Endpoint

11/19/2019
10:30 AM
A Security Strategy That Centers on Humans, Not Bugs

The industry's fixation on complex exploits has come at the expense of making fundamentals easy and intuitive for end users.

Too often, the human element of security is ignored or overlooked. As Martijn Grooten has pointed out, humans are features, not bugs, in information security. It's past time we acknowledged this reality and focused on improved usability for technical solutions and better communication outside the security community. With this one-two punch, the Internet Society's Online Trust Alliance estimates, over 90% of compromises could be prevented.

Certainly, this is not a novel concept. In his Black Hat 2017 keynote, Alex Stamos called for greater empathy toward users, acknowledging the industry's fixation on complex exploits that has come at the expense of making the fundamentals easy and intuitive. While great research avenues have emerged and sophisticated advanced persistent threats (APTs) have been detected, the overemphasis on lower-probability, complex exploits comes at the expense of higher-probability, less-sophisticated tactics that are responsible for over 90% of data compromises.

The focus doesn't have to be one approach or the other, as equal attention on both research avenues could significantly affect security for the majority of the population. Researchers behind the 2019 Verizon "Data Breach Investigations Report" find most attacks could be classified as nuisance attacks, which means solutions exist to prevent them. For instance, by adding a recovery number to your Google account for two-factor authentication, researchers found they could block "100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks."

If the fundamental technology solutions are well-known, why does digital literacy remain so low? This is where the human element — and especially usability and communications — has largely been ignored. For instance, despite the benefits of multifactor authentication (MFA), less than 10% of Gmail users enable it. Similarly, passwords remain a source of derision within the industry, as year-over-year default settings and poor password choices like "123456" and "password" continue to top the list, and have even been linked to high-profile breaches. This is why it is so essential to make the fundamentals, such as encryption, usable while also communicating their benefits.

In each case, there are usability and communication problems. According to a recent CyLab study, many survey respondents were not aware of password managers or found them hard to use. MFA suffers from similar usability problems, even though it is increasingly easy to use with limited delay. For the minority who do use MFA, those few seconds for authentication seem too long because they simply aren't aware of the security benefits from that short pause. The perceived security-convenience trade-off becomes especially confusing for users when they learn how some of these "best practices" can be circumvented by attackers. Why introduce inconvenience if the Charming Kitten cyber warfare group may bypass it?

The state of digital literacy is just another symptom of a broader problem. Security best practices generally fail the usability and user experience test, while the benefits and value of foundational security concepts remain underanalyzed or siloed within esoteric technical discussions.

Fortunately, it is not all doom and gloom. First, there is a growing awareness of the need for applied research on usable security. This targeted research can demonstrate the actual security benefits of proposed solutions and offer concrete value-added insights to encourage greater user adoption.

Next, there is a similar data scarcity problem in information security research, hindering our ability to demonstrate (or reject) the benefits of various best practices. Securely sharing data and findings can help the community as a whole demonstrate the value-add. In addition, the growing emphasis on security by design can help relieve the burden on many users, if successful.

Finally, as beneficial as security conferences are, we need to break out of our own ecosystem and expand our footprint across different verticals as well as mainstream, consumer-focused forums. There are already positive signs that this momentum is growing, as security experts offer their expertise to schools, libraries, and senior centers as well as non-security tech events.

Improving the state of digital literacy should be a top priority for our industry. The security challenges aren't going to let up any time soon as the proliferation of attackers and their techniques continues unabated. There are also significant national security, economic security, and societal benefits that can be gained through both greater research and greater outreach.

It may not be as sexy as finding the next hot exploit or APT, and that research definitely must continue. But we need to find greater balance between research and outreach, targeting those usable solutions that can address the compromises and attack vectors that affect the majority of the population. As a community, we are uniquely situated to address this gap by making advances in digital literacy and usable solutions an industry imperative.


Dr. Andrea Little Limbago is the chief social scientist at Virtru, a data privacy and encryption software company, where she specializes in the intersection of technology, cybersecurity, and policy. She previously taught in academia before joining the Department of Defense, ...