Network Security: Confidentiality vs. Availability
In the IT security world, there is a constant tension between the need to keep information confidential and the need to have it readily available. These are two legs of the familiar CIA triad (the third being integrity) that underpins every security practitioner’s model.
One of the reasons these two concepts seem to be at odds has mostly to do with what a system does when a check fails. Every test can fail in two ways: a false positive or a false negative. Biometric security calls them Type I (an authorized person is rejected) and Type II (an unauthorized person is accepted) errors, and measures them as the false rejection rate (FRR) and the false acceptance rate (FAR). The question information security asks is “are you an authorized person?”, so a wrong “no” (a false negative) maps to a Type I error and a wrong “yes” (a false positive) maps to a Type II error. Which error gets which number depends on which claim is treated as the one under test; the biometric convention, which takes “the claimant is genuine” as that claim, is the one used throughout this post.
A simple example should suffice: if a user has forgotten a password to a website, they may be asked to complete a short quiz before the password is reset. The quiz might show a picture of an animal along with a drop-down box asking what type of animal it is. If a valid user identifies the animal incorrectly because their fingers slipped, that is a false negative, or Type I error. If a malicious user trying to take over the account identifies the animal correctly, that is a false positive, or Type II error.
The problem, as it turns out, is that many security professionals focus almost exclusively on Type II errors. Complex password requirements, two-factor authentication and other security measures all aim at keeping attackers out. Users (and the businesses that serve them), by contrast, tend to focus on Type I errors: self-service password reset, local administrator rights and similar convenience and privilege mechanisms exist to keep the customer happy when a legitimate user is turned away.
Type II errors make the headlines, but Type I errors cause real anguish to individuals, and the damage is magnified by how rare the thing being tested for usually is. The classic statistical case of a rare but incurable disease makes this easy to see. Suppose it affects 1 in 10,000 people, and I take a test with a 1% false positive rate along with 1,000 other people. About 10 of us will test positive without having the disease, while the expected number of true cases in a group that size is only 0.1. If I am one of those 10, I’ll believe I definitely have the disease, when in fact there is roughly a 99% chance I’m perfectly fine. The result? Ten angry people. The error here lands on the innocent party, which is exactly where a legitimate user stands when a login check rejects them.
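The trade-off described in the last few paragraphs can be put into numbers. The following is an added example, not code from the original post: a score-based verifier (a biometric matcher or a login risk engine) with a constructed set of genuine and impostor scores, showing how raising the accept threshold pushes Type I errors (FRR) up and Type II errors (FAR) down, where the two cross, and what each choice costs in angry users versus admitted attackers. It also carries the rare-disease arithmetic through Bayes’ rule. The score lists, the 10,000 logins and 100 attack attempts per day, and the function names are all assumptions made for illustration.

```python
"""Added example (not from the post): how an accept threshold trades false
rejections (Type I / FRR) against false acceptances (Type II / FAR), plus the
base-rate arithmetic behind the rare-disease case. All numbers are constructed."""

from fractions import Fraction

# Constructed match scores (0-100) from a score-based verifier; higher means
# "looks more like the genuine claimant". Real matchers produce far more data,
# but ten of each is enough to show the shape of the trade-off.
GENUINE = [62, 70, 75, 80, 84, 88, 90, 93, 96, 98]    # authorized users
IMPOSTOR = [5, 12, 20, 28, 35, 41, 55, 63, 71, 79]    # unauthorized attempts


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Accept an attempt when its score is >= threshold.

    Returns (FRR, FAR) as exact fractions: the share of genuine attempts
    wrongly rejected (Type I) and of impostor attempts wrongly accepted (Type II).
    """
    frr = Fraction(sum(1 for s in genuine if s < threshold), len(genuine))
    far = Fraction(sum(1 for s in impostor if s >= threshold), len(impostor))
    return frr, far


def equal_error_threshold(genuine=GENUINE, impostor=IMPOSTOR):
    """Lowest threshold at which FRR first reaches FAR (the crossover that
    biometrics reports as the equal error rate).

    FRR can only rise and FAR can only fall as the threshold goes up, so the
    first crossing is the only one.  At threshold 101 nothing is accepted, so
    FAR is 0 there and the loop always returns.
    """
    for t in range(0, 102):
        frr, far = error_rates(t, genuine, impostor)
        if frr >= far:
            return t, frr, far
    raise AssertionError("unreachable: FAR is 0 at threshold 101")


def expected_outcomes(threshold, n_genuine, n_impostor):
    """Expected number of legitimate users turned away and of attackers let in,
    given how many attempts of each kind the check sees in a period."""
    frr, far = error_rates(threshold)
    return n_genuine * frr, n_impostor * far


def positive_predictive_value(prevalence, sensitivity, false_positive_rate):
    """P(condition | positive result) by Bayes' rule: the share of positive
    results that are real.  Applies equally to a disease test and to an alert.

    Inputs are converted through str() so a decimal such as 0.01 becomes the
    exact rational 1/100 rather than its binary-float approximation.
    """
    p, s, f = (Fraction(str(x)) for x in (prevalence, sensitivity, false_positive_rate))
    true_pos = p * s                 # real cases the test catches
    false_pos = (1 - p) * f          # healthy people the test flags
    return true_pos / (true_pos + false_pos)


if __name__ == "__main__":
    for t in (60, 71, 80):
        frr, far = error_rates(t)
        print(f"threshold {t:>3}: FRR={float(frr):.2f}  FAR={float(far):.2f}")
    t, frr, far = equal_error_threshold()
    print(f"crossover at threshold {t}: FRR=FAR={float(frr):.2f}")

    # Constructed daily traffic: 10,000 genuine logins, 100 attack attempts.
    for t in (60, 80):
        rejected, admitted = expected_outcomes(t, 10_000, 100)
        print(f"threshold {t}: {rejected} users rejected, {admitted} attackers admitted")

    # The disease case from the text: 1 in 10,000 prevalence, 1% false positives,
    # and (assumed) a test that never misses a real case.
    ppv = positive_predictive_value(0.0001, 1, 0.01)
    print(f"chance a positive result is real: {float(ppv):.3%}")
```

Two things stand out when it runs. Dropping the threshold from 80 to 60 takes the expected daily false rejections from thousands down to zero, but lets a third of the attack attempts through; there is no setting where both counts are zero, only a choice about who absorbs the errors. And with a 1-in-10,000 base rate, a 1% false positive rate means a positive result is real less than 1% of the time, which is the same arithmetic that makes a noisy security alert worthless unless something cheap sits behind it to re-check the claimant.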
At New Signature, customer service is our primary focus. How, then, do we balance these competing interests? We are not dealing with matters of life or death, but users will still grow angry if we produce a large number of errors of either kind.
If a user calls New Signature and asks for a password reset, we use several methods to verify that the caller is who they claim to be. If those methods are onerous or cause a delay, we are also quick to explain to the user why the delay is happening. Often, simply explaining how the verification process works is enough to defuse the tension.
As an example of the second case, a Type II error, consider the theft of confidential documents from Twitter employees. The full attack chain was fairly long, but it is a classic false-positive technique: by gaining access to a chain of web email accounts, the attacker was able to escalate step by step until private company information was within reach. With proper safeguards in place (restricting internal documents to the limited personnel who need them, isolating critical resources from direct internet access, audit alerts when sensitive documents are accessed) the attack would not have succeeded. Would Twitter still have been able to conduct its internet-centric business with those restrictions in place? Certainly.
There is, then, no magic bullet. The best way to avoid Type I errors is to make sure the verification process is well documented and known in advance. If a user calls in from a cell phone with a password reset request and already knows we will call our point of contact back at their office number, they won’t mind waiting while we confirm they are who they claim to be. Likewise, many technologies can reduce exposure to Type II errors without hampering the ability to do business. We have implemented secure, available solutions for clients of all sizes while still maintaining a high level of customer service.