Security Ergonomics

Posted by Gunter Ollmann on March 16, 2008 at 6:06 PM EDT.

Last week, IBM’s top security and privacy professionals attended an annual internal conference down in Austin, Texas. Over three days there were around 40 sessions divided into two streams covering diverse topics ranging from detecting Web application vulnerabilities using static analysis, through to European national e-ID card scheme evaluations. As conferences go, it was pretty good, and I actually found it more interesting than some of the external/commercial conferences that I’ve attended recently.

Not only was I lucky enough to attend, but I also had a submission accepted – and spoke on the topic “how too good security can become no security”.

Now, I’m not going to cover the presentation here in any detail (I’ll aim to cover some of the threats in later blog entries); but while I was preparing the slides and doing some auxiliary research, two statements (let’s call them “perspectives”) came to dominate the topic.

  1. An attacker doesn’t need to be smarter than the protection, just smarter than their victim.
  2. “There is no patch for stupidity” is a copout.

The gel between these two statements is complexity.

The security industry tends to develop and implement new protection strategies in a very linear way (e.g. if the attacker beats two-factor authentication, introduce another element and make it three-factor authentication, etc.). In fact, one of the core mantras of security is “defense in depth” – i.e. keep on adding layers of protection to cover the full spectrum of threat. The net result of all this is that most defenses are complex – complex to manage and complex to use.

Therein lies the crux of the problem. The end consumer is overwhelmed with all the layers of security they have to pass through just to do something as simple as checking an online bank balance.

Increasingly we’re observing that these consumers (the term I use is “our customer’s customers”) are now the “low hanging fruit” for professional cyber-criminal gangs. For example, the technological security ‘gates’ banks now confront these consumers with have started to become the industry’s undoing. Quick adaptation of standard five-year-old malware – mixed with some subtle social engineering (e.g. adding a 5th page to an existing 4-page validation process) – is capable of bypassing even the most sophisticated multi-factor transaction validation processes.

In essence, the complexities of the security solutions have provided greater opportunity for attackers to target the consumer – therefore bypassing the actual protection technologies.

What’s the response from some security professionals? “There’s no patch for stupidity” – i.e. the victim should be blamed because they couldn’t figure it all out and did something they shouldn’t have. Which, to my mind, is the ultimate copout - complexity is our failure, and the attackers gain.

Personally, I think it’s time we rethink many of the protection strategies the security industry adopts and deploys to protect Joe Average consumer.

Perhaps the industry needs to spend some time thinking about the ergonomics of consumer security before adding yet another defense-in-depth barrier?

    Copyright 2001-2008 © Gunter Ollmann