Re: Hacking USB Thumbdrives, Thumprint authentication

From: m e (mje@list.intersec.com)
Date: Tue Jan 27 2004 - 19:09:05 EST


In-Reply-To: <000701c3e503$9d4e41c0$6701010a@JASEVO>

EXACTLY! My claim is that as security people our jobs are
to reduce incidents and costs on significant information
assets. So the deployment plan is to get 100% of the people to use
50% "good" security, and next year get them to use 60% "good"
security, etc.

Most attempts at 100% security wind up in additional costs,
losing end user commitment, software/hardware deployment
nightmares, etc.

That's why we feel that Thumbprint USB tokens are 50% good security
that 100% will use, vs. laptops with encryption, which are probably
80% good security, except only 25% will use it; help desk calls and
costs will skyrocket, etc. In the end incidents and costs will rise
with poorly adopted security measures.

dreez



>
>This is a valid line of questioning. You're basically doing a threat
>assessment - how big is the vulnerability and how large is the threat.
>Having a security mechanism that 3 people in the world can "easily
>compromise" is only a big deal if you've got some pretty serious stuff
>on those laptops. In that case, having it on the laptop may be the
>biggest mistake.
>
>I have this argument (lower security that everybody uses vs. higher
>security that nobody uses) all the time in regard to passwords. I have
>one client that has auditors that insist on locking accounts after 3
>failures. This same client locks about 30-40 accounts a day due to
>password failure. By making things too tight, they've completely lost
>the Intrusion Detection benefit of password lockouts. I'd agree with
>you...if it's too complicated for the target audience (sales people and
>other non-techies), then you've got to make things simpler and perhaps
>come up with a way to watch it better. Maybe a process that e-mails the
>thumbprint logs (hopefully such a thing exists) off the box in the
>background every day.
>
>It's certainly valuable to know how secure something really is as
>opposed to what the sales people would like you to believe or may even
>think themselves. Then you need to determine how likely any of that is
>to happen and how big a deal it is if it does. Do your guys sell
>fortune cookie sayings or plans for the Tomahawk Cruise Missile?
>
>This relates quite a bit to the recent thread about pen-testing's value.
>It's very good to know what effort is required to circumvent a security
>mechanism and also what detection mechanisms are in place. In the case
>of the USB Thumbprint authentication....detection probably isn't gonna
>happen...it's on some sales guy's laptop and if he loses it, he's not
>gonna tell anybody for a while thinking he might find it and never get
>caught.
>
>-----Original Message-----
>From: m e [mailto:mje@list.intersec.com]
>Sent: Tuesday, January 27, 2004 8:58 AM
>To: pen-test@securityfocus.com
>Subject: Re: Hacking USB Thumbdrives, Thumprint authentication
>
>
>In-Reply-To: <AE503E4425AA90459FDD5066BCE87E9901DD8B84@smskpexmbx1.mskcc.root.mskcc.org>
>
>>When we investigated fingerprinting products, two colleagues cracked the
>>system by using a paper photocopy of a finger. They placed it on the
>>fingerprinting pad and pressed it with another finger to provide the
>>heat that the pad needs to detect. I was incredulous of their account,
>>but after reading the Putte source below, this sounds credible.
>
>
>very cool. This I'll try and let you know.
>
>Please devil's advocate the following argument.
>
>We are not trying to build a cruise missile to kill a fly.
>We want 50% security control that 100% of the people use, not
>100% security control that 50% of the people use.
>
>I can't see a threat scenario where wife copies sales guy's
>thumbprint on gummy bear while sales guy is sleeping to get
>a peek at his USB drive. Yes it may happen once a year, but
>chances are they will lose USB device first.
>
>Real vulnerability is sales guy loses USB drive, and Joe
>Six-Pack picks it up and brings it home to his kid. Or leaves
>USB drive at customer site and customer gets curious and tries
>to look at it.
>
>So what are the vulnerabilities in this scenario?
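The quoted reply's point about the client that locks 30-40 accounts a day is worth seeing in code: a hard "lock after 3 failures" rule fires on ordinary users fumbling their own password, while a source spraying one guess across many accounts never trips it. The following is an added example, not code from the thread or from any product it mentions. The log format, the hosts, the user names and the thresholds (3 consecutive failures for lockout; 5 distinct accounts from one source within 60 seconds for the detector) are all constructed for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (format invented for this example): two benign
# users mistyping their own password, and one source trying many accounts.
SAMPLE_LOG = """\
2004-01-27T08:01:00 auth FAIL user=alice src=10.1.1.5
2004-01-27T08:01:20 auth FAIL user=alice src=10.1.1.5
2004-01-27T08:01:45 auth FAIL user=alice src=10.1.1.5
2004-01-27T08:02:10 auth OK   user=alice src=10.1.1.5
2004-01-27T09:00:00 auth FAIL user=bob   src=192.0.2.77
2004-01-27T09:00:01 auth FAIL user=carol src=192.0.2.77
2004-01-27T09:00:02 auth FAIL user=dave  src=192.0.2.77
2004-01-27T09:00:03 auth FAIL user=erin  src=192.0.2.77
2004-01-27T09:00:04 auth FAIL user=frank src=192.0.2.77
2004-01-27T09:00:05 auth FAIL user=grace src=192.0.2.77
2004-01-27T11:30:00 auth FAIL user=heidi src=10.1.1.9
2004-01-27T11:31:00 auth FAIL user=heidi src=10.1.1.9
2004-01-27T11:32:00 auth FAIL user=heidi src=10.1.1.9
2004-01-27T11:33:00 auth OK   user=heidi src=10.1.1.9
"""


def parse_log(text):
    """Turn the constructed log lines into event dicts (timestamp, result, user, source)."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip blank or malformed lines
        ts, _, result, user_kv, src_kv = parts[:5]
        events.append({
            "ts": datetime.fromisoformat(ts),
            "ok": result == "OK",
            "user": user_kv.split("=", 1)[1],
            "src": src_kv.split("=", 1)[1],
        })
    return events


def locked_accounts(events, threshold=3):
    """Accounts a hard lockout policy would lock: `threshold` consecutive failures,
    with the streak reset by a successful login. Mirrors the auditors' 3-strike rule."""
    streak = defaultdict(int)
    locked = set()
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["ok"]:
            streak[e["user"]] = 0
        else:
            streak[e["user"]] += 1
            if streak[e["user"]] >= threshold:
                locked.add(e["user"])
    return locked


def burst_sources(events, window_seconds=60, min_distinct_users=5):
    """Sources whose failures hit at least `min_distinct_users` different accounts
    inside a sliding window: the signal a per-account lockout cannot see."""
    by_src = defaultdict(list)
    for e in events:
        if not e["ok"]:
            by_src[e["src"]].append(e)
    window = timedelta(seconds=window_seconds)
    flagged = set()
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        for i, start in enumerate(fails):
            users = {f["user"] for f in fails[i:] if f["ts"] - start["ts"] <= window}
            if len(users) >= min_distinct_users:
                flagged.add(src)
                break
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("locked by 3-strike policy:", sorted(locked_accounts(evs)))
    print("sources flagged by burst detector:", sorted(burst_sources(evs)))
```

On the sample data the 3-strike policy locks only the two legitimate users (alice and heidi) and never touches 192.0.2.77, which produced six failures in five seconds against six different accounts; the burst detector flags that source and nothing else. That is the "lost Intrusion Detection benefit" in miniature: the lockout count measures how clumsy users are, while a per-source view of failures across accounts measures what the lockout was supposed to catch.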



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:47 EDT