Dark Reading is part of the Informa Tech Division of Informa PLC


Endpoint

11/19/2019
10:30 AM

A Security Strategy That Centers on Humans, Not Bugs

The industry's fixation on complex exploits has come at the expense of making fundamentals easy and intuitive for end users.

Too often, the human element of security is ignored or overlooked. As Martijn Grooten has pointed out, humans are features, not bugs, in information security. It's past time we acknowledged this reality and focused on two things: better usability for technical solutions and better communication outside the security community. With this one-two punch, the Internet Society's Online Trust Alliance estimates, over 90% of compromises could be prevented.

Certainly, this is not a novel concept. In his Black Hat 2017 keynote, Alex Stamos called for greater empathy toward users and acknowledged that the industry's fixation on complex exploits has come at the expense of making the fundamentals easy and intuitive. Great research avenues have emerged and sophisticated advanced persistent threats (APTs) have been detected, but the overemphasis on low-probability, complex exploits comes at the expense of the high-probability, less sophisticated tactics that are responsible for over 90% of data compromises.

The choice doesn't have to be one approach or the other; equal attention on both could significantly improve security for the majority of the population. Researchers behind the 2019 Verizon "Data Breach Investigations Report" find that most attacks are nuisance attacks, for which preventive solutions already exist. For instance, Google researchers found that simply adding a recovery phone number to a Google account, which lets the service issue SMS or on-device challenges when a sign-in looks suspicious, blocked "100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks."

If the fundamental technology solutions are well-known, why does digital literacy remain so low? This is where the human element, and especially usability and communication, has largely been ignored. For instance, despite the benefits of multifactor authentication (MFA), less than 10% of Gmail users enable it. Similarly, passwords remain a source of derision within the industry: year after year, unchanged default credentials and poor choices like "123456" and "password" continue to top the lists of most common passwords, and have even been linked to high-profile breaches. This is why it is so essential to make the fundamentals, such as encryption, usable while also communicating their benefits.

In each case, there are usability and communication problems. According to a recent CyLab study, many survey respondents were not aware of password managers or found them hard to use. MFA suffers from similar usability problems, even though it is increasingly easy to use and adds only a few seconds to sign-in. For the minority who do use MFA, even those few seconds feel too long because they aren't aware of the security benefit that short pause buys them. The perceived security-convenience trade-off becomes especially confusing when users learn how some of these "best practices" can be circumvented by attackers. Why introduce inconvenience if a threat group like Charming Kitten can bypass it anyway?
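The bypass the previous paragraph alludes to is worth seeing concretely, because it explains both why users hear "MFA can be beaten" and why that is not an argument against MFA. Real-time phishing works by relaying: the victim types a one-time code into a look-alike page, and the attacker forwards it to the real site before the 30-second window closes. The code is valid because nothing about it ties it to the site the victim was actually looking at. The added example below (written for this page, not code from the article or from any named vendor) implements RFC 6238 TOTP, shows the relay succeeding against it, and then shows the same relay failing against a challenge that the authenticator binds to the origin it saw. It goes slightly beyond the text in that last step: the origin-binding is the property that makes hardware-key (FIDO/WebAuthn) logins phishing-resistant, and it is simplified here with a shared-key HMAC standing in for the real public-key signature. The shared secret, timestamps and the two origin strings are constructed sample values.

```python
"""Added example: why a relayed one-time code survives phishing but an
origin-bound challenge does not.  Not code from the original article."""
import hashlib
import hmac
import struct

# Constructed sample values (not real credentials or sites).
SECRET = b"12345678901234567890"          # RFC 6238 test-vector secret
REAL_ORIGIN = "https://login.example.com"  # hypothetical legitimate site
PHISH_ORIGIN = "https://login.example.com.evil.test"  # hypothetical look-alike
STEP = 30                                  # TOTP time step in seconds


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the 30-second time counter."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                     # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def server_accepts_totp(secret: bytes, submitted: str, now: int, window: int = 1) -> bool:
    """Real site: accept the code if it matches the current or an adjacent step.
    The +/-1 step window is what most servers use to tolerate clock skew."""
    return any(
        hmac.compare_digest(totp(secret, now + STEP * k), submitted)
        for k in range(-window, window + 1)
    )


def relay_phish_totp(secret: bytes, now: int, relay_delay: int = 5) -> bool:
    """Attacker's proxy site.  The victim reads the code off their phone and
    types it into the phishing page at time `now`; the attacker forwards it to
    the real site `relay_delay` seconds later.  Returns True if the real site
    accepts it, i.e. the phish succeeded despite MFA being enabled."""
    code_typed_on_phishing_page = totp(secret, now)
    return server_accepts_totp(secret, code_typed_on_phishing_page, now + relay_delay)


# Origin-bound challenge.  The authenticator signs the server's challenge
# together with the origin it actually saw in the browser.  A shared-key HMAC
# stands in for the public-key signature a real security key would produce.
def sign_challenge(key: bytes, challenge: bytes, origin_seen: str) -> str:
    return hmac.new(key, challenge + b"|" + origin_seen.encode(), hashlib.sha256).hexdigest()


def server_accepts_bound(key: bytes, challenge: bytes, signature: str) -> bool:
    """Real site recomputes the expected response using ITS OWN origin."""
    expected = sign_challenge(key, challenge, REAL_ORIGIN)
    return hmac.compare_digest(expected, signature)


def relay_phish_bound(key: bytes, challenge: bytes) -> bool:
    """Same relay attack: the attacker fetches a fresh challenge from the real
    site and presents it on the phishing origin.  The victim's authenticator
    binds its response to the origin it sees, so the relayed response fails."""
    response = sign_challenge(key, challenge, PHISH_ORIGIN)
    return server_accepts_bound(key, challenge, response)


if __name__ == "__main__":
    now = 1_700_000_001
    print("TOTP relayed within window accepted:", relay_phish_totp(SECRET, now))
    print("Origin-bound relay accepted:", relay_phish_bound(SECRET, b"server-nonce"))
```

The point for the usability argument: the "few seconds" of a code prompt still defeat every attacker who is not sitting in the middle of the session in real time, and the relay that does defeat it is closed by a design change on the server and authenticator side, not by asking the user to be more careful.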

The state of digital literacy is just another symptom of a broader problem. Security best practices generally fail the usability and user experience test, while the benefits and value of foundational security concepts remain underanalyzed or siloed within esoteric technical discussions.

Fortunately, it is not all doom and gloom. First, there is a growing awareness of the need for applied research on usable security. This targeted research can demonstrate the actual security benefits of proposed solutions and offer concrete value-added insights to encourage greater user adoption.

Next, there is a related data scarcity problem in information security research, which hinders our ability to demonstrate (or reject) the benefits of various best practices. Securely sharing data and findings can help the community as a whole demonstrate that value. In addition, the growing emphasis on security by design can, if successful, relieve much of the burden on users.

Finally, as beneficial as security conferences are, we need to break out of our own ecosystem and expand our footprint across different verticals as well as mainstream, consumer-focused forums. There are already positive signs that this momentum is growing, as security experts offer their expertise to schools, libraries, and senior centers as well as non-security tech events.

Improving the state of digital literacy should be a top priority for our industry. The security challenges aren't going to let up any time soon as the proliferation of attackers and their techniques continues unabated. There are also significant national security, economic security, and societal benefits that can be gained through both greater research and greater outreach.

It may not be as sexy as finding the next hot exploit or APT, and that research definitely must continue. But we need to find greater balance between research and outreach, targeting those usable solutions that can address the compromises and attack vectors that affect the majority of the population. As a community, we are uniquely situated to address this gap by making advances in digital literacy and usable solutions an industry imperative.


Dr. Andrea Little Limbago is the chief social scientist at Virtru, a data privacy and encryption software company, where she specializes in the intersection of technology, cybersecurity, and policy. She previously taught in academia before joining the Department of Defense, ...