Wednesday, August 17, 2011

Some musings on security

Security is a chain; the chain is only as strong as its weakest link. The chain extends a long, long way. The kinds of things involved in the chain include (in no particular order) the server software, server hardware, client software, client hardware, backup tapes, LAN, WAN/Internet, wireless networks, passwords, people peering over your shoulder, and the actual users of the system. The latter is generally the weakest part of the chain.

But before we get to that, a diversion to the server side. We recently purchased a subscription to an online service for our school. I didn't have any part in the evaluation of the product, but looking at it once connected, I soon saw that the administrator user could see all users' passwords. Fail. Passwords on the server should never, but never be recoverable. The reasons for this are plastered all over the Internet, and relevant literature; I won't go into them here. Additionally, the server did not use an encrypted connection to accept passwords; the password went in cleartext from client to server. Two major security flaws in the one product do not provide much confidence in the designers of the product. What other holes are there in the product, waiting to be exploited? I'll bet little Bobby Tables is just waiting to get in there. The designers of the software might think security holes will only affect their system; they'd be wrong. Password re-use is rampant; an exploit of one site will likely lead to other accounts being compromised.
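The storage flaw described above, as an added example (not the product's code, and the user table is constructed in memory): a store that keeps the password itself, so any administrator or database copy reveals it, beside a store that keeps only a salted PBKDF2 hash, so the server can verify a password but never read it back.

```python
import base64
import hashlib
import hmac
import os


class PlaintextStore:
    """The weak scheme from the post: the server keeps the password itself."""

    def __init__(self):
        self.rows = {}  # constructed in-memory "user table"

    def register(self, user, password):
        self.rows[user] = password

    def check(self, user, password):
        return self.rows.get(user) == password

    def admin_view(self, user):
        return self.rows[user]  # recoverable: the flaw the post describes


class HashedStore:
    """Hardened scheme: only a per-user salt and a slow hash are stored."""

    ITERATIONS = 200_000  # work factor; raise as hardware gets faster

    def __init__(self):
        self.rows = {}  # constructed in-memory "user table"

    def _digest(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def register(self, user, password):
        salt = os.urandom(16)  # unique salt: same password, different record
        self.rows[user] = (salt, self._digest(password, salt))

    def check(self, user, password):
        if user not in self.rows:
            return False
        salt, digest = self.rows[user]
        # constant-time comparison avoids leaking how many bytes matched
        return hmac.compare_digest(self._digest(password, salt), digest)

    def admin_view(self, user):
        salt, digest = self.rows[user]
        b64 = lambda b: base64.b64encode(b).decode()
        # an administrator sees only this; the password cannot be recovered from it
        return "pbkdf2_sha256$%d$%s$%s" % (self.ITERATIONS, b64(salt), b64(digest))
```

Hashing fixes only the storage flaw; the cleartext connection the post also mentions needs TLS between client and server, which nothing here provides.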

So, if web-software designers (of quite a popular product in the education sector, I might add) have virtually no idea of basic security principles (I certainly don't recall learning any of that in my Computer Science and Computer Engineering courses), what do we expect of the end-user? We might tell people not to re-use passwords, but who's going to remember a unique password for every site they register on? It's just not going to happen. There has been much discussion on this topic of late, brought on by this comic.

The end-user is (usually) the weakest link in the chain, being human, and in all likelihood, having no idea about security principles. And there are two things (or lack thereof) that make them the weakest link: Usability and education.

Usability in Security: The people who implement security are generally nerds who know a hell of a lot about security. Unfortunately, they don't tend to know much about usability, or user experience (UX) as it's now known. That's a broad, sweeping statement, and I'm sure there are plenty of counter-examples, so apologies to those unfairly tarred by that brush. But any technical security must be balanced with usability. There is no point having a complex password requirement, and resetting passwords regularly if the user won't remember them: they will just write the password on a sticky-note, stuck to the screen. The computer-side security might be strong, but the user has just shifted the security hole beyond the reach of the computer. Users will always find a way to do this. Nothing can be idiot-proof, because idiots are so ingenious.

Security in Education: We do not teach security anywhere. There might be mention of it in the Victorian curriculum, but in passing. Most schools do not have a separate IT subject anymore; the trend has been to integrate it into other subjects. Most teachers I know know less about security than the students they teach. There needs to be some expertise in teaching this, which is currently not being met. The Hacker High School project attempts to cover this, but is excessively technical, and perhaps with an ill-thought-out name. Where are people expected to learn this sort of thing? From the occasional email that the bank sends? Does anyone actually read those? You might think that banks would be interested in getting this into the curriculum, given that they tend to be the primary target of this sort of thing. Perhaps we need to form some partnerships with them.

Perhaps biometrics (fingerprint scanners, iris scanners) will fill in some of these holes, but even they require the hardware to be fully trusted, which is difficult when dealing with user-owned devices. A fully networked world will be full of exploits until that weakest link is somehow strengthened. (Bruce Schneier's upcoming book on security from a societal perspective should be interesting).