Few people understand the yearning for a security panacea like I do. After all, I've been a security consultant for 25-plus years -- I wish there were a magic solution! That way, I wouldn't have to keep repeating myself and telling clients to take care of the basics over and over. They never do, so I keep talking until I'm hoarse.
Nevertheless, the security industry keeps coming up with solutions that masquerade as magic bullets. In fact, the five defenses I describe here all have value -- but none of them are game-changers, despite the heavy hype. Here's why.
Security dud No. 1: Two-factor authentication
Rarely a week goes by without a service provider mentioning it now offers two-factor authentication (2FA). This includes a who's-who in major service offerings such as Amazon Web Services, Dropbox, Facebook, Google, and Microsoft, to name a few. Better authentication can't hurt security, but it isn't a panacea for our larger computer crime issues, despite the legions who appear to believe that 2FA alone can save them.
What 2FA does well is prevent someone who is not on the device you're using from pretending to be you. Got that? If a service requires 2FA and the bad guy hasn't compromised your endpoint, it is much harder for him to impersonate you from another location or device.
Unfortunately, most computer crime is committed by bad guys who've compromised the victim's legitimate device by taking advantage of unpatched software or inducing the user to unknowingly execute a Trojan. Call it a man-in-the-endpoint attack.
Attackers then use the user's legitimate access for bad acts. Unfortunately, 2FA can't change that; in fact, 2FA has been shown to be useless in endpoint attacks over and over. Sophisticated banking Trojans have long stolen the entire balance out of citizens' bank accounts, even if they had 2FA enabled. APT hackers don't care about 2FA; they've been working around that problem for more than a decade.
The scenario goes like this: The bad guy exploits the legitimate user's computer, often through unpatched software or via Trojan. The user logs in using 2FA to their computer or remote service. The bad guy then piggybacks on that legitimate, authorized access to do malicious things.
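The scenario above, worked through as an added example that is not from the article: a toy bank service (the names BankService, Browser and run_scenario are assumptions for this example) requires a password plus an RFC 6238 TOTP code at login, then authorises every later request by the session token alone. The secret and clock are constructed (the RFC 4226 test secret and a clock starting at zero) so the codes are deterministic. A remote attacker replaying the captured code 90 seconds later is rejected, which is exactly what 2FA is good at; malware that reads the session cookie out of the same browser drains the account without ever touching the second factor.

```python
"""Toy man-in-the-endpoint scenario (constructed example): server requires
password + TOTP, the client keeps the session cookie, malware on that same
client rides the authenticated session."""
import hashlib
import hmac
import secrets
import struct

# RFC 4226 test secret, used here only so the TOTP codes are deterministic.
DEMO_SECRET = b"12345678901234567890"
STEP = 30  # TOTP time step in seconds (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = STEP) -> str:
    """TOTP (RFC 6238): HOTP over the current time step."""
    return hotp(secret, int(now // step))


class BankService:
    """Server side: login needs password and a fresh TOTP code; every
    later request is authorised solely by the session token issued then."""

    def __init__(self) -> None:
        self.accounts = {}   # user -> {"password", "secret", "balance"}
        self.sessions = {}   # session token -> user

    def register(self, user, password, secret, balance):
        self.accounts[user] = {"password": password, "secret": secret, "balance": balance}

    def login(self, user, password, code, now):
        acct = self.accounts.get(user)
        if acct is None or not hmac.compare_digest(acct["password"], password):
            return None
        if not hmac.compare_digest(totp(acct["secret"], now), code):
            return None  # wrong or stale second factor
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token

    def transfer(self, token, amount):
        """Debit the account behind the session. The server cannot tell
        whether the user or another process on the user's machine sent this."""
        user = self.sessions.get(token)
        if user is None or self.accounts[user]["balance"] < amount:
            return False
        self.accounts[user]["balance"] -= amount
        return True


class Browser:
    """Client side: stores the session cookie, as a real browser would."""

    def __init__(self) -> None:
        self.cookie_jar = {}

    def login(self, bank, user, password, code, now):
        token = bank.login(user, password, code, now)
        if token:
            self.cookie_jar["session"] = token
        return token is not None


def run_scenario():
    """Play out the attack; returns the outcomes so they can be checked."""
    bank = BankService()
    bank.register("alice", "correct horse", DEMO_SECRET, balance=1000)
    browser = Browser()
    t0 = 0.0  # constructed clock: time step 0 -> code 755224

    # A keylogger on the endpoint already has Alice's password and sees the
    # code she types; Alice's own login with that code succeeds.
    code_seen = totp(DEMO_SECRET, t0)
    browser.login(bank, "alice", "correct horse", code_seen, now=t0)

    # Attacker on another machine replays the captured code 90 s later:
    # the time step has moved on, so 2FA does its job and rejects him.
    remote_login = bank.login("alice", "correct horse", code_seen, now=t0 + 90)

    # Malware on Alice's machine just reads the cookie jar and rides the
    # already-authenticated session; no second factor is ever needed.
    stolen = browser.cookie_jar["session"]
    ride = bank.transfer(stolen, 1000)

    return {
        "remote_replay_rejected": remote_login is None,
        "session_ride_succeeded": ride,
        "balance_after": bank.accounts["alice"]["balance"],
    }


if __name__ == "__main__":
    print(run_scenario())
```

Nothing in the server's view distinguishes the malware's transfer from Alice's: same session token, same device, same network address. That is why binding the session to the device, or making the second factor stronger, does not help once the endpoint itself is owned.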
Security dud No. 2: Biometrics
Biometrics is discussed in reverent tones, as if retina or fingerprint scans were sacred. But biometrics suffers the same problem as 2FA. First, exploited endpoints fare no better with biometrics than with 2FA. Bad guys love authenticated log-ons and don't care how they get there. If they can use a highly trusted, authenticated log-on, so much the better.
The other reason biometrics aren't the ultimate solution (setting aside their high false-negative rates) is the second issue they share with 2FA: the authenticator. The authenticator is the object the access control mechanism uses to identify and authenticate a subject -- a user, computer, service, and so on. Your eye's retinal capillaries may uniquely identify you to a particular computer system or directory, but behind the scenes, that cool-looking retinal scan is turned into a bunch of boring bits and bytes.