Absolve Security

Don't Blame The Victim, But...

6/28/2016

Yesterday, a group of friends and I were discussing differences between when we were growing up and today. I still remember some of my phone numbers from when I was a kid, but can't remember my partner's number, or even my daughter's number. Have we gotten lazy with the advent of technology? Maybe, although the fact that we don't have to dial numbers in most cases anymore may be more of it. That got me thinking about what we do spend our energy memorizing that we didn't before.
This morning I came across this: "LinkedIn data breach blamed for multiple secondary compromises" and it got me thinking. What do I spend all that energy on? Passwords.

How many different passwords do you use each day? How many do you only use occasionally? How do you save or remember them? Some people use protected files, some use paper, some use online applications. I even know someone who wrote their own password generator that they can use to recreate passwords. Many of us use some combination of memory, other methods, and hope.

Unlike many of the topics I'll discuss in this blog, I haven't yet seen a truly elegant and safe way to manage all passwords. Applications are probably the best option out there today, although there is always the risk of a data breach, someone figuring out your root password, someone social engineering the company into giving them access, or losing your own access. Two-factor auth works great for a small number of highly valued systems, but no one wants to carry around an object from every company they do business with. Phone code generators are another good option, as long as you aren't likely to lose your phone and have a hard-to-guess passcode. Have you seen something in the area of identity management that you think truly changes the playing field? If so, I'd love to hear about it. Until then, understand what you're trying to protect in each case, who you need to protect it from and how much security you need for that system, and make a reasonable choice. And of course, if a system you are a customer of has a data breach, make sure to change that password, as well as any you've used on other sites that would be guessable from the first one.

Setup for Success?

6/28/2016

This morning I was reading The Role of Human Error in Successful Security Attacks. As I read it, I found myself feeling empathy for the employees who are the targets of such attacks. For example, "These tools can also prevent users from engaging in inappropriate behavior, such as sending documents home via email or placing them on file-sharing sites or removable media such as USB sticks." I can just see an employee sitting at their desktop at work, realizing that they have to go pick up their son from daycare right now, but their project is due tomorrow. Of course they are going to take it home via personal email or USB stick if that's the only way they can work on it from home. You can't leave a small child home sleeping while you go back to work, and missing the deadline could have significant career consequences.
Being in the field for many years now, I often see us security experts espousing guidance that makes running the business difficult. Certainly some tradeoffs are necessary, but people will work around any security boundary that makes it hard or impossible to do their job. We hire amazing scientists, recruiters, engineers, marketing professionals and the like, and then suddenly expect them to be security experts and produce results in the same time frames and at the same quality levels even as we put security hurdles in their way.

Is there a way to enable our people to focus on doing what they are amazing at, without unacceptable security risks? Can we make doing the secure thing the path of least resistance? In this blog I'll be exploring common social engineering issues, and ways we might alter the system to increase protection without impeding the business.

    Author

    Absolve Security focuses on designing systems and processes to reduce social engineering while empowering the business to focus on its goals.
