05-899/17-500 Usable Privacy and Security Colleen Koranda February 7, 2006

Usable Privacy and Security I

Koranda Carnegie Mellon University 2

Chapter 1: Psychological Acceptability Revisited

Chapter 2: The Case for Usable Security

Chapter 3: Design for Usability

Chapter 32: Users are not the Enemy

Usable Privacy and Security I

Usable Security

The user side: A secure system has to be complicated and complex; thus, difficult to use

The Need to Know Principle: the more that is known about security, the easier it is to attack

Users know little about security

Lack of knowledge makes it less secure

Humans are the weakest link in the security chain

Hackers pay attention to the human element in security to exploit it

Usable Security

Why are security products ineffective?

Users do not understand the importance of data, software, and systems

Users do not see that assets are at risk

Users do not understand that their behavior is at risk

Approach #1

Educate the user

Today’s educational topic: passwords

What makes a Good Password?

Suggestions for Creating Passwords

Interject random characters within a word: confine = cOn&fiNe

Deliberately misspell a word: helium = healeum

Make an acronym: I’ve fallen, and I can’t get up = If,alcgu

Use numbers and sounds of letters to make words: I am the one for you = imd14u

Combine letters from multiple words: Laser and implosion = liamspel

https://www1.cs.columbia.edu/~crf/accounts/crack_tutorial.html

http://www.hirtlesoftware.com/p_passpr.htm

http://www.securitystats.com/tools/password.php

How Long does it take to Crack a Password?

Brute force attack

Assuming 100,000 encryption operations per second

FIPS Password Usage 3.3.1: Passwords shall have a maximum lifetime of 1 year

http://geodsoft.com/howto/password/cracking_passwords.htm#howlong

Password   26 characters    36 characters       52 characters      68 characters          94 characters
length     lower case       lower case letters  mixed case         single case letters    all displayable ASCII
           letters          and digits          letters            with digits, symbols   characters, including
                                                                   and punctuation        mixed case letters

3          0.18 seconds     0.47 seconds        1.41 seconds       3.14 seconds           8.3 seconds
4          4.57 seconds     16.8 seconds        1.22 minutes       3.56 minutes           13.0 minutes
5          1.98 minutes     10.1 minutes        1.06 hours         4.04 hours             20.4 hours
6          51.5 minutes     6.05 hours          13.7 days          2.26 months            2.63 months
7          22.3 hours       9.07 days           3.91 months        2.13 years             20.6 years
8          24.2 days        10.7 months         17.0 years         1.45 centuries         1.93 millennia
9          1.72 years       32.2 years          8.82 centuries     9.86 millennia         182 millennia
10         44.8 years       1.16 millennia      45.8 millennia     670 millennia          17,079 millennia
11         11.6 centuries   41.7 millennia      2,384 millennia    45,582 millennia       1,605,461 millennia
12         30.3 millennia   1,503 millennia     123,946 millennia  3,099,562 millennia    150,913,342 millennia
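As an added example (not from the slides), the following Python ties the password-creation suggestions above to the brute-force table: it assigns a password to the smallest of the table's five character sets and computes the worst-case exhaustive-search time at the slide's assumed 100,000 operations per second. The column definitions and the rate come from the slide; the unit thresholds (365.25-day years, 12 months per year) are my assumption.

```python
import string

# Added example, not from the slides: worst-case brute-force time for a
# password at the slide's assumed rate, using the table's five character sets.
SPEED = 100_000  # encryption operations per second, as assumed on the slide

CHARSETS = {  # size of the character set -> the table column it describes
    26: "lower case letters",
    36: "lower case letters and digits",
    52: "mixed case letters",
    68: "single case letters with digits, symbols and punctuation",
    94: "all displayable ASCII characters, including mixed case letters",
}
UNITS = [  # (name, seconds), largest first; 365.25-day years are an assumption
    ("millennia", 1000 * 365.25 * 86400), ("centuries", 100 * 365.25 * 86400),
    ("years", 365.25 * 86400), ("months", 365.25 * 86400 / 12),
    ("days", 86400), ("hours", 3600), ("minutes", 60),
]

def charset_size(password):
    """Smallest table column whose character set contains the whole password."""
    if not password or any(c.isspace() or c not in string.printable for c in password):
        raise ValueError("expected a non-empty password of printable, non-space ASCII")
    mixed = any(c.islower() for c in password) and any(c.isupper() for c in password)
    digits = any(c.isdigit() for c in password)
    symbols = any(c in string.punctuation for c in password)
    if symbols:
        return 94 if mixed else 68    # 26 + 10 + 32 = 68 for a single case
    if mixed:
        return 94 if digits else 52   # the table has no 62-character column
    return 36 if digits else 26

def crack_seconds(charset, length, speed=SPEED):
    """Worst case: every string of this length over the set is tried once."""
    return charset ** length / speed

def human(seconds):
    """Render a duration in the largest unit the slide's table uses."""
    for name, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:.3g} {name}"
    return f"{seconds:.3g} seconds"

def estimate(password, speed=SPEED):
    """(charset size, worst-case time) for a password under the slide's model."""
    n = charset_size(password)
    return n, human(crack_seconds(n, len(password), speed))

if __name__ == "__main__":
    for pw in ["cOn&fiNe", "healeum", "If,alcgu", "imd14u", "liamspel"]:  # slide examples
        n, t = estimate(pw)
        print(f"{pw:10} {n} characters ({CHARSETS[n]}): {t}")
```

Recomputing a cell this way is a quick sanity check on any such table. The model covers exhaustive search only: a misspelled word such as healeum lands in the 26-character column, and its real value lies in resisting dictionary guessing, which this estimate does not measure.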

Education Results

Educating users does not automatically mean they will change their behavior

Why?

users do not believe they are at risk

users do not think they will be accountable for not following security regulations

security mechanisms can conflict with social norms

security behavior conflicts with self-image

Motivation

Users are motivated if they care about what is being protected

-and-

Users understand how their behavior can put assets at risk

Motivation

How can motivation be accomplished?

Security should not be a ‘firefighting’ response

Organizations must become active in security

Approach #2 – Design a Usable System

Design a Usable System

User centered design is critical in system security

Password mechanisms should be compatible with work practices

Change regime and spiraling effect: I cannot remember my password. I have to write it down. Everyone knows it’s on a Post-it in my drawer, so I might as well stick it on the screen and tell everyone who wants to know

Passwords that are memorable are not secure

How to Design a Usable & Secure System?

Current problem: Lack of communication between users and security departments

Solution:

Product: actual security mechanisms

Process: how decisions are made

Panorama: the context of security

Product

Password Considerations

Meaning increases memorability, but meaningful passwords are often less secure

How do you make a password easy to remember but hard to guess?

Passwords that change over time can decrease memorability; can they increase security?

System generated passwords can be more inherently secure but are less memorable

Passwords are often used infrequently: how can they be remembered?

Process

Security tasks must be designed to support production tasks

AEGIS process:

gathering participants

identifying assets

modeling assets in context of operation

security requirements on assets

risk analysis

designing security of the system

Benefits of involving stakeholders:

increased awareness of security

security aspects become much more accessible and personal

provide a simple model through security properties of the system

Panorama

Security tasks must take into account the environment

Education: teaching concepts and skills

Training: change behavior through drills, monitoring, feedback, reinforcement

Focus should be on correct usage of security mechanisms

Should encompass all staff, not only those with immediate access to systems deemed at risk

Attitudes: role models

Activity

Groups will explore how to solve a problem related to passwords with a given scenario

The goal is to make suggestions for a secure system that users will comply with

Simply saying ‘educate and train users’ is not enough to make a convincing argument

Weigh the pros and cons of decisions you make

Refer to the design checklist (p42)

Summary

Users need to be informed about security issues

The majority of users are security conscious if they see the need for the behavior

The key to all security efforts is a balance between security and usability

Bibliography

Security and Usability:

Chapter 1: Psychological Acceptability Revisited

Chapter 2: The Case for Usable Security

Chapter 3: Design for Usability

Chapter 32: Users are not the Enemy

http://www.smat.us/sanity/riskyrules.html

http://www.dss.mil/search-dir/training/csg/security/S2unclas/Need.htm

http://www.itl.nist.gov/fipspubs/fip112.htm

http://www.securitystats.com/tools/password.php

https://www1.cs.columbia.edu/~crf/accounts/crack_tutorial.html

http://geodsoft.com/howto/password/cracking_passwords.htm#howlong

