I Didn't Mean To Do That
By Mitch Wagner
Editor, Security Pipeline
Sometimes, when I review the past week of stories for my
newsletter, a theme jumps out, tying together many of the
major stories. This week, the theme is unintended
consequences.
The Law of Unintended Consequences is an idea popularized by
then-Congressman Newt Gingrich, during the Republican
Revolution in 1994. The idea goes like this: legislators enact
a law or policy with a benign intention, but the long-term
consequences of that action are often bad. They often make the
original problem worse.
Now, you may disagree with Gingrich and the Republicans. You
may be an ardent Blue-Stater. But, still, the Law of
Unintended Consequences has great merit.
Let's use an example from within IT -- from within the pages
of this week's Security Pipeline, as a matter of fact. Herbert
Lovelace, a chief information officer and pseudonymous
columnist for our sister publication, InformationWeek, writes
about an encounter with his company's security officer, trying
to get the security officer to change a policy that requires
users to change passwords frequently and use difficult-to-
guess passwords.
Who could argue with that? Good password hygiene is the first
thing they teach you in computer security school, right after,
"No, Nobody From Nigeria Sent You Any E-Mail (Unless You're
Actually Nigerian, Or Know Someone Who Is)." Well, the problem
(as Lovelace writes) is that the company policy is too strict,
requiring too many password changes too frequently, and making
it too hard to select usable passwords.
The predictable result, says Lovelace: To avoid forgetting
their passwords, users write them down. Hackers find the
written-down passwords. The strict security policy has the net
effect of making things less secure, not more.
That's an unintended consequence.
Based on the security officer's description of his job, I
wonder if he really understands what it is he's supposed to be
doing. The security officer describes his job this way: "to
ensure the strongest system security possible." The job of a
security officer is actually a little trickier than that: to
maximize security while also maximizing productivity and
minimizing costs.
The overzealous security officer seeks to maximize security,
but in doing so, makes the system hard to use so that users
circumvent security to get their jobs done, or don't do their
jobs and the company suffers. That's more unintended
consequences.
For example, Dave Molta writes, in an article about providing
wireless network access to visitors, that his department
frequently violates corporate security policy to allow
visitors to hook up. "We accommodate on one of the [access
points] in the lab, often in an ad hoc manner that likely
violates university policy. To provide visitors with official
wireless guest access would require us to file a formal
request in advance and be provisioned with a sponsored guest
account. Oh, what a pain."
Molta demonstrates that, if you set overly stringent security
policies, and your users don't know why those policies are in
place, the users will violate the policies. Maybe worse: they
won't even give it a moment's thought. They won't even go to
the trouble of sneaking around. They'll just blow off your
policies and do whatever they think they need to do to get
their jobs done, and they won't care who knows about it.
Molta's staff violates the policies and he doesn't even care
if he tells people about it in an article that can be read
anywhere around the world.
Does that sound like your job is hopeless? It's not. You have
a very powerful tool on your side: Persuasion. If you can
demonstrate to your users that your policies are useful,
suddenly every reasonable person in the company will be your
ally and deputy.
Wave Comment
Mitch Wagner’s newsletters are insightful and educational, as
well as entertaining. They are sponsored by VeriSign. It is
strongly recommended that you sign up for a free subscription.
Items in the most recent issue include:
Top Security News
- What's Next For Internet Explorer 7.0?
- Microsoft "Refreshes" Anti-Spyware Tool
- Microsoft Patches "Blue Screen Of Death" In Windows XP SP2
- More News...
Editor's Picks
- Blog: Man With A Death Wish
- Making Your Wi-Fi Guests Feel At Home
- Rob Enderle: You Are Your Worst Security Liability
- More Picks...
Voting Booth: Priorities
www.SecurityPipeline.com
Wave Issue 0509 3/4/05 Article 12-01