Plausibility + Dread + Novelty = Compromise

People want security, but they don't want to see it working. And when it gets in the way some people go to great lengths to disable or circumvent it. Yet, as Bruce Schneier explains very well in two of his books, [17] good security relies on the interaction of people with computers to make security decisions: checking the name on a digital certificate, avoiding the allure of e-mail worms with sexy subject lines, scrutinizing JavaScript warning dialogs.

[17] Secrets and Lies and Beyond Fear are both excellent reading.

In many instances when interacting with security systems, people are transferring their volition to a software program. Are you really signing that e-mail? Of course not; you're asking the computer to apply a digital signature on your behalf. What if volition can be forged? Say a Trojan horse feeds a malicious document into the signing system while the key is open to sign something else. We don't know of any attack like this right now, but could it happen?

Humans are poor exception handlers. They just want to get their jobs done, and they quickly grow frustrated when the computer becomes uncooperative. Computer mistakes are rare, and when they do happen, people simply don't know how to deal with them. They often disable or ignore alarms (this is why we don't really like intrusion detection systems all that much: their alerts often go ignored) and rarely read the complete text in dialog boxes. Admit it: when you see a dialog like this:

Figure 5-1. Warning dialog box for an outbound connection.


Doesn't your mind really process this instead:

Figure 5-2. Prototypical mental substitution of warning dialog box text.


Maybe you read and understand the actual question, but most people don't. Asking users whether they want to be infected has always proven to at best delay the problem. Given a sufficiently tempting selection of dancing pigs, and sufficiently detailed instructions for how to make them appear, users invariably find ways to circumvent just about any security measure you put in place.

Attackers know all about how people are vulnerable and have no qualms taking advantage of mistakes and fears. Learn and understand their techniques so that you can properly configure your people to build the strongest human defensive layer you can.



Protect Your Windows Network: From Perimeter to Data
ISBN: 0321336437
Year: 2006
Pages: 219
