2

I have a homework question that suggests that applying security and usability best practices isn't enough to create a secure and usable system. What am I missing? Why isn't this enough?

If I follow usability best practices will I end up with a usable system? I think yes.

If I follow security best practices will I end up with a secure system? I think yes also.

So what am I missing?

schroeder
Amy
  • 1
    For the vast bulk of people and organizations, applying fully modern best security practices would reduce their security-related risks to very modest levels. (The remainder face threats that have the highest-end, most sophisticated capabilities or protect assets that must be secured from compromise to the highest degree of assurance humanly possible.) Alas, the number of people/organizations that actually robustly implement best practices is much, much, much lower. – mostlyinformed Jan 22 '17 at 05:48
  • 2
    Homework usually has some relation to things you've been taught before. This could be the missing context. – Steffen Ullrich Jan 22 '17 at 11:26
  • 1
    You can't just throw together a few design patterns to build working software. – CodesInChaos Jan 22 '17 at 13:35
  • @CodesInChaos well, to be fair, you *can* but what a horrible abomination it would be – schroeder Jan 22 '17 at 13:38

2 Answers

2

I think you dropped an important word in the homework question. "Applying security and usability best practices simultaneously isn't enough to create a secure and usable system."

The concept being explored by the question is the intersection of usability and security. The most usable system is not secure, and the most secure system is not usable. If you try to be the best of both, you'll fail at one of them.

For instance, a security best practice is to use passwords. But passwords are horrible for usability. How and where do you draw the line between a secure system and a usable system?

So, the idea that I think you missed is not the idea of following best practices, but trying to follow different best practices at the same time that tend to be at odds with each other.

schroeder
1

The key part about technology is that it evolves.

Sure you may apply the best practices, such as:

  • Keeping up to date on vulnerabilities
  • Ensuring software and OSes are up to date
  • Checking logs for potential intruders/problems

Depending on your environment, you may also want to be proactive. This would include:

  • NIDS and HIDS (Network/Host Intrusion Detection Systems)
  • Stateful packet inspection with a UTM or "Next-gen firewall"
  • Advanced, multi-level, on/off-site backups using a GFS scheme (Grandfather, Father, Son).

Information security is about Risk Assessment, which draws a similar approach from that of business, economics, and many other fields. Zero-day vulnerabilities, and the attacks that use them, cannot be prevented by following best practices. This should always be factored into a risk assessment, as well as other topics. To a small corporation, zero-day attacks might be too expensive to plan for and defend against. There is simply the lack of staff, equipment, or the capital (cash) to do so.

The key part to remember is that best practices should be a baseline, and by no means complete. However, there are situations that call for that to be the "good enough". As highlighted before, a SoHo (Small Office/Home Office) environment wouldn't have the resources to implement a hardware-based stateful firewall. Certainly the environment should have some simple form of backups and anti-virus, but should there be a plan for data loss due to a fire, earthquake, or other serious event? What about the loss of the external hard drive that contains weekly backups? Should a plan be in place for theft of the machine itself? Is there sensitive data on the machine?

There are plenty of questions that will need to be answered, and only when these get asked and potentially answered will there be a clear understanding of whether applying security and usability best practices isn't enough.

dark_st3alth