Too many people don't take the time to read with an open mind or think things through. These failures can lead to security mistakes.
On the 12th of February, my article 10 tips for personal security when you leave an employer was published. It was a follow-up to my previous 10 important categories of employment transition security article, and addressed the other side of the employment transition security coin. It was also, apparently, one of the most popular recent articles here in TechRepublic's IT Security Weblog.
In that article, I discussed the following tips for personal security:
- Don't violate company policies.
- Don't log instant messages.
- Use encryption for private communications.
- Don't trust everything to encryption.
- Don't bring your private encryption keys to work.
- Protect your private IM and email passwords.
- Don't store browser history or Website passwords not directly related to work.
- Use encrypted proxies for private browsing.
- Don't store the sole copy of anything important at work.
- Never give your employer reason to distrust you.
Houston, We Have a Problem
A couple of readers who responded in comments made it clear that they thought I was being irresponsible, advocating for people to violate company policy -- which could cost their employers a lot of money and get themselves fired. This impression that I advocated violating company policy was apparently predicated entirely upon item number 8:
Use encrypted proxies for private browsing.
I keep catching myself thinking "Was I not clear enough? I know I mentioned that people should not violate company policy, but maybe things were written in such a way that people thought I presented that list item as an exception to the general rule."
Every time that occurs to me, I go back and read the article again, and I am reassured by what I see.
1. Don't violate company policies.
There's the very clear first item on the list, hard to ignore, and number 1 in the list for a reason. It says, unequivocally, that you should not violate company policy. Hopefully, the point was made that the rest of the list should be read as restricted by this. I know that many more of the readers who responded in comments understood that the list items should not be taken as advice to violate company policy than thought any of them should be.
8. Use encrypted proxies for private browsing.
If you take that in a vacuum, it might seem like it exhorts one to do something that, in some offices, is against company policy. However:
- Not all companies have a policy against this, contrary to the evident beliefs of one or two of the people who commented. In fact, some companies encourage security measures like this for certain tasks. Yes, really. More to the point, an SSH proxy (which I specifically mention as a means of using an encrypted proxy) wouldn't even be possible without at least tacit approval for using SSH, since you first have to have it installed on the system. MS Windows still doesn't include any standardized, peer-reviewed, strong encryption protocol implementations with a standard install other than in email clients and Web browsers, last I checked.
- The context of the article as a whole is littered with hints that the advice in the list should only be taken insofar as it does not violate company policy.
- This list item specifically cautions people against using encrypted proxies where they aren't sanctioned! It says:
The advisability of this may be open to question, however, as any encrypted proxy traffic may appear suspicious to a very watchful netadmin, and you may have to explain why you have near-constant encrypted traffic streaming to some off-site computer outside of your normal duties at work.
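The "very watchful netadmin" in that caveat is easy to approximate in code. What follows is an added example, not code from the original article or from TechRepublic: it parses a constructed, tab-separated subset of a connection log (timestamp, source host, destination host, destination port, duration) and reports internal hosts whose SSH or TLS sessions to one unsanctioned off-site peer add up to most of a working day. The internal address ranges, the sanctioned-peer list, the port set and the 8-hour/50% thresholds are assumptions chosen for the example.

```python
"""Flag internal hosts with near-constant encrypted sessions to off-site peers.

Added example (not from the original article). The log format is a
constructed, tab-separated subset of a Zeek-style conn log:
    ts  orig_h  resp_h  resp_p  duration
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: these ranges are "inside the company".
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: off-site peers the company already expects long encrypted
# sessions to (e.g. its own VPN concentrator). Hypothetical address.
SANCTIONED_PEERS = {"198.51.100.1"}
# Assumption: a long-lived session on these ports is presumptively a tunnel.
TUNNEL_PORTS = {22, 443, 8443}

# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges, used here as stand-ins for arbitrary off-site computers.
SAMPLE_CONN_LOG = "\n".join([
    "# ts\torig_h\tresp_h\tresp_p\tduration",
    # workstation .15 keeps an SSH session to one off-site host most of the day
    "1202803200.0\t10.20.0.15\t203.0.113.7\t22\t9000",
    "1202812800.0\t10.20.0.15\t203.0.113.7\t22\t10800",
    "1202824200.0\t10.20.0.15\t203.0.113.7\t22\t7200",
    # the same workstation on the sanctioned VPN all day: expected, not flagged
    "1202803200.0\t10.20.0.15\t198.51.100.1\t443\t28800",
    # workstation .16 does ordinary short HTTPS sessions
    "1202805000.0\t10.20.0.16\t203.0.113.9\t443\t45",
    "1202809000.0\t10.20.0.16\t203.0.113.9\t443\t120",
    "1202815000.0\t10.20.0.16\t203.0.113.9\t443\t30",
    # internal-to-internal SSH is out of scope for this check
    "1202806000.0\t10.20.0.16\t10.20.0.2\t22\t14400",
])


def is_internal(ip):
    """True if the address falls in one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_conn_log(text):
    """Parse the constructed tab-separated log into a list of dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, orig, resp, port, duration = line.split("\t")
        records.append({"ts": float(ts), "orig": orig, "resp": resp,
                        "port": int(port), "duration": float(duration)})
    return records


def sustained_tunnels(records, window_seconds=8 * 3600, fraction=0.5):
    """Return {(orig, resp, port): total_seconds} for internal hosts whose
    sessions on a tunnel port to a single unsanctioned off-site peer cover
    at least `fraction` of `window_seconds` (default: half an 8-hour day)."""
    totals = defaultdict(float)
    for r in records:
        # only internal -> external traffic is of interest here
        if not is_internal(r["orig"]) or is_internal(r["resp"]):
            continue
        if r["port"] not in TUNNEL_PORTS or r["resp"] in SANCTIONED_PEERS:
            continue
        totals[(r["orig"], r["resp"], r["port"])] += r["duration"]
    threshold = window_seconds * fraction
    return {key: secs for key, secs in totals.items() if secs >= threshold}


if __name__ == "__main__":
    for (orig, resp, port), secs in sustained_tunnels(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(f"{orig} -> {resp}:{port}  {secs / 3600:.1f} h of encrypted session time")
```

Run as a script it prints the one workstation that held an SSH session to an off-site address for seven and a half hours of an eight-hour day, which is exactly the near-constant encrypted stream the quoted caveat says an employee may be asked to explain; the sanctioned VPN session of the same length is deliberately ignored.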
10. Never give your employer reason to distrust you.
Just to drive the point home, I included a more generally applicable warning against behaving in a manner your employer might not like to close the list.
Even after the list closed, I felt the point important enough that I made it again in the closing paragraph of the article, using yet another formulation, yet another perspective, and yet another argument. If the previous two and a half instances of cautioning people against violating company policy and/or giving any hint of compromising the security of company resources were not enough, hopefully a final statement for the reader to take away when finished reading -- one that reiterates the point in yet another way -- would end any doubt about the importance of avoiding such conflicts of interest:
Finally, always remember that in many ways your employer's security is also your own security, and security measures employed by someone else for his or her own benefit may prove beneficial to you, too.
Read Carefully with an Open Mind
I know that a lot of people skim a lot of things on the Internet, looking for new information. I know that quite a few skim just looking for reasons to complain, too. Which of these was the motivation for commenting about the inadvisability of encouraging people to violate company policy in each case, when I pretty clearly did no such thing, I don't know.
When you see something that doesn't seem right to you while skimming, though, I hope you will all do the same thing in the future that I try to make sure I do: go back and read more carefully. When something stands out as contradicting my beliefs when I'm skimming, I don't immediately see it as a sign that someone is necessarily stupid or evil. Instead, I see it as a sign that I may have something new to learn. I take the time to read more carefully, and if there's any question in my mind about what's meant by what I read, I try to always ask what was meant if there's a convenient way to do so.
Attention to detail and a mind open to new ideas are both highly important characteristics for ensuring a decent working grasp of security principles, which is in turn important to protecting your own security. Don't let the tendency to believe you're in too big a hurry to read through something convince you that you know what you've read when, in fact, you probably didn't even notice 80% of the words over which your eyes so quickly slid.
Think Things Through
Nothing should be taken in a vacuum, at face value, without considering context and implication:
- Don't take the problem of filesystem fragmentation, in a vacuum, as an isolated performance issue -- consider whether fragmentation poses a threat by affecting the performance of your security software.
- Don't take the supposed benefits of a security tool at face value -- consider whether it's an interface to an architectural security characteristic of the system (e.g., true privilege separation) or just a bolted-on security "feature" (e.g., MS Windows User Account Control).
- Don't assume that everybody is always on the same page, ignoring the possible context of what others are saying -- ensure that you and whoever you're talking to aren't in fact talking about different things with the same name.
- Don't assume that the fact "current technology" limits cryptanalysis effectiveness means no single entity can afford enough computing power to brute-force crack your password this century -- consider the implications of emerging technologies that may be leveraged in surprising ways to provide distributed security cracking capabilities.
Read and Think
If you cannot read carefully with an open mind, and think critically about what you've read, no amount of skimming over the highlighted parts of security articles will do you very much good. It takes more than the half-second overview to really grasp new concepts and learn the value and proper use of new techniques in the complex world of security.