Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Security Experts, Not Users, Are the Weakest Link
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
3/5/2019 | 3:41:41 PM
Re: Who is at fault?
Secure password - use a SHA256 hash - easy to find if you have the noted file on another computer - extremely good security but hell to work with.  Supercalifragileisticexpealidocious also works with alternative charactter approach as does it backwards. 
Luna Tsee
50%
50%
Luna Tsee,
User Rank: Apprentice
3/4/2019 | 2:21:10 PM
Who is at fault?

The analogy may not be perfect but it does make a valid point. Largely the issue of security is not one of blame, though there is some.

The point is simply the people responsible for security are patching holes in a bad design. Remote user identity is a problem. And until the password as the primary identity method is replaced with a better one, the problem will remain.

Enforcing security tools like 2FA, 2SA, Recapta, long and cryptic passwords and other requirements is making the user responsible for securing the system. Thus users must expend extra efforts and conform to content producers' requirements (dongles, RSA keys, smartcards, Upper case, lower case, special symbols, at least 13 characters, but no space, or non keyboard symbols) to conduct Internet intercourse makes the user "Prove Who They Are'. That's because the systems are not yet sophisticated enough to tell a human from a machine the real you from a 'clone'.

We have driver's licenses, passports, Charge Cards. None of these places such an extrordinary level of participation in identity.

It should not be the user's responsibility to secure the systems they interact with.

That's the problem. We can argue -Who's to blame: the User or CISO? all day but that doesn't solve the problem.

Luna Tsee
50%
50%
Luna Tsee,
User Rank: Apprentice
3/4/2019 | 2:15:19 PM
Who is at fault?

The analogy may not be perfect but it does make a valid point. Largely the issue of security is not one of blame, though there is some.

The point is simply the people responsible for security are patching holes in a bad design. Remote user identity is a problem. And until the password as the primary identity method is replaced with a better one, the problem will remain.

Enforcing security tools like 2FA, 2SA, Recapta, long and cryptic passwords and other requirements is making the user responsible for securing the system. Thus users must expend extra efforts and conform to content producers' requirements (dongles, RSA keys, smartcards, Upper case, lower case, special symbols, at least 13 characters, but no space, or non keyboard symbols) to conduct Internet intercourse makes the user "Prove Who They Are'. That's because the systems are not yet sophisticated enough to tell a human from a machine the real you from a 'clone'.

We have driver's licenses, passports, Charge Cards. None of these places such an extrordinary level of participation in identity.

It should not be the user's responsibility to secure the systems they interact with.

That's the problem. We can argue -Who's to blame: the User or CISO? all day but that doesn't solve the problem.

REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
3/4/2019 | 10:47:23 AM
Re: Must be a user!!!
i deleted my secondary comment as it was unfair but i am with a major firm in a malware forensics unit and deal with users all day long.  My real feeling is that to compare and lump users in with security pro is an unfair mirror.  Both have issues but entirely different.  i do wish that security pros would be allowed or advocated by the C-Suite to educate users more than they do. 
BradleyRoss
100%
0%
BradleyRoss,
User Rank: Moderator
3/3/2019 | 8:10:23 PM
Water is Wet
If security management management is saying that they can't provide security as long as somebody on the system might open a phishing email, they should be fired and the ashes distributed as a warning to future management.  Part of the idea of least privilege, two man rules, and other similar techniques is to limit the ability of a single action by a user to compromise the system.  There should also be limits on what users can access from outside a controlled environment.

If you manage a computer system, you have to assume that two or three of the software tools are completely compromised, and you don't know which xomponents are damaged.  It's called eliminating single point of failure vulnerabilities and identifying sections of fault trees where two or three problems can xause a disaster.  Look at the design methoss for nuclear reactors, aircxraft, automobiles, and the handling of toxic materials.

