Thursday, December 30, 2010

Prevent Attacks and Improve Usability By Understanding Asymmetric Threats

How asymmetric threats can blindside your organization, and how to prevent attacks while supporting productivity.

Users are typically blamed as the weak link in security. Yet we also need to take into account that users are often just naively reacting to asymmetric threats, which are difficult to evaluate even for experts.

Asymmetric Threat: a low-probability event with high consequences.

The difficulty with preventing this type of threat is that even though the consequences could be disastrous (including collateral damage, information leaks, and reputation loss), users may mistakenly accept the risk based solely on the event's low probability of failure. As is known in the medical field for the elective procedure called VBAC (vaginal birth after cesarean), many patients choose to undergo the procedure because the risk is low (say 1%), even though the consequence can be death or serious, lasting impairment for both mother and child.

For example, in spite of all the attacks that we hear about on the Internet, the probability that any specific location will be successfully attacked is likely to be low for an organization's users. Consequently, users commonly see and rate online attacks as low-probability events ("Attackers will not guess my password.") and are not usually as concerned as they should be about the high-consequence side.

As another example, consider phishing. It is a typical asymmetric threat: the user is asked to do something that seems safe (low probability of failure) without realizing the high consequences.

Users are unreliable security partners when it comes to evaluating asymmetric threats.

Users tend to dismiss potential problems if they are perceived as low-probability events. Organizations, on the other hand, also have to look more carefully at what is at stake and at the expected loss per event, which captures the high-consequence side of the risk and motivates adequate countermeasures.

Also important to many organizations today, given HIPAA and other privacy regulations, are the potentially high fines and breach notification duties that can be imposed, not just the direct losses.

Usability and Security Aspects

Adding a conventional security system to better counter asymmetric threats and provide regulatory compliance will most likely require users to change.

For example, if you must send each recipient a password before they can read the email, this is cumbersome and unnatural. Or, if you must require recipients to register and select a password just to read your email, this forces recipients to use yet another service they did not choose. Alternatively, if the solution requires going through a particular webmail interface and/or installing plugins for a desktop mail client, then users have to change their work environment.

Further, requiring users to change burdens them with new procedures and disrupts their work when desktop updates and plugins clash, reducing productivity. It can also end up blocking cost-saving and desirable options, such as Google Apps and phones, if those are not protected.

Thus, notwithstanding the security and privacy needs, usability is also a critical consideration. Making a system harder to use in order to be secure is not secure: it will either not be used or be used poorly. Moreover, organizations have various non-compliant desktop, cloud, and phone systems that are already in service and that people already know how to use. There are other significant limitations in practice, such as non-compliant systems used by partners and customers, and the customer support burden of new applications.

Users Do Not Want Change

If there is any unanimity in what users want, it is that they want to use their systems without change!

Second, users want to be able to switch to cloud or phone systems if they are not in the office, or if the office system is down. Third, users also want to communicate with their customers and partners without asking them to change. Fourth, users view security as "that which reduces productivity" and so will try to bypass security rather than follow a security process — for example, users will likely close a warning notice without even reading it.

The IT challenge today is how to provide the functionality that users want with the security that the organization needs.

The ZSentry Solution

To maximize return on investment, organizations should invest first in areas that support multiple objectives within a diverse spectrum of asymmetric threats. The goal is to effectively enable security and privacy compliance while assuring usability and versatility anywhere, for all systems that people can or already know how to use.

ZSentry is unique in providing these capabilities, through the various Use Options >> that can be used separately or concurrently, including ZSentry On-Site (desktop mail clients), ZSentry Cloud (FISMA compliant), ZSentry App (web browsers), ZSentry API (custom services), and ZSentry SMS (secure text messages for phones).

And given that no one is likely to successfully deter, prevent, or preempt every attack, organizations must invest in capabilities to help eliminate or at least mitigate the effects of a potentially catastrophic attack.

ZSentry is also unique in allaying access and data security concerns locally, in the infrastructure, and in the cloud. Each customer's login and data are protected separately by the Sans Target ZSentry technology, with configurable, encrypted metadata (the keys are likewise protected by the Sans Target ZSentry technology), providing a protected, standards-compliant, unique user experience and feature set for each customer.

This is even more important in the context of "cloud computing" and SaaS (Software as a Service), where user data may be stored in the "cloud". With ZSentry, customer access audit trails and customer data storage can be securely maintained in the "cloud" as encrypted, de-identified numbers, whose access keys are provided and secured by the ZSentry technology.

Read more at Use Options >>