Information Security in the Real World. Confidentiality, Availability, Integrity, Practicality.

Tuesday 23 March 2010

Low hanging fruit, outrunning lions and other clichés

It's a fallacy common outside the Infosec world (and to an extent within too, regrettably) that we need to totally lock down our systems and make them impenetrable. Hence the endless debates about optimum password length and strength, key length, multiple-factor authentication - often conducted online between two or more antagonists who swear they are "right", that there is a correct answer. Like we could, say, set all passwords to 14 characters including two each of upper, lower, numeric and national, at all times, cos that's optimal. Like when processing money over £100 we demand a one-time password from a token and two memorable dates. Job done, let's hit the pub.

But it's not like that. Authentication strength comes at a price, and that price is usability. If your online bank requires three pieces of personal info, a token and an out-of-band communication (e-mail, phone call) just to pay your overdue library fine, then your customers will go elsewhere. However, if you don't insist on all of these things when they wire £10k to a relative in Africa, then they will rightly be suspicious that you are not protecting their money.

In truth, to stay competitive we have to walk a very narrow line between usability and security. Cybercriminals are mostly lazy individuals who go after "low hanging fruit". Make yourself harder to defraud than your immediate competitors and you will avoid a lot of trouble.

It's like an old joke: a safari jeep breaks down in the Serengeti, just a long lens away from a pride of hungry lions. The tour guide takes off his boots and starts putting on Nike running shoes. "You'll never outrun a lion in those" remarks a tourist. "No need," says the guide, "as long as I outrun you."
