Users Are Not The Enemy, A. Adams and M. A. Sasse. Presenter: Jonathan McCune, Security Reading Group, February 6, 2004.

Presentation transcript:

2 Introduction
Users have too many passwords
Users misunderstand different security properties
How many different logins do you use every day?
Here are a few screenshots from sites I use almost every day…

3 WebISO

4 Root Passwords

5 Group Website Passwords

6 Student Services

7 Yahoo Mail

8 Developer Support

9 Club Activities

10 Preliminaries
Identified problems:
–Insecure work practices
–Low security motivation
This paper identifies the cause
Focus on passwords for authentication
Analyze rationale behind security policy
Results from:
–Interviews with users and administrators
–Web questionnaire
Finish with recommendations

11 The Problem
“Users … perceive many security mechanisms as laborious and unnecessary – an overhead that gets in the way of their real work.”
“… security departments typecast users as ‘inherently insecure’: at best, they are a security risk that needs to be controlled, at worst, they are the enemy within.”

12 The Problem
SysAdmins perceive users as ignorant regarding security
Users often do not understand the rationale behind password security
–Mechanisms seen as annoying or unnecessary
–“Who would guess my wife’s maiden name?”
SysAdmins think users do understand security and intentionally disregard it
Result: reduced effectiveness of security mechanisms in practice, or even hostility!

13 Users Lack Security Knowledge
Need-to-know principle has a negative impact on security
Users do not understand the rationale behind security policy
Example:
–Private data viewed as sensitive
–Commercially sensitive information (customer databases, financial data, …) thought to be less sensitive
Policymakers must educate users!

14 Users & Security Policy
Users left out of the policymaking process
Users construct their own models of security threats – often wildly inaccurate
Positive feedback on printed-document techniques:
–Confidential
–Not for circulation
Users will comply with a straightforward policy that they understand

15 Too Many Passwords
Users often complain about having too many passwords, therefore:
–They write them down
–They use the same password for multiple systems (Yahoo, corporate, online banking)
–They use related passwords (name1, name2, …)
A break on one is a break on many
Exacerbated by password expiration
–Password lifetimes must be chosen carefully

16 Too Many Passwords
Recall last week’s presentation…
It may be easier for an attacker to spoof the Yahoo mail website than a bank’s
Even if passwords are distinct, users can become confused and enter the “other” password
I do this a lot
–When I forget a password, I tend to try passwords that I use on other sites

17 Password Ownership
Associates the password used to access a system with the actions performed
Audit trail yields increased accountability for users and their actions
–Reduces the likelihood that users leave their passwords accessible to other employees
Enhances the sense of team for groups
Reduces illicit usage
General increase in security awareness
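The accountability argument on this slide is easiest to see on an audit log. The following is an added example (not from the paper or the presenter) that attributes constructed audit events to people: events from individually owned accounts map to one person, while events from a shared account cannot be attributed to anyone. The log format, the account registry and the account names are assumptions made for the demo.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (not from the paper); the format is assumed.
SAMPLE_LOG = """\
2004-02-06T09:01:12 account=jmccune action=export table=customers
2004-02-06T09:03:45 account=labadmin action=delete table=financials
2004-02-06T09:05:02 account=asasse action=read table=customers
2004-02-06T09:07:30 account=labadmin action=export table=customers
"""

# Assumed account registry: an individually owned account identifies one
# person; a shared account identifies only a group, so its events cannot be
# tied to the individual who performed them.
ACCOUNT_OWNERS = {"jmccune": "J. McCune", "asasse": "M. A. Sasse"}
SHARED_ACCOUNTS = {"labadmin"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) action=(?P<action>\S+) table=(?P<table>\S+)$"
)


def parse_line(line):
    """Parse one audit line into a dict, or return None for malformed lines."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def attribute(log_text, owners=ACCOUNT_OWNERS, shared=SHARED_ACCOUNTS):
    """Split audit events into those attributable to a named person and those
    that are not (shared or unknown accounts). Returns (attributed,
    unattributable) where attributed maps person -> [(action, table), ...]."""
    attributed = defaultdict(list)
    unattributable = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        account = event["account"]
        if account in owners and account not in shared:
            attributed[owners[account]].append((event["action"], event["table"]))
        else:
            # Password ownership is absent: the audit trail stops at the account.
            unattributable.append(event)
    return dict(attributed), unattributable


def accountability_ratio(log_text):
    """Fraction of parsed events that can be tied to an individual."""
    attributed, unattributable = attribute(log_text)
    total = sum(len(v) for v in attributed.values()) + len(unattributable)
    return 0.0 if total == 0 else (total - len(unattributable)) / total


if __name__ == "__main__":
    people, orphans = attribute(SAMPLE_LOG)
    for person, events in people.items():
        print(person, events)
    for event in orphans:
        print("UNATTRIBUTABLE:", event["ts"], event["account"], event["action"], event["table"])
    print("accountability:", accountability_ratio(SAMPLE_LOG))
```

On the constructed log, both of the sensitive operations performed through the shared labadmin account (a delete of financials and an export of customers) end up in the unattributable list, which is exactly the gap that per-user password ownership closes.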

18 User Password Education
Inadequate knowledge of password procedures, content, and cracking
Concepts of a secure password:
–Resistant to dictionary attacks
–Keep it a secret – don’t tell others
–Don’t write it down
Stop the misconception: “What are the chances of a complete stranger guessing ********?”
Perceived low risk of cracking because their role in the organization is not important
Treated user IDs like passwords

19 Sloppiness Spreads
There is more to passwords than just choosing good ones
Users forced to use too many passwords or hard-to-remember passwords behave insecurely, e.g., write down passwords
Lowers users’ regard for security arrangements and policies
Leads to increased password disclosure

20 Unworkable User Behavior
Poor security mechanisms create overhead
Makes it hard for users to do their job
Many users try to circumvent security
Cognitive overheads introduced by security mechanisms reduce users’ motivation
Policies based on FIPS are not influenced by communication with users – bad

21 Policy Improvements Summary
Policymakers must understand users’ knowledge and skill level
–User education, publicize policy
Consider single sign-on
Password ownership
User-centric approach to security
Need-to-know is not always a good idea
Accept that users can be motivated to behave in a secure manner

22 Password Recommendations
Constructing secure passwords requires:
–Training to combine secure with memorable
–Interactive password selection process
No more than 4 or 5 passwords
Users must perceive the need for security
–If the organization doesn’t take it seriously, users won’t either
Password mechanisms must not get in the way of worker productivity
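Slides 15, 18 and 22 together describe what an interactive password selection process should catch: dictionary words under trivial mangling, passwords reused across systems, related passwords of the name1/name2 kind, and guessable personal facts such as a spouse’s maiden name. The following is an added example (not code from the paper or the presenter) of such a checker. The wordlist, the length and similarity thresholds, and the function and parameter names are assumptions; a real deployment would load a full cracking dictionary, and the old password is available in plaintext only because the user types it during a password change.

```python
import re
from difflib import SequenceMatcher

# Constructed sample wordlist. Assumption: a deployment loads a large cracking
# dictionary here rather than a handful of words.
COMMON_WORDS = {"password", "welcome", "letmein", "summer", "dragon", "monkey", "qwerty"}

# Keyboard substitutions that dictionary attacks undo as a matter of course.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 12        # assumed policy value, not taken from the paper
MAX_SIMILARITY = 0.8   # assumed threshold for "related password"


def normalized_forms(pw: str) -> set:
    """Base forms a dictionary attack would try: lowercased, with leading and
    trailing digits/symbols stripped, with and without leet substitutions undone."""
    s = pw.lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)
    return {s, s.translate(LEET_MAP)}


def is_dictionary_based(pw: str, words=COMMON_WORDS) -> bool:
    """True if the password is a dictionary word under trivial mangling,
    e.g. 'Summer2024!' or 'P@ssw0rd1'."""
    return any(form in words for form in normalized_forms(pw))


def strip_counter(pw: str) -> str:
    """Drop a trailing counter so 'name1' and 'name2' compare equal."""
    return re.sub(r"\d+$", "", pw.lower())


def too_similar(new: str, old: str) -> bool:
    """Detect the related-password pattern (name1, name2, ...) from slide 15."""
    if strip_counter(new) == strip_counter(old):
        return True
    return SequenceMatcher(None, new.lower(), old.lower()).ratio() >= MAX_SIMILARITY


def evaluate_password(candidate, current=None, other_systems=(), personal_terms=()):
    """Return the list of policy problems for a candidate password; an empty
    list means it is accepted. `current` is the password being replaced (typed
    by the user during the change), `other_systems` are passwords the user
    submits for a voluntary reuse check (assumption for the demo), and
    `personal_terms` are facts about the user that are easy to guess."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if is_dictionary_based(candidate):
        problems.append("dictionary word with trivial mangling")
    if any(candidate == other for other in other_systems):
        problems.append("already used on another system")
    if current is not None and too_similar(candidate, current):
        problems.append("too similar to the password being replaced")
    low = candidate.lower()
    if any(term.lower() in low for term in personal_terms if term):
        problems.append("contains personal information")
    return problems


if __name__ == "__main__":
    # Constructed inputs for illustration.
    for args in [("hunter2", {"current": "hunter1"}),
                 ("P@ssw0rd2024!", {}),
                 ("Wilson1985xyz!", {"personal_terms": ["Wilson"]}),
                 ("correct horse battery staple", {})]:
        print(args[0], "->", evaluate_password(args[0], **args[1]) or "accepted")
```

Returning a list of specific problems rather than a bare accept/reject is what makes the process interactive in the sense of slide 22: the user learns why a choice was rejected instead of guessing at the policy.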

23 Conclusion
“System security is one of the last areas in IT in which user-centered design and user training are not regarded as essential – this has to change.”

24 Questions?
Thanks for your attention