Schneier on Security
A blog covering security and security technology.
May 2, 2005
Users Disabling Security
It's an old story: users disable a security measure because it's annoying, allowing an attacker to bypass the measure.
A rape defendant accused in a deadly courthouse rampage was able to enter the chambers of the judge slain in the attack and hold the occupants hostage because the door was unlocked and a buzzer entry system was not activated, a sheriff's report says.
Security doesn't work unless the users want it to work. This is true on the personal and national scale, with or without technology.
Posted on May 2, 2005 at 8:22 AM
Security won't work as long as it is a hassle. The children of tomorrow will find it less and less of a hassle, it is the children of today that are problematic.
I'm trying to decide which of Aesop's fables this is most like. There must be one. All I'm coming up with is locking the door after the horse is gone, and that's not a whole fable as far as I know.
Security is always a hassle. It's finding the right mix of hassle and freedom that makes the good CSOs float to the top. Education sometimes helps, but not everyone buckles their seat belt.
At the same time, some things done in the name of security (those done to benefit the state or republic, but don't provide "configurable" and well known benefits for the individual members of the public for instance) should probably remain a little less than effortless (at best) just to discourage abuse and to remind folks of their presence. Nothing is more worthless in my view than a security measure that isn't in some way observable by the "unprivileged" individual in some manner or another.
Just goes to show how, when irritating security systems are disabled, the designers can blame the user.
Hm, there must be some attacks based on this technique.
"I might need some help."
This is the understatement of the week.
Do something stupid, pay a price. Run an unexpected attachment, get shit duty. Bypass security measures or install unauthorized software, get canned.
"Security doesn't work unless the users want it to work."
That's not a comment that helps security. It's like saying government doesn't work unless citizens want it to work.
The real and difficult questions are:
What happens when the people charged with security have to convince everyone else to use security? Do they compromise, do they succumb to the least common denominator, or do they resort to manipulation and refusal of balance of power? Who among the users decides what is acceptable security? Is there an election, an appointment...and how do they verify that their intentions are being met?
From a risk perspective, everyone has their own view of the value, the known vulnerabilities, and the criticality of assets. Saying that everyone must agree is naive.
So how do you convey the complexity of that formula, and the tradeoffs from associated judgements, to a large user base? It is a lesson in political science more than security, as you will end up designing a process for users to agree to and adopt like common law. In other words, when risk is shared, users either elect representatives or they elect to abide by an existing political system (leader).
A door was not locked? Buzzer disabled? We do not know if these gaps were because the business processes were incompatible and users were forced to make a tough decision about risk/reward, or whether a select few users (out of step with the rest) were negligent in their duties. The latter is less a matter of "want" and more a matter of poor judgement. Since user desires and responsibilities are often weighted by level of experience and authority, we also should ask at what level the decision was made -- was it informal policy or at least common knowledge -- and whether detective controls existed or assessments are performed to measure compliance. Or, from another perspective, what if all the users EXCEPT for the users with the keys to the door want it locked?
The best way to get people to comply with your security procedures is to have the least amount of security needed to get the job done. Avoid security theater or gee-whiz solutions to problems which do not exist. If the solution is actually a good fit to the problem, users are more likely to respect the solution.
If people do not understand the need for a particular solution, we need to do a better job of selling the solution. The wrong way to approach that impasse is to just do a better job of jamming it down the consuming public's throat. People will always look for ways to bypass the security solutions they see as irrelevant, but if we do a better job of defining the problem being solved, people are more likely to comply.
Unless, of course, our solution is theater.
"the least amount of security needed to get the job done"
Yes, that would be ideal. It is an oft-repeated sales pitch to not oversell or overbuild, but that rarely happens in practice.
Moreover, take the situation cited by Bruce as an example of minimums. How much less security could the courts have had to get the job done? They only had a key lock and a buzzer. Even that was too much security by someone's standard. But that's not the point here. It's not the sum of controls that are the issue, it is the relevance/fit of the controls to the business process. Would a better solution have been proximity cards and an actively monitored audit log/alarm?
People often disable alarms because they may be prone to false positives and annoy everyone or generate a form of immunity (cry wolf). But why put in a critical control and then allow someone to disable it? I say this points to a much larger issue than whether users want security. For all we know, users actually want more and better controls (e.g. it is not hard to explain a "safer" work environment), but due to a conflict between existing controls and their job duties, they have no choice but to select the latter over the former.
People will tend to stop locking locks when the keys and the locks get so worn that operating them becomes tricky. Fixing the problem means forcing the budget item 'Replace all old cylinders and keys' to keep from falling off the bottom of next year's budget, or from being replaced by 'a cheaper alternative' (code for not fixing the problem but costing less).
"The best way to get people to comply with your security procedures is to have the least amount of security needed to get the job done."
From my experience, this works especially well in schools. The last school I was at had an obscene amount of security, and it always got in the way of what the majority of students were trying to do. Malicious students, on the other hand, quickly discovered ways to get around security, so it didn't do any good. The school I'm at now, on the other hand, keeps computers far more secure without intruding into everyday tasks, so most students don't even know there is any security. Mostly I attribute this to Windows security - the previous school used Windows 95/98, whereas the current school runs Windows 2000, so permissions prevent most malicious software from installing. I didn't know this when I first arrived, but when I got to know the (now ex-) sysadmin, he told me that he figured there wasn't much that students could do (due to permissions) so he would only block things if there was widespread abuse.
