double shot of snake oil, good conclusion

Tal Garfinkel talg at cs.stanford.edu
Fri Mar 7 15:26:29 EST 2003


On Thu, Mar 06, 2003 at 09:38:25AM -0800, Ed Gerck wrote:
> 
> 
> Tal Garfinkel wrote:
> 
> > The value of these types of controls is that they help users you basically
> > trust who might be careless, stupid, lazy or confused to do the right
> > thing (however the right thing is defined, according to your company
> > security policy).
> 
> It beats me that "users you basically trust" might also be "careless, stupid,
> lazy or confused" ;-)

That's security in the real world. You screen employees based on their
character and competence at the task you hired them to do, you typically
don't rigorously drill them on security procedures, and even if you do
most folks get lazy, careless or confused at some point. 

Example: If an executive is told by the security bozo down the hall that
they should not print out sensitive documents, they might take it
seriously, but then again they can make excuses for their laziness,
"he's just being paranoid", "I want to read this report in bed, it won't
hurt this one time",  etc.  On the other hand, if they have to do
something like break out the digital camera, it should be pretty obvious
to them that what they are doing is in pretty severe violation of
company policy, will likely get them severely reprimanded if caught, and
will likely obviate any convenience benefits they might have hoped to gain
by having a hard copy of that document. 

I think experience with password security is a perfect example of the
principle at work here: if you make it convenient to do the wrong thing,
people almost certainly will.

> Your point might be better expressed as "the company security policy would
> be followed even if you do NOT trust the users to do the right thing."
> But, as we know, this only works if the users are not malicious, if social
> engineering cannot be used, if there are no disgruntled employees, and
> other equally improbable factors.

Ok, so there are only two issues here. One is problems with intention
(are they malicious or not, this includes disgruntled employees etc.)
and the other is problems with competence (can they be relied upon to
always follow procedure). In the former case, document control will
probably only serve as a mild deterrent, but raising the bar doesn't
hurt. At least you might have the chance to catch some employee trying
to photo many pages of your sensitive data off their screen. In the
latter case, document control can help quite a bit, and can serve as a
deterrent against things like social engineering. 

Also, it seems you are assuming that all internal attackers have equal
access to information; this is not the case. If employees can make
printouts and accidentally leave them lying around, throw them away,
etc. it lowers the bar for an unprivileged internal attacker. At least
if everything stays in electronic form a malicious employee may have to
attempt to tackle your computer systems' access controls head on instead
of simply rooting around in your desk.

Clearly, document controls are not a silver bullet, but if used properly 
I believe they do provide a practical means of helping to restrict the
propagation of sensitive information.  

--Tal

---------------------------------------------------------------------
The Cryptography Mailing List