Implementation

Today, I want to review another theme that we saw in several of the tips from last month. That is the idea that a good security solution can be “broken” if it is implemented poorly.

Let me give an example that will illustrate the idea of implementation.

A traffic light can be an effective method of controlling traffic and avoiding accidents at the intersection of two busy streets. However, implementation is important.

An example of poor implementation would be if the light were green at the same time in all four directions. Fortunately, traffic lights are implemented to stop traffic on one road before traffic is permitted to flow on the other.

Another example of poor implementation would be if one of the signal lights were positioned behind a sign or a tree branch, so that the oncoming driver has no way of seeing the signal until he is far too close to be able to stop. A city official might conceivably argue that people should slow down so that they can stop in time if the signal happens to be red. But, knowing that a lot of people won’t, that argument would be flawed. Those responsible for traffic lights need to make sure the signals are visible from a sufficient distance to allow drivers to respond safely.

A good solution needs good implementation or it becomes a poor solution.


Problems with implementation occur repeatedly in security. Some of the places we saw it last month include:

*   The “chip” credit cards. The use of the chip could result in a lot better protection than it does in the U.S. By allowing the customer to still swipe the card or, with many of the cards, allowing the use of a signature instead of depending upon the chip, security is weakened. Although we discussed that the European version still allows for fraud to occur, the American version is far weaker.

*   The banks’ handling of security questions to verify identity, using information that is not that difficult to obtain.

*   WiFi security, both public and at home

*   Backups, which even the technology experts at well-funded organizations regularly get wrong

Implementation failures occur in at least three areas:

1) When the solution is being developed. The manufacturer of the equipment, the programmer of the software, and/or the creator of the solution may try to incorporate a good security idea in a way that weakens it or renders it ineffective. Or they could fail to take into account factors that are important for it to be effective.

2) When the solution is put into place. This could be when someone installs software on their computer or when they set up equipment. An example would be failing to change the password that comes with a new baby monitor, or using a weak password, or not having any password at all.

3) When the solution is being used. An example would be writing the password on a piece of paper and attaching it to the computer screen. Or having an alarm system for your home, but forgetting to turn it on when you leave the house.

All these kinds of failures can result from a variety of causes, including:
*   Lack of knowledge
*   Carelessness
*   Human error
*   Inadequate planning
*   Impatience

Certainly that is not a complete list of causes.

In addition, failures can occur because of the difficulty of addressing a situation that is complex or that keeps changing. That especially applies to security, and the difficulty is magnified by the common causes listed above.


Here are some thoughts on each of the stages where these kinds of problems can occur, and an approach to deal with them.

1) In the development of the solution. The consumer doesn’t have much direct control over how the manufacturer or designer creates the product. However, they can ask questions before buying, they can consider security as an important factor in their choice of which brand and model they purchase, and they can provide feedback to the manufacturer that security is important to them.

We have seen “fast food” establishments offer “healthier” choices as a result of public sentiment. If manufacturers and programmers know that the buyer will go somewhere else if the products don’t adequately address security concerns, they may begin to do a better job in the design of the products. In the meantime, by considering security and asking questions before purchasing (or having someone knowledgeable help in the purchase decision), the consumer can end up with a better choice from the selection of products available.


2) In the installation. By becoming aware of what is involved, the consumer can reduce the chances of making mistakes during installation. This may mean reading the directions, doing research, or simply asking questions of someone who knows what is involved.

Most people wouldn’t install a new furnace by themselves but would ask an expert. They would, however, install a new toaster (“just plug it in”) all by themselves. With computers, the installation issue can be tricky. Systems can be made relatively easy to install and seem more like installing a toaster. However, some security solutions address complex issues and installation may require “furnace” expertise even though it seems as simple as a toaster installation. Encryption solutions are one example of complex issues requiring precise implementation. Even though the encryption software may be simple to install, the “other factors” are extremely important. Ignoring those other factors results in a “broken” solution.

The answer to this does not require becoming an expert. However, it does require an awareness of which solutions require the greater level of expertise. Then, one can seek help when appropriate.


3) In the use of the solution. Knowing what things you need to watch out for (the threats and risks) and what things you need to do or avoid doing (practices) will help you avoid the most common mistakes. There is always the possibility of making a mistake, no matter how much knowledge one acquires. However, awareness of the issues goes a very long way toward avoiding the most common problems.


There are two main concepts I would like you to take away from today’s discussion:

* First, when someone makes claims about how good the security in their technology or solution is, remember that the way they implement it makes all the difference. They may say their product uses “state-of-the-art encryption” (or use some technical terms describing the type of encryption they use). They may say they use “two-factor authentication.” They may throw around words like “heuristics” or “adaptive technology” or some other impressive sounding terms.

When these claims are made, remember that no matter how good the claim of their technology sounds, it can be seriously flawed if it hasn’t been implemented well. That happens frequently. There are products and solutions that are well-designed, and the claims being made about them are valid. I just want you to recognize that a really good-sounding claim using all the right words may end up being a flawed solution. Don’t be seduced by a claim just because it sounds good. (Reviewing third-party evaluations, getting opinions from informed parties and/or experts, and asking questions are ways to address this.)


* Secondly, what YOU do with a product or other solution, both in setting it up and also in using it, makes a significant difference in whether or not it provides the desired results. The key to this is learning what is necessary to set up and to use it correctly. Whether you learn this by reading the directions and doing some additional research, or asking someone knowledgeable, or possibly “both of the above,” remaining secure requires you to be an active participant so you don’t end up “breaking” an otherwise good solution.

The other part of your involvement in the equation is to become aware of:
   a) The risks and threats that you face
   b) The options you have to address those risks
   c) The pros and cons of the “solutions” that you have available to you

One additional element would be helpful to know:
   d) A framework to make good choices in the complex environment of the many threats and issues and with the myriad of solutions to address them.

If you know “All of the above” (a, b, c, and d), you will be in a position to navigate the minefield and come out in one piece. Stick around and you will find all of that available, although it will take some time. When I say “some time,” I really mean a “little bit” of time on an ongoing basis as you learn a little bit now and a little bit more later.

The Security Solution

One common misconception about security is that you go out and buy a security program and install it on your computer, and that the security software will keep you safe. It would be really nice if that was all that was necessary. But security is a lot more than just installing a security program.

As we saw through the month of October with the 31 security “tips,” security involves a lot more than something a single piece of software can address. Security software is an important part of the solution. But it is nowhere near sufficient to keep you safe.

Some of the things we talked about during National Cyber Security Awareness Month were:

* Misleading promises made by marketers (some of them fully believe they can deliver on those promises but don’t realize there are limitations)

* Power failures and lightning strikes (that can destroy data and/or equipment)

* Common human error (forgetting to save a file, deleting something)

* Criminals (who have added the use of computers and electronic communications to their arsenal in order to steal, extort, commit fraud, and ….)

* Features that enable ease of use and automation also result in additional risks. Lowering the risks may result in less convenience. Some people will find loss of convenience unacceptable.

* Security solutions that sound good but overlook important factors and don’t fully address the risks (e.g., the new chip credit cards; “remote wipe”).

* Sometimes, security is sacrificed in favor of profitability (app builders).

Many of these are not the kinds of things that security software can address. Some of these can be addressed by security software but humans who own the systems will find a way around them, often for the sake of convenience. In addition, criminals on a mission to conduct their crime will find a way around them. For a considerable number of reasons, security software is only part of the solution.

One of the main points I want you to take away from last month’s posts (in addition to learning a few specific things) is that keeping safe means you will need to become more aware and continue to learn more over the years. I am not suggesting you become an “expert.” Nor am I suggesting you undertake an extensive study in the field of security. For anyone who wishes to do that, great! I would be happy to discuss that with you.

However, for all the rest of you, I want you to learn a little bit at a time on an ongoing basis. I will be offering a way to do that which will be inexpensive, easy, and (hopefully) may even be fun at times. But, whether or not you learn from me, I want you to learn from somebody.

Again, security has no “silver bullet.” There is no single solution. There is no solution that will be able to address all you need to know and to do in order to remain safe, apart from the ongoing process of keeping up with the changing security environment. As we have seen, some of those threats extend beyond the cyber world into the real world and may affect your health and safety.

If we want to be informed about world events, we don’t watch the news for one day and then decide that we know all there is to know from then on. If you want to be informed of world events, you watch the news, or read the paper, or follow it online, on an ongoing basis. In the world of security, the threats and what we need to know to keep safe continue to evolve, and the same ongoing process is required. That is the closest thing we have to a solution for remaining safe.

Without this knowledge, more than likely, most of us will be lucky a lot of the time. But, it only takes one time to make you wish you’d taken it more seriously. Maybe it would be loss of data, maybe identity theft, or maybe just the cost and inconvenience of not being able to use your computer until it gets fixed or replaced. Don’t forget that, for a great many people, their computer will be compromised and will be used to attack other people or carry out other criminal activities, without them ever finding out that they are enabling these activities to occur by remaining unaware.

So, the first “theme” I want you to take away from the past month’s tips is that security has a lot of pieces and that a lot of remaining safe depends upon you learning more about it.

If I needed to boil it all down into one word, that word would be

“AWARENESS”

That is what I wish for you.

Copyright 2016 - 2018