Opinion: A spring cleaning for security

Computerworld - This month marks two years of "In Security." Over the past year, some of my more popular columns have dealt with data aggregation and theft, the limits of risk management, getting along with human resources, how to spot and handle rogue security staff, encroachments on personal privacy, and the humor we find in the nonsensical things we hear from security consultants and the consulted. Sometimes it's the laugh of recognition; sometimes it's the laugh right before everyone looks away nervously and changes the subject. In either case, it's worth taking a look back before considering what's next.

Get smarter

Progress happens -- though sometimes in slow motion. In response to last week's column about phishing within organizations, Rex Warren, a colleague and a co-founder of Leviathan Security, responded with a related experience, where people in big organizations sometimes forget that sometimes they need to prove their identity. He received a call recently that went something like this:

Caller: "You owe money; I'll take your account number."
Rex: "How do I know you're not a criminal?"
Caller: "I'm not a criminal."
Rex: "A good criminal wouldn't acknowledge being a criminal. In fact, a dumb one wouldn't either."
Caller: "I know your secret authentication information."
Rex: "That proves it's me, not you; how do I know you didn't steal that information?"
Caller: "I'm not a criminal."
Rex: "We've been over that."

How would you make that system work, exactly? Think less tech and more "do unto others." While generally impressed with my own credit union's variable risk-based identification and authentication processes -- this past year, they started asking more authentication questions for transfers than for lower-risk balance inquires, for example -- it would be nice to receive a periodic mailing with a list of authenticators or secret questions I could ask them. This would be useful in the unusual case where they contact me about errors, suspected fraud or other problems. The technology is available; maybe we'll see more implementations next year.

Continuing the thinking-trumps-technology theme, more and more, enlightened managers and educators realized over the past year that filtering software pushed by the likes of SurfControl and Websense doesn't work. It's not because the technology can't pick out words or URLs, but because employees and children intent on pursuing blocked content usually can find a way to retrieve it.

For example, Google arguably performs the foremost and broadest research into filtering. Yet the flexibility provided by search and proxy tools to bypass other filtering systems easily surpasses the sophistication of Google's own SafeSearch technology. Technology doesn't fix social and behavior problems, and filtering is eventually destined to head the way of prohibition, dance-hall bans and the V-Chip.