Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

10/9/2019
02:00 PM
Lysa Myers
Lysa Myers
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

A Realistic Threat Model for the Masses

For many people, overly restrictive advice about passwords and other security practices is doing more harm than good. Here's why.

I'm one of those people who has made fun of password books for being an example of horrible security practices. But I'm starting to realize that I was wrong. For some people, overly restrictive security advice is doing more harm than good. For those who can't easily navigate more secure solutions, writing a password down and keeping it locked up in your home is far better than reusing passwords.

While threat modeling is something we often ask businesses to do to determine the level of risk posed by certain vulnerabilities, we seldom ask individuals to do the same thing. Instead, we just give everyone the same sort of blanket suggestions, often implying that it's necessary for everyone to protect themselves against state-sponsored attackers.

This can lead to people devaluing threats that realistically could come from within their own homes, such as in the case of domestic abuse, which in this day and age almost invariably includes monitoring the victim, including online. Bottom line: When hurdles are so massive that using computers becomes impossibly difficult, people give up, opting instead to do as little as possible to protect their data and devices.

This is definitely a case where "perfect is the enemy of good."By dissuading people from using more convenient and usable security methods, we're discouraging them from taking any meaningful steps toward a safer Internet experience. Here are a few other examples of things I frequently hear security practitioners warn laypeople against:

Biometrics
Authentication will be a recurring theme here: Usernames and passwords are really not sufficient by themselves anymore, especially because people do such a poor job with them on the whole. We all have dozens (if not hundreds) of accounts that require a login, and it is simply not reasonable to expect people to remember strong, unique passwords for that many accounts.

Many people "solve" this problem by choosing crummy passwords, or reusing one password for every account, both of which are horrible solutions to the problem. Many of us suggest password managers, which can be a great solution for a lot of people. But there's also those security practitioners who pooh-pooh this option because it's "imperfect" to have a single point of failure, or because sometimes password manager products have vulnerabilities, or whatever other frustrating reason.

While biometric authentication can certainly be circumvented, it beats the heck out of using a weak password, reusing a password, or using no password at all.

SMS for 2FA
We've all heard about the various ways that two-factor authentication (2FA) can be broken by a sufficiently determined adversary. That's something for security practitioners to be aware of, so we don't get complacent. But for the average person, a 99% success rate against account takeovers is really quite sufficient. We all need to be using 2FA wherever it's available, in the most secure form we can get. If that form is "just" SMS, it's a whole lot better than just using a username and password alone.

Legacy Security Products
Regardless of what operating system people are on, or what particular type of security product works best for their situation, everyone needs something that helps protect against malicious code. If I had a nickel for every time I heard someone say that "antivirus is dead" because it doesn't detect 100% of new attacks, I'd be having a very fancy lunch right now. I won't even get into the arguments over "next-gen" versus established anti-malware products, or the old trope that "Macs don't get malware," or instances where security products were found to have vulnerabilities.

Charging Cables
The caution against using someone else's charging cables came up again just recently. While I would probably still advise people against charging in any old charging station — particularly ones in public spaces — I wouldn't go so far as to say you should never borrow a charging cable at all. If you trust someone well enough to travel with them, or work with them or something along those lines, you should be OK if you borrow their charging cable.

Frequent Password Updating
"Passwords are like underwear. They should be kept private and changed frequently." I'm delighted to announce that we all need to stop using this underwear analogy. NIST announced two years ago that we need to move away from asking people to periodically change their passwords, or enforcing complexity requirements. While we're at it, can we also stop preventing people from copying and pasting passwords, too? I honestly don't know what threat this is supposed to prevent; in practical application, it only seems to prevent the use of password managers.

I suspect the instinct to tell people why they shouldn't use "imperfect" security practices is, at least in part, to demonstrate how l33t we are. But this practice is making the Internet a much less usable place, and we need to bring that to an end. People should use whatever methods allow them to move the needle toward a safer surfing experience meaningfully, given their own particular threat model.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Can the Girl Scouts Save the Moon from Cyberattack?"

Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Ziyon
100%
0%
Ziyon,
User Rank: Apprentice
10/10/2019 | 5:24:02 PM
Any new technology available in the market?
The Lysa Myers' text meets the market need to be shaken to wake up and face a reality that can no longer be ignored. There are new technologies like iPification that claims to be the future today. It's a matter of early adoption, so we can verify if this technology delivers what they say and compare the benefits.
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
6 Small-Business Password Managers
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/8/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4108
PUBLISHED: 2019-11-14
Multiple unspecified vulnerabilities in Cryptocat Project Cryptocat 2.0.18 have unknown impact and attack vectors.
CVE-2018-12207
PUBLISHED: 2019-11-14
Improper invalidation for page table updates by a virtual guest operating system for multiple Intel(R) Processors may allow an authenticated user to potentially enable denial of service of the host system via local access.
CVE-2019-0117
PUBLISHED: 2019-11-14
Insufficient access control in protected memory subsystem for Intel(R) SGX for 6th, 7th, 8th, 9th Generation Intel(R) Core(TM) Processor Families; Intel(R) Xeon(R) Processor E3-1500 v5, v6 Families; Intel(R) Xeon(R) E-2100 & E-2200 Processor Families with Intel(R) Processor Graphics may allow a ...
CVE-2019-0123
PUBLISHED: 2019-11-14
Insufficient memory protection in Intel(R) 6th Generation Core Processors and greater, supporting SGX, may allow a privileged user to potentially enable escalation of privilege via local access.
CVE-2019-0124
PUBLISHED: 2019-11-14
Insufficient memory protection in Intel(R) 6th Generation Core Processors and greater, supporting TXT, may allow a privileged user to potentially enable escalation of privilege via local access.