Dark Reading is part of the Informa Tech Division of Informa PLC



11/19/2019
10:30 AM

A Security Strategy That Centers on Humans, Not Bugs

The industry's fixation on complex exploits has come at the expense of making fundamentals easy and intuitive for end users.

Too often, the human element of security is ignored or overlooked. As Martijn Grooten has pointed out, humans are features, not bugs, in information security. It's past time we acknowledged this reality and focused on improved usability for technical solutions and better communication outside the security community. With this one-two punch, the Internet Society's Online Trust Alliance estimates, over 90% of compromises could be prevented.

Certainly, this is not a novel concept. In his Black Hat 2017 keynote, Alex Stamos called for greater empathy toward users, acknowledging the industry's fixation on complex exploits that has come at the expense of making the fundamentals easy and intuitive. While great research avenues have emerged and sophisticated advanced persistent threats (APTs) have been detected, the overemphasis on lower-probability, complex exploits comes at the expense of higher-probability, less-sophisticated tactics that are responsible for over 90% of data compromises.

The focus doesn't have to be one approach or the other, as equal attention to both research avenues could significantly affect security for the majority of the population. Researchers behind the 2019 Verizon "Data Breach Investigations Report" find most attacks could be classified as nuisance attacks, which means solutions exist to prevent them. For instance, by adding a recovery number to your Google account for two-factor authentication, researchers found they could block "100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks."

If the fundamental technology solutions are well-known, why does digital literacy remain so low? This is where the human element — and especially usability and communications — has largely been ignored. For instance, despite the benefits of multifactor authentication (MFA), less than 10% of Gmail users enable it. Similarly, passwords remain a source of derision within the industry, as year-over-year default settings and poor password choices like "123456" and "password" continue to top the list, and have even been linked to high-profile breaches. This is why it is so essential to make the fundamentals, such as encryption, usable while also communicating their benefits.

In each case, there are usability and communication problems. According to a recent CyLab study, many survey respondents were not aware of password managers or found them hard to use. MFA suffers from similar usability problems, even though it is increasingly easy to use with limited delay. For the minority who do use MFA, those few seconds for authentication seem too long because they simply aren't aware of the security benefits from that short pause. The perceived security-convenience trade-off becomes especially confusing for users when they learn how some of these "best practices" can be circumvented by attackers. Why introduce inconvenience if the Charming Kitten cyber warfare group may bypass it?

The state of digital literacy is just another symptom of a broader problem. Security best practices generally fail the usability and user experience test, while the benefits and value of foundational security concepts remain underanalyzed or siloed within esoteric technical discussions.

Fortunately, it is not all doom and gloom. First, there is a growing awareness of the need for applied research on usable security. This targeted research can demonstrate the actual security benefits of proposed solutions and offer concrete value-added insights to encourage greater user adoption.

Next, there is similarly a data scarcity problem in information security research, hindering our ability to demonstrate (or reject) the benefits of various best practices. Securely sharing data and findings can help the community as a whole demonstrate the value-add. In addition, the growing emphasis on security by design can help relieve the burden on many users, if successful.

Finally, as beneficial as security conferences are, we need to break out of our own ecosystem and expand our footprint across different verticals as well as mainstream, consumer-focused forums. There are already positive signs that this momentum is growing, as security experts offer their expertise to schools, libraries, and senior centers as well as non-security tech events.

Improving the state of digital literacy should be a top priority for our industry. The security challenges aren't going to let up any time soon as the proliferation of attackers and their techniques continues unabated. There are also significant national security, economic security, and societal benefits that can be gained through both greater research and greater outreach.

It may not be as sexy as finding the next hot exploit or APT, and that research definitely must continue. But we need to find greater balance between research and outreach, targeting those usable solutions that can address the compromises and attack vectors that affect the majority of the population. As a community, we are uniquely situated to address this gap by making advances in digital literacy and usable solutions an industry imperative.


Dr. Andrea Little Limbago is the chief social scientist at Virtru, a data privacy and encryption software company, where she specializes in the intersection of technology, cybersecurity, and policy. She previously taught in academia before joining the Department of Defense, ...