Security is expensive

Security is not convenient

Security requires you to think and understand

Live with it or it will kill you
BradleyRoss
50%
50%
BradleyRoss,
User Rank: Moderator
3/3/2019 | 7:55:47 PM
water is wet
If security management management is saying that they can't provide security as long as somebody on the system might open a phishing email, they should be fired and the ashes distributed as a warning to future management. Part of the idea of least privilege, two man rules, and other similar techniques is to limit the ability of a single action by a user to compromise the system. There should also be limits on what users can access from outside a controlled environment.

If you manage a computer system, you have to assume that two or three of the software tools are completely compromised, and you don't know which components are damaged. It's called eliminating single point of failure vulnerabilities, and identifying sections of fault trees where two or three problems can cause a disaster. Look at the design methods for nuclear reactors, aircraft, automobiles, and the handling of toxic materials.

Security is expensive

Security is not convenient

Security requires you to think

Live with it or it will kill you 
jeffmaley
50%
50%
jeffmaley,
User Rank: Strategist
3/1/2019 | 1:45:33 PM
This column is flawed.
Users are absolutely the weakest link. You say that any COO or CFO that said that would be fired, but what we're seeing is a consistent trend towardsa automation, removing the user. Everyone agrees that people are flawed and the things they do are flawed. Pretending that's not the case is ignoring the obvious data to the contrary and waving away a valid problem. 

Your proposed solution is literally every mature information security management system. You've put forth nothing new or innovative and are instead rehashing old ideas, ideas that are tried and true but could certainly be improved. I agree that awareness programs do not go far enough, but the solution isn't to give up, the solution is to make them better. Instead of awareness programs, we should be using evangelical programs. To reach the user community, we need to do a better job of encouraging, educating, and making them cognizant of their involvement in the process. If we're excited about security, we can help them be excited about security, too.
J3R3
100%
0%
J3R3,
User Rank: Apprentice
3/1/2019 | 1:23:17 PM
Flawed Analogy
If CFO's and COO's did not view users as the weak link in accounting and operations processes then there would not need to be consequences for users failing to follow the appropriate processes. There would also not need to be separation of duties, or cross training, or mandatory vacations. We could completely do away with audit departments and all of those government oversight positions would not exist. We have all of these things because CFO's and COO's have always known that users are the weakest link and these are the detective and preventative controls that have been created to reduce the risk inherent with having humans as employees. 

Mr. Winkler seems to be misunderstanding the meaning of "users are the weakest link."
paul.dittrich
0%
100%
paul.dittrich,
User Rank: Strategist
3/1/2019 | 12:39:52 PM
Re: A badly-flawed analogy
Please see paragraph 4 of the original column.  Both CFO and COO are used as examples.
Thor7077
67%
33%
Thor7077,
User Rank: Apprentice
3/1/2019 | 12:15:04 PM
Must be a user
This sounds like a user with a bad experience blaming all the cyber security experts around them. It's like a patient upset their doctor isnt specialized to treat every problem they have just because they are a 'doctor'. As you have foot doctors, you don't call them a bad doctor because they don't know how to perform heart surgery. Cyber folks aren't your one size fits all fix either, they have their strengths/specializations in some areas that just can't fix the whole entire architectures problems. This article was nothing more than a finger to point
Page 1 / 2   >   >>


Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18214
PUBLISHED: 2019-10-19
The Video_Converter app 0.1.0 for Nextcloud allows denial of service (CPU and memory consumption) via multiple concurrent conversions because many FFmpeg processes may be running at once. (The workload is not queued for serial execution.)
CVE-2019-18202
PUBLISHED: 2019-10-19
Information Disclosure is possible on WAGO Series PFC100 and PFC200 devices before FW12 due to improper access control. A remote attacker can check for the existence of paths and file names via crafted HTTP requests.
CVE-2019-18209
PUBLISHED: 2019-10-19
templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet Explorer.
CVE-2019-18198
PUBLISHED: 2019-10-18
In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.
CVE-2019-18197
PUBLISHED: 2019-10-18
In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclo...