Resources for Federal Financial Institutions Examination Council (FFIEC)

Information security's 'worst practices': Encryption conniptions

searchsecurity.techtarget.com

Some of you recognize this as a borrowed phrase from well-known security pundit Bruce Schneier's famous essay, In Praise of Security Theater. Essentially, "security theatre" is the practice of implementing complex, expensive security measures solely for the sake of making people notice that you're spending a lot of time and energy on security, despite the fact that your controls are easily defeated and largely ineffective. For example, consider the recent FFIEC federal requirement that banks use two-factor authentication for sensitive transactions. In an effort to skirt this rule, banks added a series of "security questions" to their standard password-based login processes. As any security professionals know, the use of two "something-you-know" factors is not the true intent of two-factor authentication. So in this case, security theatre provides an illusion of security while avoiding the implementation of new IAM technologies.

View the Resource

Share or bookmarklet this web page at: