This month marks two years of "In Security." Over the past year, some of my more popular columns have dealt with data aggregation and theft, the limits of risk management, getting along with human resources and how to spot and handle rogue security staff, encroachments on personal privacy, and the humor we find in the nonsensical things we hear from security consultants and the consulted. Sometimes it's the laugh of recognition; sometimes it's the laugh right before everyone looks away nervously and changes the subject. In either case, it's worth taking a look back before considering what's next.
Progress happens -- though sometimes in slow motion. In response to last week's column about phishing within organizations, Rex Warren, a colleague and partner at Leviathan Security, responded with a related experience where people in big organizations sometimes forget that sometimes they need to prove their identity. He received a call recently that went something like this:
Caller: "You owe money, I'll take your account number."
Rex: "How do I know you're not a criminal?"
Caller: "I'm not a criminal."
Rex: "A good criminal wouldn't acknowledge being a criminal. In fact a dumb one wouldn't either."
Caller: "I know your 'secret' authentication information."
Rex: "That proves it's me not you; How do I know you didn't steal that information?"
Caller: I'm not a criminal.
Rex: We've been over that.
How would you make that system work, exactly? Think less tech and more do-unto-others. While generally impressed with my own credit union's variable risk-based identification and authentication processes -- this past year they started asking more authentication questions for transfers than for lower-risk balance inquires, for example -- it would be nice to receive a periodic mailing with a list of authenticators or secret questions I could ask them . This would be useful in the unusual case where they contact me about errors, suspected fraud or other problems. The technology is available; maybe we'll see more implementation next year.
Continuing the thinking-trumps-technology theme, more and more enlightened managers and educators realized over the past year that filtering software pushed by the likes of SurfControl and Websense doesn't work. It's not because the technology can't pick out words or URLs, but because employees and children intent on pursuing blocked content usually can find a way to retrieve it.
For example, Google arguably performs the foremost and broadest research into filtering. Yet the flexibility provided by search and proxy tools to bypass other filtering systems easily surpasses the sophistication of their own "SafeSearch" technology. Technology doesn't fix social and behavior problems, and filtering is eventually destined to head the way of prohibition, dance-hall bans, and the V-Chip.
Social education taking the place of mindless tools in both the workplace and schools? That's a positive development. Just as the Ron Popeil "set-it-and-forget-it" approach doesn't provide gourmet meals, the path to professionalism at work and critical thinking in school is best served by clear rules, trust and reasonable monitoring -- not roadblocks. The recent Virginia state foray into meaningful Net education still smacks of 50's educational films on the dangers of social diseases and fast driving, but helping the kids think is a giant step in the right direction.