Software complexity as an enemy of security

These days it is unlikely for a company not to use third-party online products. Every day we rely heavily on messaging apps, online data storage, team collaboration tools such as issue tracking systems, and many other apps. This is fine; we need all of these to boost our productivity. But in my experience, it happens far too often that people don't know how to use them securely.

Unfortunately, people tend to put too much trust in the software they use. While expectations are sometimes too high, very often users ask for no more than what they paid for: good-quality software that saves them time and makes life easier.
Software is often too big and heavy, which results in a bad user experience and makes users unwilling to explore it. User interfaces are not clean enough, there are tons of poorly explained features, and I can completely understand why users get confused when it comes to security features.

There is huge room for improvement in this area, and there are a couple of good reasons to change the current state of affairs.
The first is users complaining about nearly unusable software; the second is the growing number of data leaks caused by misconfigured security features; and the third, foremost for business, is that each additional feature comes with maintenance and support costs, which is something no business wants.
It is in the interest of all involved parties to make things simpler, and the sooner companies understand that, the better for everyone.

I have been working for three years with an EFSS vendor to improve the security of its products, with careful attention to the usability of security functions. It took some time and resources, but the products are far more usable nowadays, which in the long term reduces support and maintenance costs and, obviously, makes data safer.
We need more vendors to take this approach seriously: simplifying security features so that users can adopt them more easily.
It is naive and foolish to expect all users to be security savvy. The sooner security folks understand that regular users have no interest in becoming security experts, the better. We need to adjust our software to reality, and the reality is that regular users don't give a crap about complex security features and pay very little attention to data security, unless you train them to think otherwise.
And yes, you can, and actually should, educate your users and employees.

Security awareness is getting better, but it is still low in society, and vendors alone can't solve that problem for good. Users have got used to products that work out of the box, and they are so enthusiastic about all those great productivity features that they don't bother much about anything else. Times have changed, and we need to tweak that beautiful and idealistic mindset. Bad guys are out there and want your data more than ever before.
As much as I believe that software should be simplified, the IT department on the customer side plays a huge role in this game.
We are far from having a simple switch that makes software ideal for each and every company. Staff on the consuming side need to learn how to tune it to their needs and then educate all users within their company.

This is real, guys: the problem is out there, and vendors are working on it (at least some of them). But until (if ever) we get to the point where security features are easy to use, you need to secure your resources in the meantime by learning how to configure apps to your needs and spreading that knowledge.

In the past five years I have worked in many roles, which gives me a big-picture perspective on this topic. It takes time and money to educate users, but it is worth it.
During pentests, more than once or twice the customer's network was solid, but they were using misconfigured third-party tools that granted access to the data or, in the case of on-prem appliances, to the network.
I have also worked as a security architect/engineer in companies providing software, and I have seen loads of support tickets from confused users who didn't know how to use security features. I have seen statistics on how often security features are used, and they were disappointing.
Before the IT department was properly formed in one of the companies I worked for, I was the point of contact for all security questions related to third-party software used internally. That is about 300 employees, and you may have no idea how basic some of the questions were and how many problems people had with the software.
You can see the scale once you start auditing the setup of tools in your own organization, especially if you focus on less techy groups like HR, sales, and marketing. And don't be surprised if depression sets in right after.
I am also a user, after all, and it does happen to me too that some software has such badly integrated security features that I switch to the competition to save my time and energy.
It doesn't sound profitable when people find your software so annoying that they quit, right?

The problem is widespread and affects people of all professions, so I decided to try to poke the industry a little with this article.

Long story short:

A lot of software instances and accounts are not well secured because users find security features too complex and hard to understand without good tutorials, and these rarely exist.

The world is not ideal, and products are far from intuitive and completely secure by default, but that is not a status quo that must last forever. If vendors and consumers put in some work together, the world can quickly become a safer place at low cost. Waiting for the problem to disappear without taking action on both sides won't get us far.

If you are a software vendor:

  • simplify security features and bring them to regular human beings
  • create easy tutorials on how to take advantage of the security measures available in your product
  • describe the potential pitfalls that are specific to your software
  • collect data on security feature usage, find out what the most common mistakes your users make are, and fix them by making the feature even simpler and/or by providing an educational article to your users

If you work in an IT department and your company uses third-party products:

  • ask the software vendor for a security tutorial or checklist and educate your users on how to use the software safely
  • gather feedback from your users, e.g. with short surveys, and then pass the most problematic cases on to the vendor
  • audit your software setup to assess how safe your company is, and take appropriate action to improve your posture

To be a good example myself, I provided a guide on using an EFSS solution, describing the most common pitfalls and user mistakes. I feel like it doesn't fit Medium's content, so I'll just provide a link to my blog in case you're interested in that EFSS safety tutorial:
