In the area of information security, it appears that progress is being made in the development of element technologies, but there is still a long way to go before these technologies are used in an integrated and systematic way. There is no shortage of information security users who are misled into thinking that just because the front door is locked, they can leave the side doors open, or that just because the door is strong they can forget about bolstering the lock.

While following what is logical does not guarantee good security, it is clear that security can by no means be achieved in the absence of consistent logic. Being a follower of social science who had learnt economic philosophy at university, I have looked at the misguided logic that pervades the security industry and is accepted as common knowledge. Here, I present some basic guidelines for the people involved in information security. (This paper was built on a thesis entitled "Information Security Under Threat from Fallacious Logic and Misconceptions" presented at the Convention of the Japan Society of Security Management held on June 18, 2005.)

1. Introduction: The very first step towards security is personal verification

The means of personal confirmation, which identifies an individual (who is he/she?) or which verifies the identity of a person (is he/she the person he/she claims to be?), is the most fundamental of the elements underpinning our social life. If it is not properly handled, we would not be able to function as a society. This is also true in a networked society, and if user verification is not properly provided, even the most advanced encryption and effective security technologies will not work. In other words, personal verification is more than just one element technology in security, and is the very foundation upon which all the security measures can be built. It is a given condition for any security considerations.

During my time at Kyoto University’s Faculty of Economics, I belonged to Professor Yuuzou Deguchi’s economic philosophy seminar, where I sought to study decision making as economic activity, human behaviour in general, and rationalism in particular, in both philosophical and historical contexts. After working as an office worker in a blue-chip company and as a field worker on a civil engineering construction site, I gained experience in a wide variety of fields, which included consulting on international business development and mediating in technology transfer projects.

After 35 years of business experience filled with ups and downs, now at the age of 58, I at last feel that I am able to see people and society as they are, without relying on unrealistic or idealistic conceptions.

Probably having a vastly different background to many of those involved in the IT industry, I have attempted to look from my own perspective at the misguided conventional wisdom and the illogical debate affected by technology-fetishism that pervades the information security industry and academia. The discussions relate entirely to personal verification.

2. Examples of misguided logic and my discussions

Misconception 1 – If one person can do it, anyone can do it: Passwords must be a random string of at least eight alphanumeric characters and need to be different for each account. They should be changed every few months, and they should not be written down anywhere.

Similarly, PINs (personal identification numbers) for each of our bank cards, credit cards, lockers, etc., should be all different, should be changed as often as possible and must not be written down and carried around.

Discussion: This is an argument that you hear everywhere, and is probably the most illogical of all these illogical arguments because basically it is saying that you will be safe if you do something that you cannot do! This is like saying that, if there are a few people in 100 that can do something, then all 100 must be able to do it.

I think very few people would follow an emergency evacuation plan whose author reasoned that, since some people can do one-handed chin-ups and run 100 meters in 12 seconds, all the residents are supposed to do the same. However, in the information security industry, you have no difficulty in finding people who endeavour to strictly enforce such rules, and others who either diligently follow them or pretend to.

* Related topic - Security is improved by the three-time rule:
The idea that security is improved by limiting the number of password input attempts to three times, for example.

Discussion: This is an armchair theory that does not take into account the fact that users are just ordinary people. By limiting the number of attempts to three, this just puts added pressure on users, which ultimately results in them either choosing the easiest possible PIN or carrying their written PIN around.

The idea is that restricting the number of four digit PIN input attempts to three times reduces the possibility of unauthorized access to 3 in 10,000. However, this is nothing more than wishful thinking that has resulted from ignoring the psychological nature of human beings.

A thief who knows this rule would stop after two attempts, go somewhere else and try another two times, so they can easily circumvent the three-time rule. On the other hand, if you tell a bank card user that they will not get access to their funds should they enter their PIN incorrectly three times, the user will try to pick the sort of four-digit number that they are sure they will never fail to recall even in a hurry. There are very few possible four-digit combinations that people know they can recall even if they only expect to use them once or twice a month.

As the scope of application of the three-attempt rule expands, users gradually feel more and more stressed, which leads more and more people to pick the same PIN for their mobile phones as they have for their cash cards. There are cheap tools available off-the-shelf for deciphering mobile phone PINs, so a thief who has successfully stolen your mobile phone will have a good chance of stealing your money if your PIN is the same. The absent-minded operation of the three-time rule does nothing more than make thieves happy.

* Related topic – Letter-based passwords are cheap to use:
Passwords are the cheapest form of personal verification available.

Discussion: It is easy to see the operational costs associated with passwords. All you need to do is to stop touting the strict management of passwords and instead bring forward the question of absolute liability. All that administrators need do is to announce that the responsibility for damage incurred by unauthorized access gained using a password shall rest with the owner of that password.

This means that employees will be afraid to use passwords that are based on their personal information, as that information may be already known to their colleagues. Even if they try to hide their notes of passwords, there are very few lucky ones who are able to find a secret place around them at work unknown to their colleagues.

If they cannot use personal information or hide their written passwords, they will have to remember long and random passwords. If employees were just robots made of protein, the problem would have been solved. But, employees unfortunately being humans, requests for re-issuance of fresh passwords would erupt. It is said that it costs around 300 dollars a year to manage one employee’s passwords.

For every policy there is a countermeasure, which means that for every security policy that is being touted, there are many cases where it falls on deaf ears. Administrators request employees to use different passwords that are long and inorganic for each of their accounts and to change them frequently. Senior people hesitate to admit in front of juniors that this is something they cannot do, and since the senior people will not admit they cannot do it, the juniors cannot either, so the strict management of passwords by employees ends up being just superficial. What they cannot remember and recall, they will try to hide as a written note somewhere on or near their desks, but any good place that one person thinks is appropriate may well be the place that all the other people also think is appropriate. A situation emerges where all the employees are potentially sharing each other’s passwords.

This is typical of the situation we see in the sort of companies that just keep touting a strict password management policy. There, just as in the companies where passwords are not managed at all, not only do they become victims of security breaches, but their password management costs are made invisible.

We need to note that, in many cases, passwords are used in conjunction with other verification methods that claim to be more economical than the costly password system.

There are actually such verification systems vendors that emphasize how expensive password management is, and then stress how inexpensive their particular product is by comparison. However, these products in reality depend on the parallel use of passwords.

This may not need any further explanation to the readers, but I would like to go into a detailed analysis for regularity’s sake, as follows:

A. Where α is the PIN (or password) management cost and β is the cost of using another product, the actual management costs associated with this product would be α + β.

B. This product claims that β < α. It goes without saying that both α and β are positive values.

C. For this product, [α + β < α] holds true.

This is a funny way of looking at it, but surprisingly enough, there are very many people who are actually convinced that these products are more economical than password systems.

Misconception 2 – Holding something is enough: It is difficult to safely manage bank card PINs, which means that PINs are not safe. But this is not to say that bank cards that come with unsafe PINs are not safe. If the unsafe PINs are taken out of the equation, the bank cards should be safe, and therefore a method of using just the bank card without a PIN should be advocated to reduce card-related crime.

Discussion: Anyone should be able to see that this is nothing more than a joke. Then, what about the next argument?

‘It is difficult to safely manage passwords. Managers are provided with IC cards or USB keys on which passwords are stored, and the password is automatically transmitted when these cards are inserted. When people do not carry IC cards or USB keys, data cannot be accessed and security is protected’.

Without even getting too far into it, it is obvious that this argument is the same as saying that you can withdraw funds so long as you have a bank card with you. We actually see many cases where such measures are presented under grandiose-sounding names such as confidential data leakage prevention solutions and unauthorized access prevention solutions.

Misconception 3 – Making the door stronger makes the lock safer: The idea that if the lock on the front door is not strong enough, users can make the door stronger, and that there is then no need to worry about the lock now that the door is more secure.

Discussion: In the physical world it is easy to see that making the door stronger is no replacement for making the lock stronger, but in the virtual world we see many examples of this, where people seem to get caught up in rhetoric such as the following.

‘I installed PKI, as passwords are unreliable’. (PKI is password-based.)

‘I am worried about the weakness of PINs, so I use a two-layered security IC card that generates a one-time password’. (PINs are still used to verify the IC card holder.)

‘Because I was told that passwords are no good, I adopted a method whereby only those people that have mobile phone handsets that have passed one-time verification are granted access’. (What if the handset is stolen? It is protected by a 4-digit PIN.)

‘Because magnetic cards can be easily faked, I switched to using an IC card’. (A 4-digit PIN is used for operation.)

‘I am not worried about data leaks, as important data are stored in dispersed locations’. (Access by administrators with central authority is verified using passwords.)

Misconception 4 – An improvement in encryption strength leads to an improvement in security: If encryption strength is improved, this will provide better security.

Discussion: This holds true only if fail-safe measures to prevent the theft of encryption keys are in place. This argument needs certain prerequisites.

We need not point out the usefulness of encryption technology to protect data securely. However, the major sore point here is that no improvement in security through the use of encryption products will exceed personal verification capabilities. No matter how long the encryption key is, say, 64 bits, 128 bits or even longer, when passwords with only a few bits of effective strength, or an equally vulnerable means, are employed for personal verification, the overall security strength will only be equivalent to such a short bit length.

Another weak point relates to the management of encryption keys. Attackers that obtain the keys are not faced with 64-bit or 128-bit encryption. If encryption keys are stored and carried around in some sort of device, there is nothing that can be done should that device be stolen. If the keys are hidden within programs, all the users of the same device would be placed at risk should the attackers find out how the keys are concealed.

Therefore, it is imperative that if you are going to use encryption for strong data protection, due consideration must also be given to strengthening personal verification and key management at the same time.
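The arithmetic behind the three-attempt discussion and the weakest-link point above, as an added example that is not part of the original paper: it compares the "3 in 10,000" figure with a case where users cluster on memorable PINs, then caps a 128-bit key at the strength of the verification step that releases it. The 20% share and the 10 popular PINs are constructed figures, not measurements, and all function names are hypothetical.

```python
import math

PIN_SPACE = 10_000  # four decimal digits, as in the text


def uniform_pins(space=PIN_SPACE):
    """Every PIN equally likely: the assumption behind '3 in 10,000'."""
    return [1.0 / space] * space


def clustered_pins(popular, popular_share, space=PIN_SPACE):
    """CONSTRUCTED model, not measured data: `popular_share` of users pick
    one of `popular` memorable PINs; everyone else picks uniformly."""
    rest = space - popular
    return ([popular_share / popular] * popular
            + [(1.0 - popular_share) / rest] * rest)


def success_within(pin_probs, attempts):
    """Chance that the `attempts` most likely PINs include the user's PIN,
    i.e. the exposure that an attempt limit still leaves behind."""
    return sum(sorted(pin_probs, reverse=True)[:attempts])


def verification_bits(pin_probs):
    """Min-entropy in bits: strength against the single most likely PIN."""
    return -math.log2(max(pin_probs))


def system_bits(key_bits, pin_probs):
    """Weakest link: a key released by a PIN is no stronger than the PIN."""
    return min(key_bits, verification_bits(pin_probs))


if __name__ == "__main__":
    ideal = uniform_pins()
    real = clustered_pins(popular=10, popular_share=0.20)  # constructed
    for name, dist in (("uniform", ideal), ("clustered", real)):
        print(f"{name:9s} 3 tries: {success_within(dist, 3):.4f}  "
              f"verification: {verification_bits(dist):.1f} bits  "
              f"with 128-bit key: {system_bits(128, dist):.1f} bits")
```

Under the constructed clustering, the exposure within three tries is 200 times the uniform figure, and the 128-bit key is capped at under 6 bits.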

Misconception 5 – Using a thin client is effective: If non-volatile memory media is installed in the terminal device, data leaks cannot arise even if the device is stolen.

Discussion: People need data for their job, so they need to connect to a server via a network in order to work. If personal verification at the time of access is weak, this exposes all the information handled by that user to be freely viewed by a malicious attacker. In other words, this argument does not hold true unless personal verification at the time of access can be relied upon.

We need to realize that just using thin clients without any improvement in personal verification may only actually make them more vulnerable than if they were to store data on the devices with proper owner verification and encryption.

Misconception 6 – Criminals don’t have the ability to learn: If a mobile device is lost, the data on it can be erased remotely, so it is safe to store confidential data on the device.

Discussion: Malicious people do have the ability to learn. When they steal a device, they may well have learnt to turn off the power and take it to a place out of range to try and steal the data, so there is no way this crime can be prevented by this method. On the other hand, legitimate users, believing what providers have told them, store large volumes of sensitive data on such devices, which could result in massive damage for them should these devices be stolen.

Furthermore, if personal verification is weak, a malicious attacker may be able to gain unauthorized access to, and delete, data stored in a mobile device that is still in the owner’s possession. So, not only does this assumption mean that the measures employed are ineffective, but it could even be considered reckless.