Overcoming the Equation: Security = Friction

Why does security have to be so onerous? Is this password secure enough: Mxyzptlk? Wait, that might be vulnerable to a comic book dictionary attack (bonus points for Superman fans), so let’s add some numbers and special characters: M4xyZ!ptL#K. Not bad, but suppose policy requires 12 or more characters; we have to pad the password: 0M4xyZ!9ptL#K. Now that’s secure – good luck remembering it!

Small wonder the National Institute of Standards and Technology is now considering abandoning its standards for password complexity, arguing that with the rise of supercomputers, even complex passwords are too easy to guess to make them safe for securing anything really valuable.

We’ve migrated to a user ID and password society; as we’ve added layers of security, we password-protect each layer: PC (and now device), network, enclave, application, database, and storage (encryption). Don’t use the same password for everything, because if the bad guys crack one, they own you. We’re not done yet, though – badges for physical access, PKI, USB keys, SmartCards, soft certs, biometrics, Network Access Control, firewalls, IPS/IDS, SIEM … I could go on and on.

As administrators try to simplify the user experience and reduce friction, the cost for security goes up. User IDs and passwords are almost free. It’s much easier to use biometrics or a SmartCard to identify yourself to a system or application. However, those solutions require fingerprint readers, better encryption, key management programs, and card provisioning systems, all of which translates to more costly security infrastructure — and more people needed to manage it.

A telling example is the Department of Defense and its approach to mobile security. After investing in deployment of secure physical and cyber access via the Common Access Card (CAC), it made sense to leverage that investment in the mobile realm. However, to use CAC with an Apple iPhone, you need to buy a sled – an iPhone case with integrated card reader. The sled solution works well, but costs more than the iPhone!

Secure computing behavior can be ingrained into users, but it has to be built into both policies and culture. Working in secure government spaces for over 30 years, I lock my computer screen at home whenever I step away, have a strong password on my WiFi network, encrypt sensitive personal data, and have mirrored hard drives in my Network Attached Storage (NAS) device. However, that behavior is somewhat “old school” and the product of a very focused environment. Today’s computing culture is characterized by instant-on, always on, and always connected. Anything that slows you down, like having to enter a PIN to unlock your phone, is considered friction.

How do you decide what products, technologies and/or solutions to apply to security threats and vulnerabilities? There have been fairly specific demarcation categories up until now – endpoint security, perimeter security, data security. Those categories have exploded (email security gateways, packet capture analysis, DNS security, etc.) and blurred (firewalls that do endpoint security, database security products that detect insider threats, etc.).

Hewlett Packard Enterprise (HPE) and FireEye have come up with an engaging way to consider these issues in a business context – the Security Challenge! The game presents a threat scenario, e.g. a DDoS attack or spear phishing incident, and a budget to expend as you see fit to counter the threat. A simulated attack will then show you how well (or not so well) you’ve protected your enterprise, with some recommendations on how you could have done better.

Can we overcome the friction of security? As more computing devices and sensors become integrated in our daily lives, security becomes even more critical in protecting our privacy and safety. We have to develop security methods that are easy to use, yet provide sufficient protections to keep us safe. Games like the Security Challenge can help us better understand the pros and cons of a security solution as they apply to an organization’s mission, hopefully creating the equation: Modern Security = Frictionless.