Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

3/1/2019
10:30 AM
Ira Winkler
Ira Winkler
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Security Experts, Not Users, Are the Weakest Link

CISOs: Stop abdicating responsibility for problems with users - it's part of your job.

There are countless articles, conference speakers, panelists, and casual conversations among IT and security personnel lamenting that users are the weakest link in security. The claim is that no matter how well you secure your organization, it takes just one user to ruin everything. While there's no doubt that a user can take down these "experts'" networks, the problem lies not with the user, but with the experts.

As I wrote in my previous column, user actions are expected and, most importantly, enabled by security staff. The problem with the expression "the users are the weakest link" is that it abdicates responsibility for stopping problems. Security professionals may believe that they did everything they could, but they're really just giving up.

All a Part of the System
Here is what's critical: Users are a part of the system. They are not accessories. They serve a business function that requires interaction with your organization's computer systems. To determine that a part of the system — users — will always be insecure and there is nothing that you can do about it is a failure on your part.

Consider just about any other discipline within an organization. Accounting has processes in place to deal with the expected human actions involving financial mistakes and malfeasance. You do not hear CFOs declare that they can't keep accurate financial records, because users are the weakest link. COOs don't say their organizations can't run effectively, because they have humans involved in operations. Any CFO or COO who made such a claim would be rightfully fired, because they are responsible for their processes, which have humans as a critical part of those processes and they must figure out how to effectively manage those people.

CISOs who cannot figure out how to effectively manage humans using systems they are responsible for protecting should be disciplined, if not fired, for proclaiming they are failing to deal with a critical aspect of their systems. Just as systems have to be designed to protect from the expected external hacking attacks, they must be designed to protect from expected user actions.

One critical aspect is that security professionals seem to believe that the solution to deal with human mistakes — and remember this doesn't deal with intentional malicious actions — is awareness training. But the reality is that although awareness training can be valuable, it is not perfect. This reliance on an imperfect countermeasure is behind the negligence in proclaiming users the weakest link.

Security professionals must realize that while awareness reduces the risk, their job is not finished. First we must consider that most awareness programs are poor. From experience, observation, and research, most awareness programs are not achieving their desired goals in creating strong security behaviors. Even assuming they could, security professionals would still need to create comprehensive programs that implement the supporting processes and technical countermeasures. This would account for both the inevitable user error as well as the malicious actions.

However, instead of security professionals acknowledging that they have failed to account for expected user failings or malfeasance, they blame the user. That is unacceptable.

While one my previous columns described the need for a human security officer to address the users from a comprehensive perspective, in short, you need to have a process in place that looks at potential user failings regarding:

  • What are critical processes or likely areas where users can create damage?
  • Analyzing and improving the processes to remove user decision-making, or specifying how decisions should be made, if they cannot be removed.
  • Implementing technology that prevents the opportunities for users to cause damage, as well as technology that mitigates damages if proactive measures don't work.
  • Developing awareness programs that focus on informing users how to make decisions and do their jobs according to the established processes.

Just as CFOs and COOs cannot simply state that the user is the weakest link to justify failures in the processes that they oversee, the CISO cannot blame users for failures in security processes. The user is an embedded component of organizational computer systems, and it is negligent not to put in a set of comprehensive countermeasures to prevent, detect, and mitigate the anticipated failings of that component.  

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Ira Winkler is president of Secure Mentem and author of Advanced Persistent Security. View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
paul.dittrich
100%
0%
paul.dittrich,
User Rank: Strategist
3/1/2019 | 11:28:44 AM
A badly-flawed analogy
Using CFO or COO as an example of effectively managing people-based security risks is a flawed analogy and very unfair to CISOs / CIOs.

The CFO has a very strong and extensive set of detailed legal and regulatory requirements which codify many years (centuries?) of experience countering bad actors both internal and external.  The solutions are well known and CFOs enjoy a very high success rate of preventing or quickly detecting problems.

The COO has an alphabet soup of groups (again, based on many years of experience) to provide detailed guidance on how to mandate "safe" working conditions and processes.  And the COO is very unlikely to worry about a single human crippling or even destroying the entire company.

The CISO/CIO has much weaker legal / regulatory support to handle a threat landscape which is still rapidly evolving.  And their worst nightmare is a single user who either willfully or accidentally causes a major problem - a breach or an outage.

Nor do the CFO and COO have to worry about a CEO who never ever says "No" to a developer.....
REISEN1955
0%
100%
REISEN1955,
User Rank: Ninja
3/1/2019 | 10:43:08 AM
Different category
This is argumentative if you place a user on the same platform as a security expert.  They are entirely different animals.  Some users, no matter how much education is thrown at them - and we need more of that - listen up Security experts - do NOT get it ever.  They won't.  Why?  A thousand reasons, most ignorant of the tech stuff and some just live that way.  Security experts know more than users of course but have a different realm of responsbility.  WE know not to click on an attached invoice - but put a whitelist or watchlist in front of us and we are on a different planet.  No - we are both either as weak or strong as we choose to be. 
<<   <   Page 2 / 2
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Deliver a Deadly Counterpunch to Ransomware Attacks: 4 Steps
Mathew Newfield, Chief Information Security Officer at Unisys,  12/10/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19604
PUBLISHED: 2019-12-11
Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a &quot;git submodule update&quot; operation can run commands found in the .gitmodules file of a malicious repository.
CVE-2019-14861
PUBLISHED: 2019-12-10
All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the (poorly named) dnsserver RPC pipe provides administrative facilities to modify DNS records and zones. Samba, when acting as an AD DC, stores DNS records in LDAP. In AD, the default permiss...
CVE-2019-14870
PUBLISHED: 2019-12-10
All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the S4U (MS-SFU) Kerberos delegation model includes a feature allowing for a subset of clients to be opted out of constrained delegation in any way, either S4U2Self or regular Kerberos authent...
CVE-2019-14889
PUBLISHED: 2019-12-10
A flaw was found with the libssh API function ssh_scp_new() in versions before 0.9.3 and before 0.8.8. When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence...
CVE-2019-1484
PUBLISHED: 2019-12-10
A remote code execution vulnerability exists when Microsoft Windows OLE fails to properly validate user input, aka 'Windows OLE Remote Code Execution Vulnerability'.