Are Barbed Wire .gifs Actually More of a Target for Hackers than Corporate Systems?
Today's question comes from Mr. Richard Fader of Perth Amboy, NJ:
“I use Tumblr to share animated .gifs of barbed wire fences on windy days, and Tumblr just notified me I could now use “two factor” login with text messages to my iPhone, instead of my standby “Password123” password. Twitter, Facebook and Google apps have all done the same thing, but at work I’m still using “Password123” until they make me change it to “Password234” and so on.
What’s up with that – are my barbed wire .gifs actually more of a target for hackers than our corporate systems??”
Good question, Mr. Fader – and I hope the Polar Vortexes that have been dumping tons of snow on NJ have given you many interesting barbed wire photo opportunities.
Back to your question: Have you also noticed that your iPhone and iPad never seem to get viruses, yet the PCs at work seem to get them very regularly? That’s because you can’t load an application on those devices simply by clicking on a file someone emailed you, yet at work you can.
An odd thing is happening here. IT and security managers are absolutely convinced that users will never accept necessary security controls, like strong authentication and application whitelisting on their PCs, even though those same employees are happily using “two step verification” and “App Stores” from the consumer-grade products and services they use at home – and that they want to use at work!
Here’s the problem – to illustrate, let me ask you something, Mr. Fader: are you using your iPhone to take those barbed wire photos?
Mr. Fader: Yes, sometimes my iPad, too. Why – is there a problem with my photos?
No, not at all – but if you were to ask your IT or security manager what you should be using to take those pictures, they would recommend a $400 digital SLR camera with extra batteries and a 2-hour photographer’s online awareness course to learn how to use it. They would explain all the bad things that would happen if you didn’t use an enterprise-grade camera – as fast as you could say “Clem Kadiddlehopper” some Chinese APT would whisk your photos off to the Physical Security Division of the People’s Liberation Army in Building 3a. They would even show you pictures of this scary building!!
You see, they tried to make you use a SecurID card to have “secure authentication” but you hated having to carry yet another thing and lost it or threw it away – after scraping the Polar Vortex off your car’s windshield with it. They liked those SecurID cards because they are much stronger than that text message Tumblr wants you to use as a second factor. They also tried to only give you admin privileges on your PC, or install a very limited whitelisting control, so you could only load software IT thought you needed, because that is more secure than trusting the hundreds of thousands of applications in an App Store. Users rejected those approaches – much the way you would reject Governor Christie telling you to use that complex camera to take your barbed wire shots.
There is a ray of sunshine, Mr. Fader. I mean that literally, as it is now almost April and we probably won’t have more than another foot or so of snow on the East Coast before we jump immediately into an excruciatingly hot summer. But also figuratively: as more companies are forced by the “Choose Your Own IT” trend to deploy those “consumer-grade” products and services, they will be moving towards using Two Step Verification and App Stores and other advances in security that aren’t quite as strong as they’d like, but which actually work and which users actually use. This will be good for the business and for its customers.
Happy Tumblring, Mr. Fader!