Good security
2012-04-25At my former job, I was involved with a group called the SWAG - The Secure Web Applications Group. One hotly debated topic was identity management and central authentication. For months the SWAG discussed plans we could implement to improve the security of our network and the various web applications that run on our network. Of course, this is a group of computer nerds. So we discuss things like how to properly salt your SHA2 password hashes, which database abstraction to use in order to avoid SQL injection, and the best way to prevent session hijacking. These things are important, but also highly technical. It struck me that sometimes we focus too much on the technology, and we miss the simple yet often more dangerous security vulnerabilities: human beings.
For example, a faculty member asks me to help them with their email. Nine times out of ten, and this was one of the nine, the problem is a forgotten or expired password. A quick call to the help desk to change the password and voilá, the spam cometh forth. Did you catch the potential security problem? Did the help desk ask me to verify my identity? Nope. He fired up his management console, asked me for the password I would like to set, (another security problem) and boom, password is changed. I could have easily told the guy I wanted to change the password of the president's exchange account and he probably would have done it. I wasn't even trying that hard either. I could have made up some grand story like "Hi, this is Sam over in the president's office. I'm providing on site technical support for the president, whose laptop was recently run over by a maintenance van. The president can't remember her password and it was saved on her now flattened laptop. Could you change her exchange password to 12345? Thanks!" (I realized later this probably wouldn't have worked because the help desk has caller ID.)
This got me thinking, what's the point of implementing the most cutting edge security measures if I can circumvent them completely with a phone call? Good security has to include educating staff about clever social engineers and having great technology. I actually had a faculty member respond to a phishing attempt thinking it was central IT, and when I looked at the email, it took me a second to realize it was a fake. The giveaway was a technical detail about our network that was way off in the email, but the victim could not have known such a detail. As technology specialists, we have to be vigilant about the more organic security vulnerabilities, and sometimes that means we have to come up out of the depths of uber-nerd world and think about normal people.