Today, I want to review another theme that we saw in several of the tips from last month. That is the idea that a good security solution can be “broken” if it is implemented poorly.
Let me give an example that will illustrate the idea of implementation.
A traffic light can be an effective method of controlling traffic and avoiding accidents at the intersection of two busy streets. However, implementation is important.
An example of poor implementation would be if the light were green at the same time in all four directions. Fortunately, traffic lights are implemented to stop traffic on one road before traffic is permitted to flow on the other.
Another example of poor implementation would be if one of the signal lights were positioned behind a sign or a tree branch, so that the oncoming driver has no way of seeing the signal until he is far too close to be able to stop. A city official might conceivably argue that people should slow down so that they can stop in time if the signal happens to be red. But, knowing that a lot of people won’t, that argument would be flawed. Those responsible for traffic lights need to make sure the signals are visible from a sufficient distance to allow drivers to respond safely.
A good solution needs good implementation or it becomes a poor solution.
Problems with implementation occur repeatedly in security. Some of the places we saw it last month include:
* The “chip” credit cards. The chip could provide much better protection than it does in the U.S. Security is weakened by still allowing the customer to swipe the card or, with many of the cards, by allowing the use of a signature instead of depending upon the chip. Although we discussed that the European version still allows for fraud to occur, the American version is far weaker.
* The banks’ handling of security questions to verify identity, using information that is not that difficult to obtain.
* WiFi security, both public and at home.
* Backups, which even the technology experts at well-funded organizations fail at on a regular basis.
Implementation failures occur in at least three areas:
1) When the solution is being developed. The manufacturer of the equipment, the programmer of the software, and/or the creator of the solution may try to incorporate a good security idea in a way that weakens it or renders it ineffective. Or they could fail to take into account factors that are important for it to be effective.
2) When the solution is put into place. This could be when someone installs software on their computer or when they set up equipment. An example would be failing to change the password that comes with a new baby monitor, or using a weak password, or not having any password at all.
3) When the solution is being used. An example would be writing the password on a piece of paper and attaching it to the computer screen. Or having an alarm system for your home, but forgetting to turn it on when you leave the house.
All these kinds of failures can occur from a variety of causes, including:
* Lack of knowledge
* Carelessness
* Human error
* Inadequate planning
* Impatience
Certainly that is not a complete list of causes.
In addition, failures can occur as the result of the difficulty of trying to address a situation that is complex or that changes. That applies especially to security, where the difficulty is magnified by the common causes listed above.
Here are some thoughts on each of the stages where these kinds of problems can occur, and an approach to deal with them.
1) In the development of the solution. The consumer doesn’t have much direct control over how the manufacturer or designer creates the product. However, they can ask questions before buying, they can consider security as an important factor in their choice of which brand and model they purchase, and they can provide feedback to the manufacturer that security is important to them.
We have seen “fast food” establishments offer “healthier” choices as a result of public sentiment. If manufacturers and programmers know that the buyer will go somewhere else if the products don’t adequately address security concerns, they may begin to do a better job in the design of the products. In the meantime, by considering security and asking questions before purchasing (or having someone knowledgeable help in the purchase decision), the consumer can end up with a better choice from the selection of products available.
2) In the installation. By becoming aware of what is involved, the consumer can reduce the chances of making mistakes during installation. This may mean reading the directions, doing research, or simply asking questions of someone who knows what is involved.
Most people wouldn’t install a new furnace by themselves but would ask an expert. They would, however, install a new toaster (“just plug it in”) all by themselves. With computers, the installation issue can be tricky. Systems can be made relatively easy to install and seem more like installing a toaster. However, some security solutions address complex issues and installation may require “furnace” expertise even though it seems as simple as a toaster installation. Encryption solutions are one example of complex issues requiring precise implementation. Even though the encryption software may be simple to install, the “other factors” are extremely important. Ignoring those other factors results in a “broken” solution.
The answer to this does not require becoming an expert. However, it does require an awareness of which solutions require the greater level of expertise. Then, one can seek help when appropriate.
3) Use of the solution.
Knowing what things you need to watch out for (the threats and risks) and what things you need to do or avoid doing (practices) will help you avoid the most common mistakes. There is always the possibility of making a mistake, no matter how much knowledge one acquires. However, awareness of the issues goes a very long way towards avoiding the most common problems.
There are two main concepts I would like you to take away from today’s discussion:
* First, when someone makes claims about how good the security in their technology or solution is, remember that the way they implement it makes all the difference. They may say their product uses “state-of-the-art encryption” (or use some technical terms describing the type of encryption they use). They may say they use “two-factor authentication.” They may throw around words like “heuristics” or “adaptive technology” or some other impressive-sounding terms.
When these claims are made, remember that no matter how good the claim of their technology sounds, it can be seriously flawed if it hasn’t been implemented well. That happens frequently. There are products and solutions that are well-designed and the claims being made are valid. I just want you to recognize that a really good-sounding claim using all the right words may end up being a flawed solution. Don’t be seduced by their claim just because it sounds good. (Ways to address this include reviewing third-party evaluations, getting opinions from informed parties and/or experts, and asking questions.)
* Secondly, what YOU do with a product or other solution, both in setting it up and also in using it, makes a significant difference in whether or not it provides the desired results. The key to this is learning what is necessary to set up and to use it correctly. Whether you learn this by reading the directions and doing some additional research, or asking someone knowledgeable, or possibly “both of the above,” remaining secure requires you to be an active participant so you don’t end up “breaking” an otherwise good solution.
The other part of your involvement in the equation is to become aware of:
a) The risks and threats that you face
b) The options you have to address those risks
c) The pros and cons of the “solutions” that you have available to you
One additional element would be helpful to know:
d) A framework for making good choices amid the many threats and issues and the myriad of solutions to address them.
If you know “All of the above” (a, b, c, and d), you will be in a position to navigate the minefield and come out in one piece. Stick around and you will find all of that available, although it will take some time. When I say “some time,” I really mean a “little bit” of time on an ongoing basis as you learn a little bit now and a little bit more later.