome which seems to go out of sync with the users password requiring the user to manually type in a password to do something that should be easy like connecting to a wireless network (how about making it a system connection by default or making it easy to do this when setting up the connection for the first time?). Access to printers using department codes or user codes which require the use of very specific drivers. Tying down the network to only allow a very small number of clients (killer in a 1:1 programme).

I've been called out for each and every one of those scenarios. You've got to ask what is it that they're trying to secure? If you think of security as a great big ugly footprint, then how can you reduce it? Do users have to have a rotten experience to protect data that probably doesn't need protecting? Can you instead secure just a small area?

There is one location that I have to go to every time there's a new user. It's not to provision accounts or anything, but because there's this ill-conceived sense of security the customer gets by not revealing their passwords to the users. Never mind the fact that they can go back in and find out those passwords.

Instead, the users lack confidence. They're like battered wives asking for permission for anything they do.

So, if you pride yourself on saying you follow computer security developments, you really should be asking yourself, how does this effect the user experience? At what point does more security make things less secure? Do you really understand the customer's requirements? Does the customer understand the trade off between security and usability? etc.

No comments:

Post a Comment