
Endpoint

6/18/2015
11:00 AM
Theresa Payton
Commentary

Cybersecurity Advice From A Former White House CIO

Today's playbook demands 'human-centered' user education that assumes people will share passwords, forget them, and do unsafe things to get their jobs done.

I remember the exact moment when I changed how I design a security strategy to conform to the new reality of the modern threat landscape. It was my first day on the job as Chief Information Officer in the George W. Bush White House in 2006. Our office knew we had to appeal to the hearts and minds of the White House staff if we wanted to protect their privacy and security; if solving cybersecurity and privacy issues were as simple as following security best practices, we would all be safe.

Two key questions came to me during my first 90 days at the White House. I had to answer them or we would have had a major calamity: Why, in spite of talented security teams and security investments, do breaches still happen? Why is it that despite hours and hours of boring computer-based training and security campaigns, we still make mistakes and click on links?

Applying these same questions to industry means taking incremental steps and viewing the problem of user education not as a technical or economic issue but as a human psyche issue. To make evolutionary change in cybersecurity we need to teach cybersecurity professionals to take human behaviors into account when developing cybersecurity strategies, then to incorporate that knowledge into the design and implementation of information systems, including the right incentives for positive behaviors.

The way we design security today, we have zero empathy. What that means is that we need to design all applications to assume that users will do everything wrong. According to the cybersecurity playbook, people will share passwords, people will forget them, and they will do unsafe things to get their jobs done, such as use free, unsecured WiFi. Haven't you?

Today, the banking industry is leading the way with this kind of human-centered design, asking systems to conform to the human -- and not the other way around. For starters, many banks will use your social security number to check your credit, but not as your customer identifier. If a hacker breaks into many of the back-office banking systems and steals your data, they will not get your social security number. The banks have implemented online banking programs that assume your device is infected, and have put into place free software that helps protect your computer while at the same time providing a more secure transaction.

Many of the banks led the way with authentication strategies. This became another added step on top of your user ID and password to provide you with better confidence. They may look at your computer's unique device ID. Or they may allow you to set up random security questions and answers. In some cases, they will text a code to your mobile phone. All of these are simple to use while adding another deterrent to cybercriminals.
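The step-up pattern described above (a recognized device ID passes on password alone; an unfamiliar device gets a code texted to the phone), written out as an added example that is not code from the author or from any bank. The `send_sms` callable, the five-minute code lifetime, and the assumption that the password check has already succeeded are all constructed for this illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # constructed policy: a texted code is valid for five minutes


class StepUpAuthenticator:
    """Password is assumed verified already; the extra step is only demanded on unfamiliar devices."""

    def __init__(self, send_sms):
        self.send_sms = send_sms      # callable(phone, code); stand-in for a real SMS gateway
        self.known_devices = {}       # user -> set of hashed device identifiers
        self.pending_codes = {}       # user -> (code, expiry timestamp)

    @staticmethod
    def _device_key(device_id):
        # Store only a hash so a leaked table does not reveal raw device identifiers.
        return hashlib.sha256(device_id.encode()).hexdigest()

    def enroll_device(self, user, device_id):
        self.known_devices.setdefault(user, set()).add(self._device_key(device_id))

    def login(self, user, device_id, phone, now=None):
        """Return 'ok' for a recognised device, or 'code_sent' after texting a one-time code."""
        now = time.time() if now is None else now
        if self._device_key(device_id) in self.known_devices.get(user, set()):
            return "ok"
        code = f"{secrets.randbelow(10**6):06d}"  # six-digit code, cryptographically random
        self.pending_codes[user] = (code, now + CODE_TTL_SECONDS)
        self.send_sms(phone, code)
        return "code_sent"

    def verify_code(self, user, device_id, submitted, now=None):
        """Single-use, time-limited check; success enrolls the device so the next login is just 'ok'."""
        now = time.time() if now is None else now
        entry = self.pending_codes.pop(user, None)  # popped on any attempt: no second guess at the same code
        if entry is None:
            return False
        code, expiry = entry
        if now > expiry or not hmac.compare_digest(code, submitted):
            return False
        self.enroll_device(user, device_id)
        return True
```

A failed or expired attempt discards the pending code, so the user has to trigger a fresh text rather than retry against the same one.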

We used a similar strategy at the White House. We knew breaches and incidents were inevitable, but we thought our best strategy was to segment data to save it. Instead of storing something -- such as the President's schedule -- in one place, we would segment the ownership across multiple teams, multiple systems, and disconnected networks. This practice requires a high level of collaboration and finely tuned synchronization, but the risk vs. reward is worth it.

We also realized that the staff at the White House was busy and if we expected them to be security experts they could not focus on their job and we would fail at ours. That is why we focused on designing for the human. We assumed that long briefings and boring computer-based training programs were ineffective, and redesigned them to focus on key points to get better results. One example was to shorten our smartphone briefing to two key points: report your missing smartphone immediately so we could locate it, and tell us if you are going on foreign travel for fun or for White House business so we could provide safe and effective communications overseas. We provided that briefing accompanied with a fun package that had the smartphone, accessories, and White House branded items to make the session memorable and fun.

At the end of the day, if we keep the same security mindset, keep implementing the same security protocols, and institute them with more money at a faster rate, we are doomed to failure. It's time to break the rules and try a different approach.

In the wake of recent, debilitating cyber-attacks, Theresa Payton remains the cybersecurity expert companies turn to regarding efforts to strengthen cybersecurity measures. Named one of the top 25 Most Influential People in Security by Security Magazine, she is one of ...

Comments
RyonKnight
User Rank: Strategist
6/30/2015 | 4:17:09 AM
Re: Segmented data
Thanks for your reply Theresa.  I totally agree that this could be a sensible measure for a couple of critical assets.  I could see using it for private keys or highly sensitive proprietary information.  Still can't see a practical way of making it work for something that's going to be frequently accessed by a variety of users, like a schedule.  I'm not sure if you can give any more specifics due to the nature of the job and what you were protecting, but kudos for making it work.

Thanks again for the article and taking the time to reply.
JohnL228
User Rank: Apprentice
6/29/2015 | 2:35:10 PM
Great Post Recognizing the Human
I really like your premise of human factor failings in this post. This harkens back to the human-centric design of Alan Cooper's "The Inmates are Running the Asylum." He used the creation of "personas" to help humanize the likely users in the design of software or other products. I suspect that a similar profiling will help to develop more elegant cybersecurity policies that anticipate the most likely human failings.

theresap282
User Rank: Author
6/24/2015 | 9:40:15 AM
Re: Segmented data
Hi Ryon, thanks for asking your question! In my humble opinion, you would do both. Because safety measures for data such as encryption or two-factor authentication are not 100% bulletproof solutions, you want to make sure you segment your data. When that breach happens, they can only steal one piece and you slow them down from taking more of your information. This is hard to do, which is why I only recommend this for 1-2 of your most critical information assets. Hope this is a helpful explanation.
RyonKnight
User Rank: Strategist
6/23/2015 | 7:43:45 AM
Segmented data
I'm unclear on what you're trying to get at with segmenting data like the President's schedule.  What is the benefit of having it segmented across multiple teams or systems?  How does this work in practice?  As you note, the amount of effort and synchronisation would be high.  There are lots of easier ways to secure data and restrict access than segmenting it all over the place.  You cite this as a "similar strategy" to how banks use 2 factor authentication, but this sounds like something quite different.  Grateful if you can clarify, thanks for the article.