Endpoint

6/18/2015
11:00 AM
Theresa Payton
Commentary
Cybersecurity Advice From A Former White House CIO

Today's playbook demands 'human-centered' user education that assumes people will share passwords, forget them, and do unsafe things to get their jobs done.

I remember the exact moment when I changed how I design a security strategy to conform to the new reality of the modern threat landscape. It was my first day on the job as Chief Information Officer in the George W. Bush White House in 2006. Our office knew we had to appeal to the hearts and minds of the White House staff if we wanted to protect their privacy and security; if solving cybersecurity and privacy issues were as simple as following security best practices, we would all be safe already.

Two key questions came to me during my first 90 days at the White House. I had to answer them or we would have had a major calamity: Why, in spite of talented security teams and security investments, do breaches still happen? Why is it that despite hours and hours of boring computer-based training and security campaigns, we still make mistakes and click on links?

Applying these same questions to industry means taking incremental steps and viewing the problem of user education not as a technical or economic issue but as a human psyche issue. To make evolutionary change in cybersecurity, we need to teach cybersecurity professionals to take human behaviors into account when developing cybersecurity strategies, then to incorporate that knowledge into the design and implementation of information systems, including the right incentives for positive behaviors.

The way we design security today, we have zero empathy. What that means is that we need to design all applications to assume that users will do everything wrong. According to the cybersecurity playbook, people will share passwords, people will forget them, and they will do unsafe things to get their jobs done, such as use free, unsecured WiFi. Haven't you?

Today, the banking industry is leading the way with this kind of human-centered design and asking systems to conform to the human -- and not the other way around. For starters, many banks will use your Social Security number to check your credit, but not as your customer identifier. If a hacker breaks into many of the back-office banking systems and steals your data, they will not get your Social Security number. The banks have implemented online banking programs that assume that your device is infected, and have put into place free software that will help protect your computer while at the same time helping to provide a more secure transaction.

Many of the banks led the way with authentication strategies. These add another step on top of your user ID and password to give you better confidence. They may look at your computer's unique device ID. Or they may allow you to set up random security questions and answers. In some cases, they will text a code to your mobile phone. All of these are simple to use while adding another deterrent to cybercriminals.

We used a similar strategy at the White House. We knew breaches and incidents were inevitable, but we thought our best strategy was to segment data to save it. Instead of storing something -- such as the President's schedule -- in one place, we would segment the ownership across multiple teams, multiple systems, and disconnected networks. This practice requires a high level of collaboration and finely tuned synchronization, but the risk vs. reward is worth it.

We also realized that the staff at the White House was busy, and if we expected them to be security experts, they could not focus on their job and we would fail at ours. That is why we focused on designing for the human. We assumed that long briefings and boring computer-based training programs were ineffective, and redesigned them to focus on key points to get better results. One example was to shorten our smartphone briefing to two key points: report your missing smartphone immediately so we could locate it, and tell us if you are going on foreign travel for fun or for White House business so we could provide safe and effective communications overseas. We delivered that briefing with a fun package that had the smartphone, accessories, and White House branded items to make the session memorable.

At the end of the day, if we keep the same security mindset, keep implementing the same security protocols, and institute them with more money at a faster rate, we are doomed to failure. It's time to break the rules and try a different approach.

In the wake of recent, debilitating cyber-attacks, Theresa Payton remains the cybersecurity expert companies turn to regarding efforts to strengthen cybersecurity measures. Named one of the top 25 Most Influential People in Security by Security Magazine, she is one of ...

Comments
RyonKnight, User Rank: Strategist
6/30/2015 | 4:17:09 AM
Re: Segmented data
Thanks for your reply, Theresa. I totally agree that this could be a sensible measure for a couple of critical assets. I could see using it for private keys or highly sensitive proprietary information. Still can't see a practical way of making it work for something that's going to be frequently accessed by a variety of users, like a schedule. I'm not sure if you can give any more specifics due to the nature of the job and what you were protecting, but kudos for making it work.

Thanks again for the article and taking the time to reply.
JohnL228, User Rank: Apprentice
6/29/2015 | 2:35:10 PM
Great Post Recognizing the Human
I really like your premise of human factor failings in this post. This harkens back to the human-centric design of Alan Cooper's "The Inmates are Running the Asylum." He used the creation of "personas" to help humanize the likely users in the design of software or other products. I suspect that a similar profiling will help to develop more elegant cybersecurity policies that anticipate the most likely human failings.

theresap282, User Rank: Author
6/24/2015 | 9:40:15 AM
Re: Segmented data
Hi Ryon, thanks for asking your question! In my humble opinion, you would do both. Because safety measures for data such as encryption or two-factor authentication are not 100% bulletproof solutions, you want to make sure you segment your data. When that breach happens, they can only steal one piece and you slow them down from taking more of your information. This is hard to do, which is why I only recommend this for 1-2 of your most critical information assets. Hope this is a helpful explanation.
RyonKnight, User Rank: Strategist
6/23/2015 | 7:43:45 AM
Segmented data
I'm unclear on what you're trying to get at with segmenting data like the President's schedule. What is the benefit of having it segmented across multiple teams or systems? How does this work in practice? As you note, the amount of effort and synchronisation would be high. There are lots of easier ways to secure data and restrict access than segmenting it all over the place. You cite this as a "similar strategy" to how banks use two-factor authentication, but this sounds like something quite different. Grateful if you can clarify; thanks for the article.