Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

10/9/2019
02:00 PM
Lysa Myers
Lysa Myers
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

A Realistic Threat Model for the Masses

For many people, overly restrictive advice about passwords and other security practices is doing more harm than good. Here's why.

I'm one of those people who has made fun of password books for being an example of horrible security practices. But I'm starting to realize that I was wrong. For some people, overly restrictive security advice is doing more harm than good. For those who can't easily navigate more secure solutions, writing a password down and keeping it locked up in your home is far better than reusing passwords.

While threat modeling is something we often ask businesses to do to determine the level of risk posed by certain vulnerabilities, we seldom ask individuals to do the same thing. Instead, we just give everyone the same sort of blanket suggestions, often implying that it's necessary for everyone to protect themselves against state-sponsored attackers.

This can lead to people devaluing threats that realistically could come from within their own homes, such as in the case of domestic abuse, which in this day and age almost invariably includes monitoring the victim, including online. Bottom line: When hurdles are so massive that using computers becomes impossibly difficult, people give up, opting instead to do as little as possible to protect their data and devices.

This is definitely a case where "perfect is the enemy of good."By dissuading people from using more convenient and usable security methods, we're discouraging them from taking any meaningful steps toward a safer Internet experience. Here are a few other examples of things I frequently hear security practitioners warn laypeople against:

Biometrics
Authentication will be a recurring theme here: Usernames and passwords are really not sufficient by themselves anymore, especially because people do such a poor job with them on the whole. We all have dozens (if not hundreds) of accounts that require a login, and it is simply not reasonable to expect people to remember strong, unique passwords for that many accounts.

Many people "solve" this problem by choosing crummy passwords, or reusing one password for every account, both of which are horrible solutions to the problem. Many of us suggest password managers, which can be a great solution for a lot of people. But there's also those security practitioners who pooh-pooh this option because it's "imperfect" to have a single point of failure, or because sometimes password manager products have vulnerabilities, or whatever other frustrating reason.

While biometric authentication can certainly be circumvented, it beats the heck out of using a weak password, reusing a password, or using no password at all.

SMS for 2FA
We've all heard about the various ways that two-factor authentication (2FA) can be broken by a sufficiently determined adversary. That's something for security practitioners to be aware of, so we don't get complacent. But for the average person, a 99% success rate against account takeovers is really quite sufficient. We all need to be using 2FA wherever it's available, in the most secure form we can get. If that form is "just" SMS, it's a whole lot better than just using a username and password alone.

Legacy Security Products
Regardless of what operating system people are on, or what particular type of security product works best for their situation, everyone needs something that helps protect against malicious code. If I had a nickel for every time I heard someone say that "antivirus is dead" because it doesn't detect 100% of new attacks, I'd be having a very fancy lunch right now. I won't even get into the arguments over "next-gen" versus established anti-malware products, or the old trope that "Macs don't get malware," or instances where security products were found to have vulnerabilities.

Charging Cables
The caution against using someone else's charging cables came up again just recently. While I would probably still advise people against charging in any old charging station — particularly ones in public spaces — I wouldn't go so far as to say you should never borrow a charging cable at all. If you trust someone well enough to travel with them, or work with them or something along those lines, you should be OK if you borrow their charging cable.

Frequent Password Updating
"Passwords are like underwear. They should be kept private and changed frequently." I'm delighted to announce that we all need to stop using this underwear analogy. NIST announced two years ago that we need to move away from asking people to periodically change their passwords, or enforcing complexity requirements. While we're at it, can we also stop preventing people from copying and pasting passwords, too? I honestly don't know what threat this is supposed to prevent; in practical application, it only seems to prevent the use of password managers.

I suspect the instinct to tell people why they shouldn't use "imperfect" security practices is, at least in part, to demonstrate how l33t we are. But this practice is making the Internet a much less usable place, and we need to bring that to an end. People should use whatever methods allow them to move the needle toward a safer surfing experience meaningfully, given their own particular threat model.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Can the Girl Scouts Save the Moon from Cyberattack?"

Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Ziyon
100%
0%
Ziyon,
User Rank: Apprentice
10/10/2019 | 5:24:02 PM
Any new technology available in the market?
The Lysa Myers' text meets the market need to be shaken to wake up and face a reality that can no longer be ignored. There are new technologies like iPification that claims to be the future today. It's a matter of early adoption, so we can verify if this technology delivers what they say and compare the benefits.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-17452
PUBLISHED: 2020-08-09
flatCore before 1.5.7 allows upload and execution of a .php file by an admin.
CVE-2020-17451
PUBLISHED: 2020-08-09
flatCore before 1.5.7 allows XSS by an admin via the acp/acp.php?tn=pages&sub=edit&editpage=1 page_linkname, page_title, page_content, or page_extracontent parameter, or the acp/acp.php?tn=system&sub=sys_pref prefs_pagename, prefs_pagetitle, or prefs_pagesubtitle parameter.
CVE-2020-17447
PUBLISHED: 2020-08-09
MyBB before 1.8.24 allows XSS because the visual editor mishandles [align], [size], [quote], and [font] in MyCode.
CVE-2020-16248
PUBLISHED: 2020-08-09
** DISPUTED ** Prometheus Blackbox Exporter through 0.17.0 allows /probe?target= SSRF. NOTE: follow-on discussion suggests that this might plausibly be interpreted as both intended functionality and also a vulnerability.
CVE-2020-15820
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, the markdown parser could disclose hidden file existence.