Security Behavior
by Donald Blake
Everyone hates computer passwords.
I can hardly remember last night, let alone a stupid x-length password. Depending on how paranoid and delusional the organization is, a password can be very long and require some really crazy requirements. If I remember correctly, when I was in the Navy I had a password that was 16 characters long and required a minimum number of upper case letters, lower case letters, numbers, and special characters. I believe I used some sort of vulgar language relating to how much I hated the system for making me have to create such a long password and I wrote it down in Notepad.
At work I have access to five different systems, each requiring a password. Some of them require two-step security to get access to the system.
If I was paid a dollar for every time I had to enter my username and password, I'd be able to retire! Using passwords to secure a computer network is actually silly. It's basically like having a club and all you need to access this club is the password to it.
Computer networks are expensive to build and maintain and, more importantly, the information that they contain can be critical to the organization. If the network is ever compromised or abused, then the organization's world could change drastically or come to an end.
With all the grief that passwords cause users, and knowing that an intruder can be really intelligent and have access to a lot of resources, no system can be 100 percent safe. There need to be better way to secure a computer network other than by using a password as the main line of defense.
Let's theorize. How do you have a computer system without using passwords and only a username? Is it possible? Assuming we aren't corruptible and we could sit right next to that user and watch everything the user did, then yes, we could tell if the user is using the system as intended. Let's try and replicate the ability to sit right next to the user.
We need a system that can watch users in real time. This way we can watch what they are doing and if they do try to stray, then we can stop them.
We need to know our user intimately and watch their behavior. Users don't normally access every piece of information on a computer network. They just use the network for their specific purpose. We need to keep track of the user's history and constantly compare it to what they are currently doing. We also need to keep track of their habits, such as how fast they enter commands into the system. This way, we can detect any changes in their behavior and, for an intruder to be able to use the user's account, they would have to match that behavior.
No user is an island, and the more things we can compare the user to the better. Let's organize users into groups and watch the groups' behavior. Each user in a particular group will have a similar behavior as all of the other users in the group. The users access the same files, do the same type of things, and do them in a similar way. We'll keep track of the group's history so we can make sure the users within the group are always doing the same or similar things, too. A user's behavior will match their group behavior and an intruder will now have to match the users' and the group's behavior.
No system is completely secure.
Compromising computer networks is big business these days. Organizations depend on their networks to keep them and their users alive. It's far too risky, silly, and archaic to use passwords as the main line of defense for a computer network.
A better solution is to use the user's behavior. If the users are monitored in real time, tracked in the right way, and grouped together effectively, then an intruder would have to know the user and the group the user belongs to just as intimately as the network does to gain access. Using user behavior will also stop a user from accessing things they aren't suppose to! Companies use human behavior to sell people stuff all the time.
Let's be smart and use human behavior to protect us!
Thanks for reading.
Shout out to Violet, Norah, Kayla.