The zeroeth rule of network security: don’t trust your users

I realise that when I talked about the three rules of network security, and the fourth about encryption, I forgot the most important part of security practice: people.

We know people are a weak point. Watch “Mr. Robot”, watch “The Real Hustle” or “Catch Me If You Can”, or read this to understand that “It only takes one thing to get someone to reveal their password: asking”.

So we try to enforce stronger passwords and hope users have a decent password manager, or at least a hidden physical copy, and don’t reuse passwords.

We try to add two-factor authentication so there’s less chance of anything happening if a password is lost, and hope we’re safe from phishing attacks.

We try to train users.

But security is an inconvenience. It hammers usability, because we want it to be unusable for the bad guys. (And it’s not just software: go to the right Scottish islands and you’ll find unlocked cars and unlocked houses.)

If you’re a bank, you optimise for failure. Cancel the old card and send out a new one. Block the online account until you get something in the post. Log every change for users to review. Roll back transactions when fraud has been proven. But even after optimisation, failure is expensive. It’s not an option generally open to the rest of us.
