Armor Is Not Enough for Good IT Security

The value of conventional password policies is doubtful; users will always be the weakest link in IT security. Perhaps it's better to add remediation to the existing arsenal of firewalls, strong passwords and VPNs, and admit that your security measures, no matter how closely they adhere to best practices, can be bypassed by a motivated intruder.

I'm not sure if I learned anything useful from the revelation that someone had compromised Google's Gaia security system last December. Undoubtedly, the company is a prime target; perhaps the only two companies that might be more impressive scores in hackers' ongoing game of capture-the-server would be IBM and Microsoft.

On top of that, the way that Google's security was compromised wasn't terribly exciting. Oh boy, an engineer clicked on a link that led to a "poisoned" server; who hasn't done that? Even the most experienced of us have come close to doing something colossally dumb (with apologies to my friend Wayne Rash for stealing his line); I was there several months back, when I almost fell for the old "MacCinema Installer" exploit. Escaping from that unscathed gave me a feeling not unlike driving in the mountains, and hauling the car back on the road after nearly going off a cliff. Adrenaline's a helluva drug, as a cleaner Rick James might have said.

I've spent a good deal of time thinking about security in the weeks since I joined eWEEK's lab crew. That's partly due to being assigned a piece on identity management in the age of SAAS (software as a service), but also resulted from having to cope with a flurry of logins and passwords to various applications and systems; I stopped counting after the first dozen. After the second or third week, I was praying for a universal set of credentials that would just work everywhere. But that beast simply doesn't exist, outside of a James Bond movie; I might as well be asking for a unicorn. (That makes me wonder if Purina Unicorn Chow would be rainbow-colored, but I digress...)

In a previous life, I was responsible for IT security, and if I learned anything in that role, it's that humans are horrible at computer security. My users thought I was insane for requiring passwords at all, and when it came to the topic of rotating passwords and how strong passwords should be, I'm lucky I wasn't thrown from an upper-story window.

But my recalcitrant users had a point, one that kept crossing my mind as I was establishing my new digital identity as an eWEEK employee, every time I reused one of my easy-to-remember, hard-to-guess passwords. The users couldn't see the point behind my password policies, and had more important things to do with their brains than to figure out a new password for every site every three months. The funny thing is that I'm now on their side of the discussion.

Humans trust, in part, because it comes naturally to most of us. We fall for some of the simplest attacks because we just can't believe that we would ever be their victim. On top of that, good IT security is hard work. If IT security god Bruce Schneier regularly breaks seven of 10 often-cited rules for password security, as he admitted last year, imagine what Joe User is like.

At some point, IT policymakers must recognize that they're fighting an unwinnable war by insisting that users stick with unworkable rules for passwords. It doesn't help the image of IT as authorities on security when our own tools betray us, as they did recently when an incompletely tested antivirus update from McAfee shut down the computers run by California's state government, and those of many other organizations.

RedMonk analyst Michael Cot??« was onto something when he told me that IT security needs to add remedial services to its repertoire. Since security breaches are inevitable, damage control is perhaps more important than ever; it's too bad that Google learned this the hard way.