
Humans Continue To Be "Weak Link" In Data Security

CmdrTaco posted more than 4 years ago | from the handcuffs-please dept.

Security 117

ChiefMonkeyGrinder writes "Nearly 90 percent of IT workers in the UK have said a laptop in their organization has been reported lost or stolen, new research has found. Sixty-one percent said that this then resulted in a data breach, according to the '2010 Human Factor in Laptop Encryption Study: United Kingdom,' a report produced by the Ponemon Institute for Absolute Software."


But humans can also forget... (0)

Anonymous Coward | more than 4 years ago | (#31480676)

I guess for security, forgetting is best. :P

Hmmm ... (4, Funny)

WrongSizeGlass (838941) | more than 4 years ago | (#31480684)

If only there was a way to remove humans from the equation ... can you say Skynet?

Re:Hmmm ... (1, Funny)

Anonymous Coward | more than 4 years ago | (#31480872)

Kill all humans!
-- Bender the robot

Humans Continue To Be 'Weak Link' (1)

jack2000 (1178961) | more than 4 years ago | (#31481090)

In other news, carbon based lifeforms require nutritional sustenance.
Come on people! Enough of these filler stories!

Yes (5, Funny)

rolando2424 (1096299) | more than 4 years ago | (#31481148)

Skynet

Re:Hmmm ... (3, Interesting)

The_Wilschon (782534) | more than 4 years ago | (#31481352)

Better if you could remove data mobility from the equation. If somebody leaves their laptop in an unlocked office or a box of hard disks in the back seat of their car, it's quite likely to get stolen. So, knowing that that sort of thing will happen, it seems to make sense to force all sensitive data to be stored on physically and cyberly (just woke up, can't think of the proper word here, nurrrr) secured file servers.

Re:Hmmm ... (0)

Anonymous Coward | more than 4 years ago | (#31482000)

then refrain from posting until you can coherently make a sentence.

Re:Hmmm ... (0)

Anonymous Coward | more than 4 years ago | (#31482190)

This is why many of my customers use Citrix XenApp or XenDesktop or VMware View on a thin client laptop. People steal the laptop, there's no data to worry about.

Re:Hmmm ... (1)

nospam007 (722110) | more than 4 years ago | (#31482806)

Actually most of them forget them in the Underground, which is a series of tubes

FULL DISCLOSURE - Absolute Software (1, Insightful)

Anonymous Coward | more than 4 years ago | (#31481490)

Absolute Software - The absolute best way to track, manage and protect your digital world.
Tracking software to aid recovery of lost or stolen computers. Also software for hardware/software inventory and software license management.

There's a reason why Absolute Software is talking this up...

Just sayin'

Re:FULL DISCLOSURE - Absolute Software (1)

Fred_A (10934) | more than 4 years ago | (#31481956)

There's a reason why Absolute Software is talking this up...

Just sayin'

I thought it was "Ponemon software says 'Laptops ! Collect them all !'"

Oh, wait, PoNemon... sorry.

Re:FULL DISCLOSURE - Absolute Software (0)

Anonymous Coward | more than 4 years ago | (#31483620)

Sure, but the research was done & published by the Ponemon Institute, a well-respected independent IT security think-tank.

http://www.ponemon.org/index.php [ponemon.org]

...In other words, it sounds like Absolute didn't just pay some guy down the hall to just make up some numbers.

Skynert (1)

Toze (1668155) | more than 4 years ago | (#31483846)

Oh, damn.

Usernames in browsers (3, Interesting)

Sigma 7 (266129) | more than 4 years ago | (#31480730)

I noticed that browsers have a neat habit of storing usernames that you've used on various sites, and help pre-fill the username field with that information.

It would be much more helpful if those usernames didn't bleed across servers; it would really cut down on potential exploits, and helps me remember which one of my usernames for a given site is correct (especially before I crack open the encrypted volume to lookup the real username/password combo.)

Re:Usernames in browsers (1)

somersault (912633) | more than 4 years ago | (#31480770)

especially before I crack open the encrypted volume to lookup the real username/password combo.

I hope you can get into it faster than I did - it took me almost two hours to crack that thing!

Re:Usernames in browsers (1)

clemdoc (624639) | more than 4 years ago | (#31480816)

Another neat feature in some browsers is that you can switch off this helpful password storage feature. But if you store your password on an encrypted volume, you certainly know this.

Security Failings (5, Insightful)

Y2KDragon (525979) | more than 4 years ago | (#31480740)

Strong password requirements are a big part of the problem. We can teach people how to make more complicated passwords. But the draconian policies set by some sites make it almost impossible to maintain any degree of security. Make the password requirement difficult enough, and people HAVE to write it down and keep it in an insecure location just to make it usable.

Re:Security Failings (3, Interesting)

somersault (912633) | more than 4 years ago | (#31480856)

Then have them store it in a more "secure" location like in their wallet or their keyring. Some people can't even look after those adequately of course.. but at least you'll know if you've lost them that you should change your passwords.

Re:Security Failings (1)

drinkypoo (153816) | more than 4 years ago | (#31481552)

I haven't lost my wallet in years (*knockonparticleboard*) so it's a good place for me to keep a password until I memorize it. Then I burn the paper it's on in my wood stove. This is probably way too much trouble to go to. I'm considering some kind of password safe, but the only digital device I carry on me regularly is a crappy motorola phone which can only just run a MIDlet.

Re:Security Failings (0)

Anonymous Coward | more than 4 years ago | (#31483186)

If you've lost your wallet that holds your password, how are you going to get in to change the password?

Re:Security Failings (1)

somersault (912633) | more than 4 years ago | (#31483624)

Password resetting type services or phone calls to your bank etc if it's online, or if it's for work then phone up IT.

Re:Security Failings (1)

Whalou (721698) | more than 4 years ago | (#31480864)

A policy I had to follow on one site required the use of a minimum of 2 lower caps, 2 upper caps, 2 numbers and 2 special characters.

I'm sure a lot of users had the password q1W@e3R$ which is probably the easiest password to remember that fulfilled the requirements. And therefore easy to guess if the password policy is known.

Re:Security Failings (0)

Anonymous Coward | more than 4 years ago | (#31481118)

i have that on my luggage

Re:Security Failings (0)

Anonymous Coward | more than 4 years ago | (#31481166)

Oh yeah because qwQW12!" would be way harder. q1W@e3R$ is definitely the easiest.

Re:Security Failings (1)

socsoc (1116769) | more than 4 years ago | (#31482046)

I have no idea why that would be the easiest. The pass is nothing personal or memorable. You just happen to like the left side of your keyboard. It's similar to having the password of asda.

Re:Security Failings (0)

Anonymous Coward | more than 4 years ago | (#31480884)

The employment site of a very large US defense contractor is like that and it's got to be changed every couple of months. I always for the pw and the where the paper is where I write it down. I don't want to mention Lockheed's name so keep that in mind.

I'm constantly having to have the pw reset. If they're tracking that, that may explain why they haven't called me. :-(

Anyway, I got a Chinese lesson to go to.

Re:Security Failings (3, Informative)

buruonbrails (1247370) | more than 4 years ago | (#31480974)

It's because people tend to think of their passwords as words, not phrases. It's much easier to remember a simple pass phrase (e.g. "Quick_brown_fox"), than a shorter, but completely senseless random symbol combination (e.g. "gsf12mU&*").

Re:Security Failings (4, Insightful)

Sycraft-fu (314770) | more than 4 years ago | (#31480990)

Not only making it too hard, but making changes too frequent. If someone has to change their password once a month, they will have trouble remembering it. They'll make it as simple as the security will allow and write it down (maybe multiple places).

What it comes down to is if you feel the data you are protecting is important enough that it needs to have a complex password and such, what it really needs is two factor security. Something like a SecurID token or whatever. That makes it near impossible to break in as you have to get the password AND the token and you have to make use of it before the token's absence is noted.

Being a jerk about password policy is no replacement for a better security system over all, and in fact can make your stuff less secure than you think. You are ultimately dealing with people and as such you can't expect them to be perfect with their memories. You need to adapt your security to them, not demand they adapt.

You also have to simply accept that there's no such thing as perfect security. You can't have a system that can't be broken no matter what. Thus you need to make it as good as you can, have defense in depth (multiple security layers such that if one is breached not everything is bypassed), and remain vigilant.

Re:Security Failings (4, Insightful)

vlm (69642) | more than 4 years ago | (#31481112)

Not only making it too hard, but making changes too frequent.

You always know you're dealing with someone incompetent when that's a requirement.

You need to change your pass code on door locks because the used digits begin to look physically different than the unused digits.

You need to change ENCRYPTION KEYS occasionally to avoid known plaintext attacks, some MITM issues, and some other esoteric stuff.

Encryption keys and door passcodes are kind of security related, and login passwords are security related, therefore they must be the same (if you're stupid) so you must change your login password on a regular basis.

Some people confuse two of the A's in AAA. Login passwords are for "authorization". "Accounting" is where you catch multiple people using the same login, not "authorization".

Finally there's the idiots that think good security must be inconvenient, therefore ANYTHING inconvenient must inherently be secure.

The only reason you have to change your password on a regular basis is basically, stupid people quoting other stupid people saying it's important because they heard other stupid people saying it, aka an urban legend. Nothing more.

Oddly enough the same morons who claim changing passwords increases security, also believe biometrics are more secure because you can't change your fingerprint... or can you?

Re:Security Failings (1)

The_Wilschon (782534) | more than 4 years ago | (#31481402)

Some people confuse two of the A's in AAA.

Oh yeah, I get Americans and Automobiles [aaa.com] mixed up all the time.

Re:Security Failings (1)

apoc.famine (621563) | more than 4 years ago | (#31483446)

You're wrong, actually.

The theory is that if someone cracks your password, if you're forced to change it every month, they'll only have, on average, 2 weeks to exploit it.

In reality, you're correct that it's not so useful. In the case of a non-admin account, with enough auditing and proper permissions so that it's not possible to insert a keylogger nor take control of the machine, this works well. It works against a "got a temp job as a night janitor and walked around writing down passwords taped to monitors" or a "ran a dictionary attack against all the logins" under the previous scenario. But that's a very, very small subset of computer setups.

So you're incorrect that such a requirement means that "you're dealing with someone incompetent"; there are valid reasons for such a policy. In practice, you're correct, as it's likely not a useful policy, and you're likely dealing with someone incompetent.

Re:Security Failings (1)

JasterBobaMereel (1102861) | more than 4 years ago | (#31481652)

Security : Pick any two
Something you know
Something you have
Something you are

Unfortunately these are :
something you forget
something you lose
something you cease to be

Re:Security Failings (1)

tlhIngan (30335) | more than 4 years ago | (#31482644)

Not only making it too hard, but making changes too frequent. If someone has to change their password once a month, they will have trouble remembering it. They'll make it as simple as the security will allow and write it down (maybe multiple places).

Actually, it happens in stages. The first few passwords are nice and secure. Then the next time around they're forgotten and the password is reset, and it's written down. After a few more months of that, the guy will choose a password according to some algorithm.

Monthly ones are fun, because you can get upper case, lower case, and numbers easily:

January2010, Feburary2010, March2010, ..., December2010, January2011, ...

How about a symbol?

January@010, February2)10, March20!0, ... (number is shifted)

Yes, very secure.

A better way would be to use something like apg that generates pronounceable passwords that have numbers/letters/caps, maybe a symbol, and re-issue it to the staff no more often than yearly. Print it out on newsprint or other paper that degrades after a month, by which time muscle memory would store the password. The only time password changes are more frequent is if there's a deliberate attack (which your servers log, right?)

Re:Security Failings (1)

houghi (78078) | more than 4 years ago | (#31483314)

It is not only passwords, but also usernames. I use some 10 different usernames. Most of them are variations of my first and last name, but in different order, but some are not. They are given by sites or departments and sometimes I am not able to change the login and/or the password.

The worst changing of password I had was where I needed to change every week.

At a place I used to work I conveniently 'forgot' my new password each month. IT did a reset and I was able to re-use my password again. Now I change about 7 passwords every month on the first of the month, but one has an expiration date of 30 days (instead of 31).

So yes, I also do have a file with URL or filename, logins and passwords.

Re:Security Failings (5, Insightful)

L4t3r4lu5 (1216702) | more than 4 years ago | (#31481024)

Make it long, make it simple.

Passphrases are the way forward. Ih4t3MSoft may well satisfy Microsoft's Secure Password policy of 7 characters, one upper, one lower case, one non-alphabetical. However, it's nowhere near as secure (from a brute-force perspective) as ihaterubbishmicrosoftsoftware.

N.B. Not Anti-MS trolling, just picking phrases as they come to mind.

Well..... Maybe (2, Informative)

Sycraft-fu (314770) | more than 4 years ago | (#31481510)

If you know nothing about the password at all, yes it can be more secure. However, if you know it is a passphrase, then you can work on it as such. Rather than brute forcing using character combinations, you use word combinations. Maybe your program also has grammar rules in it so it can make more intelligent choices in words. Of course against that you can start doing letter substitution but then you start having complexity problems again and so on. Also there's the problem of someone finding out your password, if it is very complex even if they see it they may not be able to remember it, but a phrase may be no problem. Etc.

What it comes down to is there's only so secure a password can be. How secure largely depends on the individual. Some people can handle long, complex, passwords. Others need things real simple.

Hence why, as I noted in another post, if the data you are securing is really so important, get two factor security. You can't force humans to be good with passwords so don't try. Use passwords as a part of a better security solution.

Re:Well..... Maybe (1)

Culture20 (968837) | more than 4 years ago | (#31482516)

I'll take "a minimum of `wc -l /usr/share/dict/american english` ^ 4 = 94397697714928713121" before "a minimum of 72^8 = 722204136308736" any day, especially since a larger percentage of example one is more easy to memorize.
Make at least one word a nonsense word with maximum 8 characters, and you've suddenly got a minimum of (`wc -l /usr/share/dict/american english` + (72^8) ) ^ 4 = 272044459885253599974534898044290557137522250032956637150625

That's a big number for such a small inconvenience (three normal words and a standard password).

Re:Security Failings (1)

darkmeridian (119044) | more than 4 years ago | (#31484244)

Brute force methods use dictionary words. Therefore, "ihaterubbishmicrosoftsoftware," which has five dictionary words without any capitalization or numbers or symbols, is the equivalent of a five-character password. The much stronger approach is to use phrases to generate hard passwords. For instance, you can make "ihaterubbishmicrosoftsoftware" into "!h8rM$SW". That's an eight-character password that has capitalization and characters and numbers, and therefore harder to attack.
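The search-space arithmetic argued over in the comments above (Culture20's dictionary figures, and the Ih4t3MSoft versus ihaterubbishmicrosoftsoftware comparison) worked through under an explicit guesser model, as an added example that is not part of the original thread. The 26-character symbol set is an assumption; the 98569-word dictionary size is inferred from the quoted value 94397697714928713121 = 98569^4.

```python
"""Search-space arithmetic for the passphrase-vs-complexity debate.

A secret's strength is not a property of the string alone; it depends on the
model the guesser uses. Two models are made explicit here:
  - character model: alphabet = union of the character classes actually present
  - word model:      the phrase is k words drawn from a dictionary of size D
"""
import math
import string

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>/?"      # assumed set of 26 printable symbols
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(SYMBOLS)}

# Dictionary size inferred from the comment's figure: 98569**4 == 94397697714928713121
AMERICAN_ENGLISH_WORDS = 98569


def class_counts(pw):
    """Count the characters of each class in a password."""
    counts = {"lower": 0, "upper": 0, "digit": 0, "symbol": 0, "other": 0}
    for ch in pw:
        if ch in string.ascii_lowercase:
            counts["lower"] += 1
        elif ch in string.ascii_uppercase:
            counts["upper"] += 1
        elif ch in string.digits:
            counts["digit"] += 1
        elif ch in SYMBOLS:
            counts["symbol"] += 1
        else:
            counts["other"] += 1
    counts["nonalpha"] = counts["digit"] + counts["symbol"] + counts["other"]
    return counts


def meets_policy(pw, policy):
    """True if `pw` satisfies a complexity policy expressed as minimum counts.

    `policy` keys: "min_len" plus any key returned by class_counts, e.g.
    {"min_len": 8, "lower": 2, "upper": 2, "digit": 2, "symbol": 2}.
    """
    if len(pw) < policy.get("min_len", 0):
        return False
    counts = class_counts(pw)
    return all(counts[cls] >= n for cls, n in policy.items() if cls != "min_len")


def char_model_space(pw):
    """Guesses to exhaust every string of this length over the alphabet
    formed by the character classes the password actually uses."""
    counts = class_counts(pw)
    alphabet = sum(size for cls, size in CLASS_SIZES.items() if counts[cls])
    return alphabet ** len(pw)


def word_model_space(num_words, dictionary_size):
    """Guesses to exhaust every k-word phrase from a D-word dictionary."""
    return dictionary_size ** num_words


def mixed_space(num_slots, dictionary_size, token_len, token_alphabet):
    """Culture20's variant: each slot is either a dictionary word or an
    arbitrary token of `token_len` characters over `token_alphabet` symbols."""
    return (dictionary_size + token_alphabet ** token_len) ** num_slots


def bits(space):
    """Search space expressed in bits for easy comparison."""
    return math.log2(space)


if __name__ == "__main__":
    two_of_each = {"min_len": 8, "lower": 2, "upper": 2, "digit": 2, "symbol": 2}
    print("q1W@e3R$ passes the 2/2/2/2 policy:", meets_policy("q1W@e3R$", two_of_each))

    ms_policy = {"min_len": 7, "lower": 1, "upper": 1, "nonalpha": 1}
    for pw in ("Ih4t3MSoft", "!h8rM$SW", "ihaterubbishmicrosoftsoftware"):
        print(f"{pw:32} policy={meets_policy(pw, ms_policy)!s:5} "
              f"char-model={bits(char_model_space(pw)):6.1f} bits")
    # The same phrase seen as five dictionary words, as the comment above models it.
    print(f"5 words from {AMERICAN_ENGLISH_WORDS}: "
          f"{bits(word_model_space(5, AMERICAN_ENGLISH_WORDS)):.1f} bits")

    four_words = word_model_space(4, AMERICAN_ENGLISH_WORDS)
    mixed = mixed_space(4, AMERICAN_ENGLISH_WORDS, 8, 72)
    print(f"4 words: {bits(four_words):.1f} bits; "
          f"3 words + one 8-char token: {bits(mixed):.1f} bits ({len(str(mixed))} digits)")
```

The word-model figure for the five-word phrase and the character-model figure for the ten-character password can be read side by side, which is the comparison the thread is actually disagreeing about.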

Re:Security Failings (5, Insightful)

Aceticon (140883) | more than 4 years ago | (#31481096)

Draconian IT Security policies that end up achieving the opposite effect are caused by the same underlying problems as the theatrical Security that's currently done in most airports:

  • If a Well-Balanced Security policy is in place and Something Bad happens, they blame the Security guys. If a Draconian Security policy is in place and Something Bad happens they can blame the person that "went around the security" (i.e. wrote a password on a piece of paper)
  • When a new widget/software is proclaimed as the next silver bullet, if Security gets it and Something Bad happens, they're the ones blamed, if they do get it, then they can blame the widget/software
  • The guy that prevented thousands of Bad Somethings never got promoted to management, since Nothing Happened. The guys that get promotions are the ones that make a Heroic Recovery when Something Bad happens
  • Billions of man-hours wasted can easily be ignored when spread over many people as many small hassles.

The blame here is in Management - rewards and punishment are distributed on the basis of easily observable artifacts of The Work instead of looking at the hard to define and hard to measure Results.

This problem is very common in all kinds of professions and in most countries ...

Re:Security Failings (4, Interesting)

bickerdyke (670000) | more than 4 years ago | (#31481114)

If IT departments really would care about password security, and insist on complex passwords AND not writing them down, they should start treating a forgotten password as something normal, and not a chance to ridicule that poor guy who forgot it again.

What's worse for security? Resetting that poor guy's password twice a week or having him try to avoid it by using a post-it under his keyboard?

Re:Security Failings (2, Insightful)

Spad (470073) | more than 4 years ago | (#31481606)

Making password resets that common is bad security practice in itself unless you have a good process in place for verifying the identity of the user requesting the reset. Far too many helpdesks will happily reset "your" password for you without even cursory checks as to who you are.

Re:Security Failings (1)

bickerdyke (670000) | more than 4 years ago | (#31481780)

Uhmm.. yes.

Last two shops I worked in were small enough that the support guy was able to recognize my voice on the phone as proof of ID.

That post was driven by an experience back at university when the password resetting process stopped only short of writing "I will not forget my password" 100 times on the blackboard. (But included admitting your stupidity to the 'BOFH on duty')

Re:Security Failings (1)

John Hasler (414242) | more than 4 years ago | (#31484326)

> If IT departments really would care about password security, and insist on
> complex passwords AND not writing them down

How many security breaches do you know of that were due to the writing down of passwords?

Re:Security Failings (1)

Kozz (7764) | more than 4 years ago | (#31481978)

Strong password requirements are a big part of the problem.

I've known people to use a kind of "formula" to create/remember passwords. It works such that you don't need to strictly memorize your password, but you only need to remember how to derive it. First, I come up with some basic, moderate-strength password, like 4Fa2@xx8?L. But instead of the "xx", I replace it with the two letters in the site's domain name before the TLD, so for slashdot, maybe my password would be 4Fa2@ot8?L.

This is a very simple example, but you can imagine new ways of creating a formula (say, count the number of vowels in the domain, etc) to create your own scheme.

Yes, it's true, this isn't an incredibly strong method, strictly speaking. If someone catches one PW and can figure out your scheme, you're cooked. On the other hand, the result is that you're probably going to have a different password on every site you use, it's a strong password, and you don't have to use any tools to manage your PWs, just memorize the scheme.

I admit I don't have a similar solution for places that require password changes every 90 days, such as my employer. There, I try each time to come up with a password based on an easily-remembered phrase, like "gilligans3hourtour" or "drdanieljacksondiedagain". Yeah, I tend to get funny looks when I type in 20+ character passwords. heh.

Bosses are human too. (0)

Anonymous Coward | more than 4 years ago | (#31480746)

Bosses are human too. If you're giving data to the untrustworthy, that's YOUR failure as a manager in data security.

If you're giving data to people who have been shown no loyalty, yet you expect loyalty from them, that is YOUR failure as a manager in data security.

If you're demanding results and won't take "that is not safe" as an answer (cf the passwords of a US city network), that is YOUR failure as a manager in data security.

The weakest link in the chain is usually the one with least to trouble themselves with the problems and the greatest power to demand.

The Boss.

Encrypt your sh*t. Or you aren't a professional. (1)

elucido (870205) | more than 4 years ago | (#31480748)

I'm tired of seeing articles which talk about IT "professionals" who don't even know how to use encryption.

It's not hard, it's more a matter of people not wanting to have any security because then they don't have to hire actual professionals who might cost a bit more.

Re:Encrypt your sh*t. Or you aren't a professional (2, Interesting)

FlyingBishop (1293238) | more than 4 years ago | (#31480786)

Like what? The code for the project I'm working on? Or are you suggesting I encrypt my entire production database that I can access over a VPN from my notebook?

If you have shit on your laptop that needs encryption, you aren't a professional.

Re:Encrypt your sh*t. Or you aren't a professional (0)

Anonymous Coward | more than 4 years ago | (#31481204)

> If you have shit on your laptop that needs encryption, you aren't a professional.

Yeah, you might instead be one of those Human Rights workers or similar, in one of those repressive countries.

Then you would need encryption to keep other people alive in case they decide to pick on you.

Re:Encrypt your sh*t. Or you aren't a professional (1)

zappepcs (820751) | more than 4 years ago | (#31480846)

IT workers != IT professionals. The marketing directors admin does IT work for him, she is not a professional IT technician. Laptops AFAIK are not given out to those that deserve them so much as those who can't be required to sit in an office all day. Think about this for a minute. Are the tech savvy people in the office or on the road?

Re:Encrypt your sh*t. Or you aren't a professional (4, Interesting)

c0mpliant (1516433) | more than 4 years ago | (#31480916)

Can't agree more. Encryption is such a basic and fundamental requirement that if your security team isn't working on a way to encrypt your data now, they should have it already done.

A question that should be asked more than it currently is, is why do you need this data on an easily stolen device. For example, why do customer records need to be on a laptop, why is this confidential document on a USB stick?

In my work place, no one can transfer anything off our internal network via data transfer. USB sticks will not be detected by machines. There are no open ethernet cables so if you try to connect a laptop to the cable running into your machine, it won't work. If anyone wants anything taken from the network, they need to raise a request and then if it's granted, they will get the data encrypted and placed on a USB stick or laptop of their choice. We have a record of where things were taken from, when they were, requested by whom, authorised by whom. Users may find it slightly inconvenient but our data is secure, controlled and even in the event of a lost laptop or USB stick, we know that it's encrypted to a high standard.

Re:Encrypt your sh*t. Or you aren't a professional (1)

CohibaVancouver (864662) | more than 4 years ago | (#31481492)

Encryption is such a basic and fundamental requirement that if your security team isn't working on a way to encrypt your data now, they should have it already done.

You're missing the point of the article - It's saying that encryption isn't a panacea because of the human factor - People write down passwords, put their tokens in their laptop bags etc.

Re:Encrypt your sh*t. Or you aren't a professional (1)

c0mpliant (1516433) | more than 4 years ago | (#31484430)

True, whatever encryption you have set up, it can only be as strong as the user who is working with it. If they're stupid enough to leave their passwords or tokens with PINs in the bag, of course you're going to have problems. But with an aggressive education plan coupled with a "lest the clenched fist of retribution come down upon you" attitude, you can save yourself a lot of issues. But the above comment was more directed at organisations that don't use encryption at all. I don't know how many times recently I've heard of major entities who should know better losing a laptop with data stored in cleartext. If you're not encrypting things, it doesn't matter how many educational classes you host, people will still lose laptops, USB sticks.

Re:Encrypt your sh*t. Or you aren't a professional (1)

Mr_Icon (124425) | more than 4 years ago | (#31483134)

"Bob, I need financial data for all clients bought the WidgetMaster 9000, ASAP!"
"Sure, boss. I couldn't attach it to email for some reason, so I posted it on superfileshare.com."

Encryption isn't everything (3, Insightful)

Sycraft-fu (314770) | more than 4 years ago | (#31481102)

I'm not saying there aren't plenty of places that encryption is useful security, but I see it far oversold as a panacea. That something is encrypted doesn't mean it is secure. A great example of that would be copy protected games or movies. They use encryption to secure their data. Often it is quite good encryption. AACS uses 128-bit AES crypto, doesn't get much stronger or more tested than that. Yet, it is all for naught. Games are cracked, Blu-Rays are copied and so on. Why? Well because the decryption key is on the disc somewhere. Obfuscate all you like, if the key is there you are screwed.

Same deal with encryption in terms of security for your data. Encryption is useful for data in transit over insecure channels, the Internet being the main one. So long as only your computer and the remote computer have the key, there'll be no snooping on what is going on. Encryption is also useful against physical theft in the case of a laptop or something. If they grab the computer but can't get the password (and the computer isn't logged in or the like) then they can't get the data.

However encryption isn't useful a whole lot outside of that. For example encrypting data on your desktop won't do much against a remote attack. You have to get in to said data and so when you decrypt it, the key and/or data can be captured. You'd be just as well off with unencrypted data overall. Likewise encryption does little to nothing against a social engineering type of attack.

So I'm not saying "Don't use encryption," just that you should think about when to use it, if it is doing any good. Don't sell encryption as something you need to always do, because it isn't useful and can lead to a false sense of security.

Re:Encryption isn't everything (1)

houghi (78078) | more than 4 years ago | (#31483482)

Indeed not always, but always on portables.

Re:Encrypt your sh*t. Or you aren't a professional (1)

JasterBobaMereel (1102861) | more than 4 years ago | (#31481714)

The professional only needs to ask two questions ....

1st question: why have you got sensitive data on your laptop ?

2nd question: if you have (or might have) sensitive data on your laptop, why is it not encrypted?

In my experience the people who "have to" have sensitive data on their laptops generally don't have to ...

and the people who have sensitive data on their laptops always come up with poor reasons why they don't want encryption ...

Maybe they should tie them to their wrists (1)

Johnny Fusion (658094) | more than 4 years ago | (#31480756)

Nine out of Ten lost or stolen in the UK? I have to wonder if seeing abandoned laptops lying around is commonplace there. I don't think I have ever seen a "lost" computer just waiting for me to pick it up. There must be something about the culture that only 10% of the population can keep track of their gadgets. I am reminded of people you see on the beach with metal detectors trying to find lost and dropped jewelry and coins. I may have to make a trip to the UK and ride trains looking for discarded hardware.

Re:Maybe they should tie them to their wrists (3, Informative)

Elky Elk (1179921) | more than 4 years ago | (#31480852)

In the summary it states 9/10 know of a laptop in their organisation being lost. The organisations in question could have thousands or tens of thousands of laptops.

Re:Maybe they should tie them to their wrists (3, Informative)

bkr1_2k (237627) | more than 4 years ago | (#31480938)

It doesn't say 9 out of 10 lost or stolen. It says 9 out of 10 people reported that a piece of equipment has been lost or stolen within their organization. There's a big difference between those two statements.

Of course the issue still remains, people are always going to be the weakest security link. This should come as no surprise to anyone. It has always been that way, and always will be.

Re:Maybe they should tie them to their wrists (1)

Tim C (15259) | more than 4 years ago | (#31482286)

I have to wonder if seeing abandoned laptops lying around is commonplace there.

I've never seen a laptop just lying around unattended somewhere, so no, it is far from commonplace.

Human is the weak link in anything (4, Interesting)

Opportunist (166417) | more than 4 years ago | (#31480778)

Any procedure, any system, any protocol, anything fails 9 out of 10 times due to human error. Why we let these insecure parts remain a critical part in anything is beyond me.

One word: (2, Insightful)

L4t3r4lu5 (1216702) | more than 4 years ago | (#31481026)

Wargames.

Re:One word: (1)

Opportunist (166417) | more than 4 years ago | (#31481670)

Perfect example. If it was not for the humans interfering, this would be a better world.

Oh, what a feeling... (1)

srussia (884021) | more than 4 years ago | (#31481076)

> Any procedure, any system, any protocol, anything fails 9 out of 10 times due to human error. Why we let these insecure parts remain a critical part in anything is beyond me.

JohnnyCab!

Re:Human is the weak link in anything (1)

dkleinsc (563838) | more than 4 years ago | (#31483028)

Thanks, HAL.

Ponemon (5, Funny)

tepples (727027) | more than 4 years ago | (#31480790)

> the Ponemon Institute

Laptops: gotta steal 'em all.

Encryption and you (5, Insightful)

Kaldesh (1363017) | more than 4 years ago | (#31480812)

I really fail to see why so many of these companies fail to use common sense. The first thing we do as an IT staff in my organization with laptops is encrypt them. Use something like Truecrypt, enable full drive encryption and set a good password. Laptop gets stolen? You're out the cost of the physical hardware that was taken from you... but the data that was on the machine? You can rest easy that you took every precaution you could to keep it safe. Of course, I work in the health care field, so any laptops, tablets, netbooks etc. that have any ePHI (Electronic Protected Health Information) have to be secured. We just take our security practices a step further and do it to all of them. Which is worse? Having your users gripe a bit about an extra password? Or having data stolen? It's saved us once already, as a laptop was stolen last year on a business trip.

Re:Encryption and you (1)

jimicus (737525) | more than 4 years ago | (#31481186)

And every password you add makes things a little harder, and sooner or later people decide to make things easier - usually with post-it notes.

Re:Encryption and you (2, Informative)

Kaldesh (1363017) | more than 4 years ago | (#31481386)

Actually we've run into that. But that's a violation of HIPAA (Health Information Privacy and Portability Act), and if you find your users doing something like that in a medical environment? It can mean very serious action is taken. We actually had one person refuse to 'not' use post-its.. and they were let go from the organization. And I mean honestly, in the grand scheme of things, you're adding one password to your daily computing life that will ultimately save someone's butt if their PC gets stolen. Where I work, most of the Doctors are grateful for that extra layer of security. They know that if patient data was leaked on their watch? It would likely mean their jobs, a black mark on their names in the public, and a lot worse for the organization they work for. I'm sure it's similar in other fields.

Re:Encryption and you (0)

Anonymous Coward | more than 4 years ago | (#31481726)

Encryption is not the solution. The history of the Enigma machine is the evidence.
1) Most people like to use simple passwords to encrypt data, so encryption cannot really ensure security.

2) If you encrypted the whole hard disk, when system files are corrupted the data are lost forever, because you cannot boot from a system CD to fix the hard disk.

3) If you make many backups of the data, you will have a higher risk of losing the backup data. Instead of laptops, you will lose flash drives, DVDs, CDs or tapes.

Re:Encryption and you (1)

houghi (78078) | more than 4 years ago | (#31483418)

When I proposed that to our IT department, they just looked at me with some blank stare and nothing came of it.

To me this should be a default for any laptop that leaves the factory. I bet the reason they do not do that is because they would get too many calls from people who forgot their password and blame the company for the data they lost.

Humans may be the weak link, but... (1, Insightful)

bsDaemon (87307) | more than 4 years ago | (#31480818)

Humans may be the weak link in information security, but the information is only useful to humans, so it's not as if we can remove ourselves from the system. Well, we could, and then go back to invisible inks, hand ciphers and cars that actually stop, but these days people probably wouldn't want to do that.

Re:Humans may be the weak link, but... (2, Insightful)

Akido37 (1473009) | more than 4 years ago | (#31480958)

> Humans may be the weak link in information security, but the information is only useful to humans, so it's not as if we can remove ourselves from the system. Well, we could, and then go back to invisible inks, hand ciphers and cars that actually stop, but these days people probably wouldn't want to do that.

I'm glad we've moved past the Stone Age with their silly ideas about "braking systems". Things are so much better now without them.

:-)

Not a great thing. (3, Informative)

FlyingBishop (1293238) | more than 4 years ago | (#31480844)

> None of the IT workers recorded their password on a private document, but three percent did admit to sharing their key with other people.

You keep your password on a private document in your pocket, you can use a stronger password, and it's a lot harder to lose both your laptop and your password.

If you do lose one, it's easy to take steps to blacklist the other. You can even use some trivial obfuscation in recording the password so that even if someone gets it, they won't be able to figure out your password.

Example:

awfuieri3v
4u9388535v
v9tv379vn7
mc20884v05

That's just gibberish, but I could easily write that matrix down on a piece of paper, and then pick a path to take through it (it doesn't even have to be a complicated one; for example I could just use columns 2, 4, and 6) and there's not really much chance that someone's going to find my password. Of course there are even better examples where it's not even obvious that you're looking at a password matrix.

Re:Not a great thing. (2, Interesting)

NonUniqueNickname (1459477) | more than 4 years ago | (#31482172)

We could try to figure out your "secret path" through the matrix and try to finesse a solution. OR we could cat | sort | uniq your matrix, find your reduced charset (02345789acefimnrtuvw - only 21 characters) and brute force it.
Get a longer password. Get a bigger matrix with more noise.

Re:Not a great thing. (1)

John Hasler (414242) | more than 4 years ago | (#31484386)

> We could try to figure out your "secret path"...

First, though, you have to steal his wallet. Then you have to realize that there is a path.

Re:Not a great thing. (1)

chrysrobyn (106763) | more than 4 years ago | (#31483784)

> awfuieri3v
> 4u9388535v
> v9tv379vn7
> mc20884v05
> That's just gibberish, but I could easily write that matrix down on a piece of paper, and then pick a path to take through it (it doesn't even have to be a complicated one, for example I could just use columns 2, 4, and 6)

An attacker should use everything available to him/her to compromise your account. With your gibberish of 10x4 up there, one might immediately assume a random string is necessary. If I assume 8 digits, I'm stuck with 40^8. Immediately, that search space is much lower than (26*26*10*10)^8 (lowercase, uppercase, numbers and a pile of symbols). If I remove duplicates, I'd observe that there are 4 8s, 3 5s, 4 vs, etc, so that's really less than 32^8. If I have reason to believe there's a contiguous path involved, then the problem is far closer to 40*8^7, because once an initial character is chosen, we'll stick with neighbors. An attacker who knows of the existence of your matrix could code up some C and have it standing by to brute force as soon as you enter the matrix.

Better than having a matrix is something never written down. Long known phrases concatenated together with periodic numbers, or even just the first letter of such phrases are far more secure. Muscle memory will make them hard to casually observe.

Instead, work demands I change the password on each of my dozen accounts every 90 days. So, I algorithmically pad the date in case I have to reverse decipher anything I miss. There's no way I could remember a strong password in less than 30 days; even when my password is this simple, it takes me 2 weeks to stop typing the old one. 3 weeks if I have to remember a new year.
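The three posts above argue about how much of the matrix's apparent randomness survives once an attacker knows the scheme. The block below is an added example written for this thread, not code from FlyingBishop, NonUniqueNickname or chrysrobyn: it takes the matrix exactly as posted, reconstructs the "columns 2, 4 and 6" password, counts the characters that actually occur (the `cat | sort | uniq` step), and expresses the three search spaces in bits. The 95-character printable-ASCII baseline, the helper names and the "ordered choice of k columns" model of the path are assumptions made here to make the comparison concrete.

```python
"""Search-space estimates for a written-down "password matrix".

Added example for the matrix posted above and the replies analysing it;
not code from any of the posters. The matrix is the one on the page;
the helper names, the 95-character printable ASCII baseline and the
column-path model are assumptions made for this example.
"""
import math

# The 10x4 matrix exactly as posted in the thread.
MATRIX = [
    "awfuieri3v",
    "4u9388535v",
    "v9tv379vn7",
    "mc20884v05",
]


def distinct_alphabet(matrix):
    """Characters that actually occur in the matrix, sorted.

    This is the 'cat | sort | uniq' reduction: an attacker who has the
    paper only needs to try these symbols, not the full keyboard.
    """
    return "".join(sorted(set("".join(matrix))))


def column_path_password(matrix, columns):
    """Read the given 1-indexed columns top to bottom and concatenate them
    (the 'columns 2, 4 and 6' scheme described in the thread)."""
    return "".join(row[c - 1] for c in columns for row in matrix)


def search_space(alphabet_size, length):
    """Number of candidate strings of `length` symbols over an alphabet."""
    return alphabet_size ** length


def column_path_count(width, k):
    """Ordered choices of k distinct columns out of `width`: every such
    choice is one candidate password, so this is the whole search space
    for an attacker who knows a column path was used (assumed model)."""
    return math.perm(width, k)


def bits(n):
    """Search-space size expressed as bits of work (log2)."""
    return math.log2(n)


def compare(matrix, columns, printable=95):
    """Bits of search space under the three attacker models discussed:
    uniform printable ASCII, reduced alphabet, known column-path scheme."""
    password = column_path_password(matrix, columns)
    n = len(password)
    alphabet = distinct_alphabet(matrix)
    return {
        "password": password,
        "length": n,
        "alphabet_size": len(alphabet),
        "uniform_printable_bits": bits(search_space(printable, n)),
        "reduced_alphabet_bits": bits(search_space(len(alphabet), n)),
        "column_path_bits": bits(column_path_count(len(matrix[0]), len(columns))),
    }


if __name__ == "__main__":
    for key, value in compare(MATRIX, [2, 4, 6]).items():
        print(f"{key:>24}: {value:.2f}" if isinstance(value, float) else f"{key:>24}: {value}")
```

The 12-character result looks like a 78-bit password if you assume it was drawn uniformly from printable ASCII; restricting guesses to the 20 symbols on the paper drops that to about 52 bits, and knowing that it is three whole columns read top to bottom leaves only 720 candidates, under 10 bits. The lesson for policy is the one the thread converges on: anything written down should be treated as a hint to the attacker, and the residual secret (the path) is what the password strength really rests on.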

Human error (1)

charm101 (1767314) | more than 4 years ago | (#31480876)

Security on your laptop is a human error. This means due to clumsiness, is a laptop could talk and say someone stole it. -Turning Winds [teenbootcamps.org]

Huh? (1, Insightful)

Anonymous Coward | more than 4 years ago | (#31480880)

This is news?

Weakest Link (3, Funny)

kiehlster (844523) | more than 4 years ago | (#31480950)

You ARE the weakest link. Goodbye.

I really enjoyed that episode of Doctor Who [youtube.com]. Now I'm a little scared.

Obvious tag only accurate for /. (0)

Anonymous Coward | more than 4 years ago | (#31481238)

The rest of the world probably doesn't realize that information espionage mostly depends on users failing to think while performing routine actions (which is normal for anyone performing routine actions that are abstractions) and so accidentally infecting their computers or getting phished.

This is not obvious the same way as a study finding that morbidly obese people eat more and move less. I think that the tag is condescending and closed minded in this instance.

It's Funny (1)

MrTripps (1306469) | more than 4 years ago | (#31481240)

It's funny when you go to the trouble of encrypting a laptop and then see they have their user name and password taped to the bottom. It's also funny when the encryption software bricks the laptop. I'm looking at you, McAfee.

90 percent? (1)

john.wingfield (212570) | more than 4 years ago | (#31481318)

Reported to whom? Internally or externally?

If this is meant to be a statement that only 90 percent of companies have lost a laptop then the other 1 percent are lying. Loss is one thing, reporting is quite another matter.

Re:90 percent? (1)

john.wingfield (212570) | more than 4 years ago | (#31481330)

I meant "the other 10 percent".

Re:90 percent? (1)

natehoy (1608657) | more than 4 years ago | (#31482356)

Awwwww, darn, and I had this lovely snarky reply about math skills all worked up and everything. Killjoy! :)

But I agree, pick any organization of any reasonable size and it's almost inevitable that a laptop or smartphone will vanish at some point. That's why they need to be encrypted, with a good "nuke remote" option.

I carry a laptop and a Blackberry, and if either is stolen all I have to do is call my company's helpdesk at an 800# and give them my employee number and which device has been stolen, and the device will cease to operate the next time it connects to the Internet (for the laptop) or the cellular network (for the Blackberry). Then a fresh device is waiting for me when I get back to the office. Thankfully I've never had to exercise that option, but we have had people who have.

Combine that with a solid "home directories are on file server" policy, and the loss of a laptop means maybe the loss of a day or two worth of work, and another day reconfiguring the new machine once it arrives. So, to us, the laptops are really hardware to be replaced, not critical business data subject to loss.

Why allow important data on laptops at all? (2, Insightful)

swb (14022) | more than 4 years ago | (#31481382)

...without strong countermeasures to prevent the data from being exploited?

I guess I don't understand why, if some chunk of data is critically important, the organization would allow it to be dragged out of the office on a laptop. The data should be required to stay in the office, with access from outside the office only on a business-critical basis and with strong security requirements (i.e., a VPN-only accessible terminal server, all using RSA tokens).

And if it MUST go out of the office on a laptop, why aren't very strong encryption measures being taken into consideration, including whole-disk encryption with failed-access data wiping?

I see so many people with laptops who don't really need portability. Most of the time they have a laptop because it's a token of their importance to the organization or some kind of freebie (they have a desktop, too, but the laptop is so they can "work from home" but is really just a free home computer).

The other thing weird about this is that 61% of the lost laptops resulted in a security breach! Most of the people I've dealt with who had laptops were by and large wankers with company data of interest to almost no one; at worst you might be able to reverse a cached password or raid the browser passwords for something trivial.

And who is stealing laptops? In the US, a lot of that theft is just petty theft for quick cash -- drug addicts, gang members, losers looking for something they can pawn or turn on the street for $200. It's really not info security experts.

Re:Why allow important data on laptops at all? (2, Insightful)

CohibaVancouver (864662) | more than 4 years ago | (#31481564)

> And who is stealing laptops? In the US, a lot of that theft is just petty theft for quick cash -- drug addicts, gang members, losers looking for something they can pawn or turn on the street for $200. It's really not info security experts.

True, but the problem is you need to treat every theft like a security breach - So while an encrypted laptop with a SecurID token in the laptop bag was probably stolen by a junkie, you just don't know whether or not the final 'owner' is noodling through the data.

Re:Why allow important data on laptops at all? (1, Informative)

Anonymous Coward | more than 4 years ago | (#31482736)

Plus, the junkie is selling it to someone, and people who want to look for data might be willing to pay a significant premium over people who just want a cheap laptop. Junkies aren't completely stupid - they'll sell the machine to whomever is willing to pay the most.

I occasionally recycle old machines and give them to people. The local dump frequently yields good "parts" machines or often fully-working machines that are just too slow (frequently high-powered machines that are only slow because the former owners didn't run Antivirus and allowed malware crud to build).

One very memorable find was a couple of HP Pavilion desktops, in perfect condition except the former owner cut every single wire inside the case. He didn't actually damage anything, just took snips and cut each of the power supply lines, the IDE cables, and the control lines to the motherboard. I replaced the power supplies and the IDE cables with spare parts, soldered the control lines, CPU cooling fan wires, etc back together, and booted the machines with no problems at all. Half hour each, tops.

One of them contained a copy of QuickBooks Pro with the entire financial history of a local company, including all the W2 information of all of their employees for at least a decade, their bank and credit card account numbers stored in IE (with cached passwords), and all sorts of goodies. The owner of the company also had a really bad porn habit, and downloaded a lot of movies and music. Were I a black hat, I could have completely owned his business. Given the questionable age of some of the subjects of the porn, he might even have been facing something far more serious.

Normally, I would have preferred to just wipe the machines and start over, but Pavilions used a recovery CD at the time, and even though I had a serial number on the case, I could not get Windows to install fresh. I had to "clean up" the existing version before giving the machines away. Those two machines took a while - they hadn't had Antivirus in years, and I didn't dare connect them to my Internet connection to download cleanup tools (I didn't even dare put a USB stick into the things, they were so badly infected).

Lately I've been just wiping them from an Ubuntu CD and offering them with Ubuntu preinstalled. It's just easier, and I don't have to look at the stupidity any more.

Re:Why allow important data on laptops at all? (1)

swb (14022) | more than 4 years ago | (#31483592)

Somehow the data thief stringing along a half-dozen heroin addicts for used laptops sounds like a great plot vehicle for a movie but pretty unlikely in real life. Drug addicts, gang members, et al are who they are because they are unreliable, dishonest and only concerned with very short term outcomes -- like how am I gonna get high in the next hour.

It sounds like a clever idea to use them as secret shoppers to steal laptops, but what happens when they steal the wrong ones? It's like Frankenstein sending his assistant out for a brain, but much worse.

I don't doubt that there are industrial/political espionage types out looking to steal laptops for their data, but my guess is that it's a much smaller problem than what amounts to half of all laptop thefts in the UK.

Why allow important data on laptops at all? (1)

drinkypoo (153816) | more than 4 years ago | (#31481798)

You had me at 'at all'.

Why allow important data on laptops at all? Why not simply require that sensitive data only be accessed remotely? You can solve this problem with VNC. There are a very few situations where it is impossible to get internet access sufficient to use a computer remotely. In these few situations, a whole-disk-encrypted system can be used, which won't solve every problem (as this article indicates) but will at least narrow things down considerably. But in most cases, there's no actual need for the data to be on the laptop at all.

Anonymous (0)

Anonymous Coward | more than 4 years ago | (#31481430)

People just neglect to show proper care for something unless they spent their hard-earned money on it... it's just human nature. One thing we do at my job: we use a service called MaaS360 by Fiberlink.

Pretty sick console with a ton of security features and reporting functions... the best thing about this tool is that we can see people outside of the VPN even if they are connecting through a wi-fi hotspot or home router. We have full visibility and can pull reports and manage applications and data as well through this console.

The reason why security is hard... (2, Insightful)

TejWC (758299) | more than 4 years ago | (#31481474)

... is because computers do exactly what they are told to do [smbc-comics.com].

It will be that way (1)

Hymer (856453) | more than 4 years ago | (#31481756)

...until someone invents humanproof security. If people have to remember something they will either
  • write it down if it is too complex to remember
  • choose something obvious so it is easy to remember
  • choose something obvious AND write it down

Uhm. DUH!?!?!? (2, Insightful)

Chas (5144) | more than 4 years ago | (#31481782)

You can have your shit locked down 6 billion ways to Sunday.
The minute you introduce the human element into it, you have a massive security hole that can be patched, but NEVER closed.
You can train and train and train. Ennui sets in and their brains shut off after a while.
You can have the most draconian policies regarding proper usage. People will still circumvent it, accidentally or deliberately.
You can fire people. It just creates ill will and the damage is already done.
And, if it happens to be the owner of the company doing the circumvention there's jack and shit you can do about it.

I'm sorry, but anyone who tells you that security is about "keeping the bad guys out" is SELLING YOU SOMETHING (see: "How much for my large and stinky pile of crap?"). Nothing more.
Security is about putting enough roadblocks in place that attackers begin looking for easier targets so they can maximize their returns on time invested.
If someone wants into your systems bad enough, THEY WILL GET IN. Period.
The job of security is to make this interval as long as possible so they can maximize the chances of catching them before they get in or forcing them into something spectacular and HIGHLY traceable.

The Art of Deception (0)

Anonymous Coward | more than 4 years ago | (#31481980)

Read "The Art of Deception" by Kevin Mitnick. In this book he explains and provides examples of the human factor of security, and how we are indeed the weakest link.

phishing (1)

jonpublic (676412) | more than 4 years ago | (#31482074)

We get people responding to this kind of phishing message all the time, to a helpdesk@yahoo.com.hk address

We haven't had quotas in like 6 years.

---
The Helpdesk Program that periodically checks the size of your e-mail space is
sending you this information. The program runs weekly to ensure your
inbox does not grow too large, thus preventing you from receiving or sending new e-mail.
As this message is being sent, you have 18 megabytes (MB) or more stored in
your inbox. To help us reset your space in our database, please enter your
current user name () password
()

You will receive a periodic alert if your inbox size is between 18 and 20 MB.
If your inbox size is 20 MB, a program on your Webmail will move your
oldest e-mails to a folder in your home directory to ensure you can continue receiving
incoming e-mail. You will be notified if this has taken place.

If your inbox grows to 25 MB, you will be unable to receive new e-mail and it
will be returned to sender. All this is programmed to ensure your e-mail
continues to function well.

Thank you for your cooperation.
Help Desk

This message was sent using IMP, the Internet Messaging Program.
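The quota lure quoted above is a good sample for a help-desk triage rule, because the tells are all in the message itself: it asks for a user name and password in blank fields, it threatens bounced mail, and it wants replies at an external address. The block below is an added example, not jonpublic's tooling or anything from the site: the body is the message as posted, the header values, the organisation's own domain (`example.edu`), the phrase lists and the scoring weights are assumptions made here, and the contrasting benign notice is constructed for the comparison.

```python
"""Heuristic phishing triage over the "Helpdesk" quota message quoted above.

Added example (not the poster's tooling). The body is the message as
posted; the headers, OUR_DOMAIN, the phrase lists, the weights and the
benign sample are assumptions made for this example.
"""
import re
from email.utils import parseaddr

# Domain the recipients' real help desk writes from (assumed).
OUR_DOMAIN = "example.edu"

# Patterns that ask the reader to hand over credentials (assumed list).
CREDENTIAL_PHRASES = [
    r"\buser\s*name\b.*\bpassword\b",   # "user name ... password" in one request
    r"\bpassword\b.*\(\s*\)",           # a blank "password ()" field to fill in
    r"\bverify your account\b",
]
# Pressure tactics typical of quota/storage lures (assumed list).
PRESSURE_PHRASES = [
    r"\bunable to receive\b",
    r"\breturned to sender\b",
    r"\bwill be (suspended|closed|deactivated)\b",
]

# The message as quoted in the thread, with constructed headers.
PHISH_HEADERS = {
    "From": "Help Desk <helpdesk@yahoo.com.hk>",
    "Reply-To": "helpdesk@yahoo.com.hk",
}
PHISH_BODY = """\
The Helpdesk Program that periodically checks the size of your e-mail space is
sending you this information. The program runs weekly to ensure your
inbox does not grow too large, thus preventing you from receiving or sending new e-mail.
As this message is being sent, you have 18 megabytes (MB) or more stored in
your inbox. To help us reset your space in our database, please enter your
current user name () password
()

You will receive a periodic alert if your inbox size is between 18 and 20 MB.
If your inbox size is 20 MB, a program on your Webmail will move your
oldest e-mails to a folder in your home directory to ensure you can continue receiving
incoming e-mail. You will be notified if this has taken place.

If your inbox grows to 25 MB, you will be unable to receive new e-mail and it
will be returned to sender. All this is programmed to ensure your e-mail
continues to function well.

Thank you for your cooperation.
Help Desk

This message was sent using IMP, the Internet Messaging Program.
"""

# A constructed legitimate notice for comparison.
BENIGN_HEADERS = {"From": "IT Help Desk <helpdesk@example.edu>"}
BENIGN_BODY = """\
Your mailbox is at 80% of its quota. Archive older mail from the Outlook
File menu. We will never ask for your password by e-mail.
"""


def domain_of(addr):
    """Bare domain of an address such as 'Name <user@host>' ('' if none)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def score_message(headers, body):
    """Return (score, reasons). Higher score means more phish-like."""
    score, reasons = 0, []
    text = " ".join(body.split()).lower()   # collapse line breaks so phrases match
    from_dom = domain_of(headers.get("From", ""))
    reply_dom = domain_of(headers.get("Reply-To", "")) or from_dom
    if reply_dom and reply_dom != OUR_DOMAIN:
        score += 3
        reasons.append(f"replies go to external domain {reply_dom}")
    if from_dom and reply_dom != from_dom:
        score += 2
        reasons.append("Reply-To differs from From")
    for pat in CREDENTIAL_PHRASES:
        if re.search(pat, text):
            score += 4
            reasons.append(f"asks for credentials: /{pat}/")
            break                            # one credential hit is enough
    for pat in PRESSURE_PHRASES:
        if re.search(pat, text):
            score += 1
            reasons.append(f"pressure tactic: /{pat}/")
    return score, reasons


def classify(headers, body, threshold=5):
    """Label a message 'phish' or 'ok' from its heuristic score (assumed threshold)."""
    return "phish" if score_message(headers, body)[0] >= threshold else "ok"


if __name__ == "__main__":
    for name, h, b in (("quota lure", PHISH_HEADERS, PHISH_BODY),
                       ("benign notice", BENIGN_HEADERS, BENIGN_BODY)):
        score, reasons = score_message(h, b)
        print(f"{name}: {classify(h, b)} (score {score})", *reasons, sep="\n  ")
```

The credential pattern carries the most weight on purpose: a real help desk has no reason to ask for a password in a form field, so that single feature is close to decisive, while the domain and pressure checks are there to separate a careless but genuine notice from a lure. Anything that scores above the threshold is a candidate for a user-awareness reply of the kind jonpublic describes, not for automatic deletion.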

Stolen laptops should be ok (1)

Yvanhoe (564877) | more than 4 years ago | (#31482246)

A stolen laptop should not threaten internal security. The tools to encipher crucial information are free (as in $0).

In Other News the Sky is Blue... (1)

Taliesan999 (305690) | more than 4 years ago | (#31483182)

Seriously... humans are the weak link... don't tell me it's so!

The general terms for this security problem are: (0)

Anonymous Coward | more than 4 years ago | (#31483648)

Wetware error.

LUSER factor.
