As the year comes to an end, we naturally consider changes that we should make in the New Year. As 2017 dawns, I hope to see a few revisions to the security tips that we give our friends, families and the general public.
“Not more secure” versus “less secure”
We can all think of some bit of security advice that people should be rapped on the knuckles for giving, because it doesn’t really make people’s machines or data substantially more secure. For instance, using some easily spoofable identifier – a MAC address, for instance – as one step among many in your authentication arsenal does not make your network significantly more secure, and it can cause delays and difficulties for your users. While this is decidedly not optimal, it’s important to make the distinction that it doesn’t render your network less secure.
On the other hand, if you’re using an item that can be easily guessed or spoofed as a way to circumvent the requirement for a more secure type of authentication, then you are actually making your network more vulnerable. The prime example of this is using security questions in the password-reset process, as the answers people use are often easily found with a quick trip to your favorite search engine.
It is important for us to distinguish between these two scenarios. While it is possible to create secure answers to “security questions”, it is difficult enough for the average user that major companies are starting to recommend that people disable them to improve their login security.
While using MAC filtering may not actually deter anyone from breaking into your network, it can still be a useful technique for administrative purposes. We must be careful to word our security advice in a way that doesn’t cause people to avoid making benign changes for fear of creating security holes where no such risk exists.
Fit the advice to the task
There are a lot of things we should all be doing to improve our security, in much the same way that we should all be eating more vegetables and getting more exercise to stay healthy. But these perennial pieces of advice are not applicable in each and every situation: if you’ve recently injured yourself, eating more vegetables won’t hurt but it also won’t directly help your injury either, and inappropriate exercise might even cause further damage.
I think we can all agree that encryption is a very good thing when it comes to protecting our data. But it is not a tool that is useful for every situation. For example, I frequently see people asking about encrypting their hard drives as a method of preventing ransomware, which it most definitely is not.
It may be that this is a misinterpretation of the common tip to create, and encrypt, a backup of the contents of their machines. It’s important to make clear that the offline backup is the specific action that protects against ransomware, and that encrypting the backup is there to make sure we don’t create an additional risk for other types of attack. This misunderstanding may give people a false sense of security if they think that the encryption itself will prevent ransomware.
Outdated information
Making sure security advice is still valid can be a tricky thing, as software gets updated and new vulnerabilities are discovered on a daily basis. A friend of mine wrote to me in a bit of a panic, saying he’d been warned that using hidden SSIDs and MAC filtering would actually create security holes. Before responding, I had to do some serious search engine querying to make sure there wasn’t some vulnerability warning that I’d missed. (Of course, by the time this post gets published, it is possible that such a thing will have been discovered.) As security educators, we need to be aware of this and adapt our advice to respond to these changes.
Back in the early days of macro viruses, security people would say that it was safer to send people RTF or PDF files than DOC files. And then problems were discovered that made these filetypes less safe than they were assumed to be. In the early days of mass-mailing worms, many of us advised people not to open suspicious attachments. But then mass-mailers were developed that could run when viewed in Outlook’s Preview pane. There was a time when MD5 was considered an appropriate hashing algorithm. And when it was generally considered acceptable to use WEP or WPA encryption standards for Wi-Fi. And then there’s that whole “green padlock” issue.
Keeping up with an ever-evolving security threatscape isn’t easy, even for an expert. Over time, products and file structures are updated, computing power that can be used to make or break things increases, and vulnerabilities are found in products and standards. As security professionals, we need to stay on top of these changes and make sure what we’re telling people to do keeps up with the reality of what is happening in the field.