Do I need to mention that the first school employed a security consultant (at a salary rumored to be $150/hour) while the second had only a single network administrator (with no classes to teach) who earned a reasonable wage (< $60,000/year)?
Interesting fact: one of these schools is private and the other is public. Care to guess which?
Quadro: I am guessing that the second school is public because public schools normally get their computers on a three year lease or so. This ensures that the computers never really work because they aren't properly maintained, while giving the voters the impression that their school incorporates cutting edge technology.
More fun trivia: which typically has higher school budgets, crime ridden urban schools with metal detectors and guards at the doors, or suburban schools with relatively low crime rates? The answer: they are about the same, because the suburban school usually pays parking lot attendants to keep the student and faculty cars safe for the entire school day, which ends up costing about the same as having two people staff a metal detector for an hour in the morning and afternoon and then one person for the rest of the day.
> That's not a comment that helps
nothing bruce has said on this 'weblog' has helped security, imho. mostly useless 'headline-grabbing' crap.
this post is almost unbelievable; a snide remark and attack on a tragic incident. almost sounds like: 'it's their own fault they got killed'. well done, bruce.
Well, they are at fault, but not blameworthy. The judge screwed up; therefore the defendant succeeded in murdering en. Just like it's my fault if I open an attachment that puts a virus on my computer and disables it, though the ultimate responsibility rests on those who created the virus.
I'm wondering currently if there's a way to design a courthouse to make it more secure. If the bench were separated from the courtroom (by a high railing, for instance--raise the judge's position) and the only access points to the chambers outside the building or behind the bench, it would be much easier to protect the judge--just lock the outer door and seat a guard behind the bench. On the other hand, once someone had access to the chambers, it'd be that much easier to assassinate the judge.
Is this a general trend--that increasing security makes it easier to exploit a system once it's penetrated?
There was an incident where a university student was raped and murdered. Several doors with automatic locks had been propped open (possibly for the sake of convenience). The victim's family brought suit. It was found that security at the university was lacking and that information about on-campus crimes had been withheld from the students. http://www.securityoncampus.org/lawyers/...
It is not clear to me who 'disabled' the security systems in the article: the 'user' (judge), the 'security' people (sheriffs, bailiffs), or 'other'.
The article seems to indicate that the judge was trying to take some extra precautions.
If the security staff 'disabled' the mechanisms - then this paints a very different conclusion. Anyone have tons of logs that ought to be parsed? How about turning down the alarms on IDS's? ...Yes boss, we got them installed...
Carl Ellison sums up security quite nicely - ``The userbase for strong cryptography declines by half with every additional keystroke or mouseclick required to make it work"
He wasn't handcuffed.
He should have been 'cuffed to the dock.
Then he'd have to get out of the dock before he could do anything.
Yes, there were other security measures that should have been in place, but they should have thought of the simple stupid things first. He was accused of a violent crime; he had been caught with concealed weapons before going to court. It was stupidity and complacency that caused this.
Defense in depth.
The biggest key to successful security is working with, not against, human nature.
While people like being secure, only security managers like 'security', the labyrinth of controls and ritualization deemed necessary to theoretically prevent all manner of attack. What is overlooked is that people do not fit in a system as a piece of software or equipment does. They actively (and correctly) resent arbitrary controls. There are few places more secure than a prison.
It might also be argued that more people die from heart attacks in court houses than from incidents like this recent one. Alas, rather than learn the obvious lesson of paying more attention, and looking for obvious carelessness, millions of dollars in 'studies' and countless draconian regulations will be implemented in the panic driven need to 'make courts safe' (ie much more like prisons).
A non security example: my local post office (typical government thinking: control) put up a chain link fence and brick wall to prevent people from taking a shortcut from the parking lot to the front walk, when a much more sensible solution would be to simply pave the path that most people were already taking.
possible attack - car theft:
spray the joints of the doors of a target car with a brine mist. The sensors corrode, and the alarm starts to go off at random in the night. Owner is miffed by being woken every night, and no longer activates the alarm...
The most common reason for the doors propped open/locks disabled that I've seen is that the people designing a security system underestimate the number of people who need access to a particular place. They decide that only the occupant of the office can have a key. In reality, their assistant needs to get in while the boss is travelling, or in a meeting.
I can easily imagine that only the judge and bailiff had keys to the office. But what about the law clerk who needs to drop off papers? The door is left ajar.
People will do what they need to do to get their jobs done. Conflicts need to be handled at the highest levels - i.e. dropping job requirements.
Easier approach, just nudge the car every night...
Interesting thought, but both schools acquire new computers on a 4-year (used to be 3, but they realized that their systems now remain acceptable longer) schedule. Neither school has ever done proper maintenance, but they still brag to parents and taxpayers that they're on the cutting edge.
The first school (with the overzealous security) was public and the second is private. At the school I'm at now, there is a parking lot guard/attendant/guy who basically yells at students for parking poorly and a security guard on duty whenever the building is open. Students hate the security guard because he doesn't seem to be doing anything except getting them in trouble, and they blame him for a student getting mugged in the (unmonitored) back parking lot. The administration "solved" this problem by adding a camera there for him not to watch.
We often despise what is most useful to us. ~Aesop's Fables
Security should be viewed as a business process; not a collection of technical vulnerabilities (the door lock in this case) to be exploited. Users are hardly ever stakeholders in the process of identifying and employing a better security model, and thus they do their best to get around it. Education and training is the key.
Physical security is easy to implement if you have some time & money, but good "user friendly" security is hard to implement & takes more time & money.
So we usually get easy, cheap & quick security instead of the latter.