Endpoint

12/5/2018
10:30 AM
Ira Winkler
Ira Winkler
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

The Case for a Human Security Officer

Wanted: a security exec responsible for identifying and mitigating the attack vectors and vulnerabilities specifically targeting and involving people.

It is clear that end users are a major, if not the primary, attack vector for most significant attacks. Whether using phishing, traditional social engineering, or physical compromise, sophisticated attackers know that it is easier for them to find a successful entry point into an organization by targeting users instead of by probing for technology weaknesses. As important, well-meaning users cause more damage in aggregate than malicious parties ever could. In response, there is a focus on trying to make users more resilient through awareness.

The reality is that this works to an extent, but more is required.

Technology is in place to stop user actions in advance, as it should be. In the safety field, it is believed that around 90% of workplace accidents are avoided by creating an environment that prevents employees from being exposed to situations where they can be injured. For example, in one factory where employees were frequently struck by forklifts, they painted a line down aisles, creating distinct walkways. This one change alone reduced almost all accidents involving forklifts. The remainder of the incidents were the result of walkers who were looking at their cellphones and drifted into the forklift because they weren't paying attention.

In the cybersecurity world, one equivalent of creating a secure environment is anti-malware software, spam filters, and PC protections that prevent users from installing software. Creating a secure environment filters out more than 99.9% of potential attacks before they can reach the user, or stops the user from causing damage. But clearly, attacks still make it through, which means awareness is still necessary to reduce the risk.

The truth is that awareness programs should focus on how users should do their jobs properly and not on what they should be afraid of. This requires a definition of proper governance. You cannot expect users to detect every possible trick, but they should at least be able to follow proper procedures in how to act appropriately.

Focus on the User
While in general most companies have some form of software to defend against attacks reaching users, some form of awareness, and something that resembles policies and procedures, these efforts are uncoordinated and haphazard. There is no focused effort to stop specific attacks or user actions.

To address this concern, what is required is a position that I call the human security officer (HSO), who is responsible for specifically identifying the different attack vectors and vulnerabilities involving people. The HSO examines where problems may arise and identifies the optimal ways to prevent, detect, and respond to the attacks or user actions.

Some people may contend that this is the job of the CISO or perhaps an awareness manager. The reality is that awareness people have a very specific role and focus on providing information to people in an attempt to get them to improve their security-related behaviors. The awareness team does not have the responsibility -- and especially not the authority -- to account for all aspects of preventing and mitigating vulnerabilities. The awareness team should report to the HSO.

The HSO would be responsible for determining where human-related vulnerabilities exist and focus on a coordinated method for mitigating the vulnerabilities. This would involve an examination of underlying business processes and the determination of the best combination of technology operational processes that most effectively mitigate vulnerabilities. The HSO would then ensure that the awareness team focuses on ensuring that the awareness program primarily addresses how people should perform their jobs correctly.

While it would be good for a CISO to take on the role of an HSO, in any company of reasonable size, the CISO has a team of people to whom she can delegate responsibilities. Much like there are individuals reporting to the CISO responsible for network security, incident response, and governance, there should be an HSO specifically responsible for all aspects dealing with human-related vulnerabilities. The role should be treated distinctly and go well beyond the traditional awareness roles.

Related Content:

Ira Winkler is president of Secure Mentem and author of Advanced Persistent Security. View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
UdyRegan
50%
50%
UdyRegan,
User Rank: Apprentice
12/18/2018 | 2:20:35 AM
Humans over Robots.
I would personally always prefer somebody human attending to my needs. But of course, the way that the world is progressing these days, it seems like automation is the only way to go to keep costs down. We'll have to see. I don't think that they'll really be that much more effective given a human has to program the bots and automated systems to begin with...
NathanDavidson
50%
50%
NathanDavidson,
User Rank: Apprentice
12/11/2018 | 10:32:59 PM
Personal experience
I have heard a story from a family friend that there was a candidate applying for a similar role who was perfect for that position and was hired on the spot. It was because of the personal experience that he shared with the company which moved the hiring department to act right there and then so as not to lose him. He told them that he just got out of prison for hacking a company that happened to be the competitor of this hiring company. That's how it works I guess when it comes to the security sector. If you had done it before, it goes to show that you have some great skillsets.
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
2019 Attacker Playbook
Ericka Chickowski, Contributing Writer, Dark Reading,  12/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
[Sponsored Content] The State of Encryption and How to Improve It
[Sponsored Content] The State of Encryption and How to Improve It
Encryption and access controls are considered to be the ultimate safeguards to ensure the security and confidentiality of data, which is why they're mandated in so many compliance and regulatory standards. While the cybersecurity market boasts a wide variety of encryption technologies, many data breaches reveal that sensitive and personal data has often been left unencrypted and, therefore, vulnerable.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19790
PUBLISHED: 2018-12-18
An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the `_failure_path` input field of login forms, an attacker can work around the redirection target restricti...
CVE-2018-19829
PUBLISHED: 2018-12-18
Artica Integria IMS 5.0.83 has CSRF in godmode/usuarios/lista_usuarios, resulting in the ability to delete an arbitrary user when the ID number is known.
CVE-2018-16884
PUBLISHED: 2018-12-18
A flaw was found in the Linux kernel in the NFS41+ subsystem. NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel id and cause a use-after-free. Thus a malicious container user can cause a host kernel memory corruption and a system ...
CVE-2018-17777
PUBLISHED: 2018-12-18
An issue was discovered on D-Link DVA-5592 A1_WI_20180823 devices. If the PIN of the page "/ui/cbpc/login" is the default Parental Control PIN (0000), it is possible to bypass the login form by editing the path of the cookie "sid" generated by the page. The attacker will have acc...
CVE-2018-18921
PUBLISHED: 2018-12-18
PHP Server Monitor before 3.3.2 has CSRF, as demonstrated by a Delete action.