Submitted by: Larry Kovnat, Senior Manager of Product Security, Xerox Global Product Delivery Group
We all have an intuitive sense of security. We don’t walk into dark alleys at night, we don’t leave our car unlocked when we park in a parking garage, and we keep our valuables in a safe place. We have an experience base that helps us make the right decisions.
We make security decisions every day of our lives, whether we realize it or not. It’s primal. Every living organism on earth has defenses to protect the individual and the group. When threatened, more complex animals make the proverbial “fight or flight” decision. It’s wired into our DNA. No surprise, then, that we make these decisions automatically and, for the most part, with a good outcome.
Our nature and our experience both help to protect us when threatened and keep us safe. What does our DNA tell us about posting personal information on Facebook? What does our experience tell us about downloading a cute cat pic sent to us in a “You’ve got to see this…” email? What does human nature say about copying tax returns on the copiers at the local copy shop? Not much, obviously.
Here’s the point: Security is part of living. It’s natural to respond to and protect oneself from threats. We do it all the time, and we often don’t give it a second thought. But when it comes to computer security, we just don’t have the experience to help us very much.
Computers have only been around for 70 years or so. Personal computers date from the ’80s, and mobile devices have been around for less than a decade. That’s infinitesimal compared to the length of human existence. With so little accumulated experience of computer and mobile security threats, how do we know who and what to trust?
To illustrate how our experience can help us, let’s first consider a simple matter of physical security:
- A Xerox service technician goes on a call to a machine that is installed in a prison, literally behind bars. The prison is concerned that someone could sneak in weapons concealed on their person, so everyone entering the cell block is required to pass through a metal detector. It used to be the case (since corrected) that the tech was asked to put their tool bag on a shelf to the side of the detector, walk through, and then pick up the bag from the other side of the shelf. The guard did not inspect the bag. The security flaw is pretty obvious in this example: the control was applied to the person but not to what the person was carrying, so the very thing most able to conceal a weapon bypassed the check entirely.
Now, here’s a computer security example, one we could face on any given day:
- I’ll keep it simple… well, maybe not. An executive, first name Dan, from a large financial institution gets an email. “Hi Dan, you don’t know me. I got your email address from LinkedIn so I could send you this picture. My daughter plays volleyball for another school. I was at her game the other day when they played your daughter’s team and I got a great shot of your daughter making a terrific block. Enjoy.” Is it safe to click on the link to the picture? What do you think?
Let me know your thoughts and we can analyze the situation next time.