People are attracted to the security industry for a lot of different reasons, with one of the more common ones being that there are a lot of cool problems to work on. Smart, creative people enjoy working on complex projects and there are more than enough of those to go around right now. Encryption, APT defense, threat intelligence, and many other problems are attracting some of the brightest minds in the industry.
As important as those issues are, one of the biggest problems facing the security community is that many people still aren’t taking care of the fundamentals. You can have all the fancy blinky boxes and sophisticated intel feeds in the world, but if your users are still opening attachments in phishing emails and reusing passwords it doesn’t make a lot of difference. You’re still getting owned.
“What’s the biggest problem in security? It’s password reuse and nothing else is close,” Alex Stamos, CSO of Facebook, said at the Enigma conference this week.
People know that reusing passwords across different accounts is a terrible idea, but a lot of them do it anyway. Mostly that’s because it’s the easy choice, and humans are pretty lazy creatures, so the easy choice often wins. Password managers help with this, but some of them can be difficult to use, and if you lose the master passphrase, it’s game over. But the potential consequences of reusing a password, even a complex one, are equally disastrous.
Attackers know that people use the same password over and over, so if they’re able to get a user’s credentials for one site or service, their next move is to see if the password works on email, Facebook, Twitter, a banking site, or other high-value targets. That can start a chain reaction that leads to the victim’s entire online life being compromised. These are all things that security researchers and professionals have known for a long time. Password reuse is a well-understood problem, but it’s still a problem, albeit a boring one. And the thing about boring problems is that they’re boring. People don’t get super excited to work on those.
But the need for a good solution is still real. It might be a lot more interesting to develop a new cryptosystem, but making security easier for non-technical users is a serious challenge.
“In general, leave crypto to the experts and worry about the other things. I feel like we’re spending too much time on that and not on making security usable,” Parisa Tabriz, one of the top Chrome security engineers at Google, said.
“We need more people working on the mundane security things. We still have a really long way to go but it’s important for researchers to not just try to get the really large headlines. We need to embrace the mundane and the best practices of security.”
Fundamentals are there for a reason. They’re the foundation upon which the rest of the security infrastructure is built. If the foundation is weak, then the rest of the house isn’t going to stand much of a chance. And that’s where we are right now, after decades of advances and technical evolution. Doing the basics may not be exciting, but if we don’t get those right, the rest of it won’t matter much.