Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Security Experts, Not Users, Are the Weakest Link
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
3/5/2019 | 3:41:41 PM
Re: Who is at fault?
Secure password - use a SHA256 hash - easy to find if you have the noted file on another computer - extremely good security but hell to work with.  Supercalifragileisticexpealidocious also works with alternative charactter approach as does it backwards. 
Luna Tsee
50%
50%
Luna Tsee,
User Rank: Apprentice
3/4/2019 | 2:21:10 PM
Who is at fault?

The analogy may not be perfect but it does make a valid point. Largely the issue of security is not one of blame, though there is some.

The point is simply the people responsible for security are patching holes in a bad design. Remote user identity is a problem. And until the password as the primary identity method is replaced with a better one, the problem will remain.

Enforcing security tools like 2FA, 2SA, Recapta, long and cryptic passwords and other requirements is making the user responsible for securing the system. Thus users must expend extra efforts and conform to content producers' requirements (dongles, RSA keys, smartcards, Upper case, lower case, special symbols, at least 13 characters, but no space, or non keyboard symbols) to conduct Internet intercourse makes the user "Prove Who They Are'. That's because the systems are not yet sophisticated enough to tell a human from a machine the real you from a 'clone'.

We have driver's licenses, passports, Charge Cards. None of these places such an extrordinary level of participation in identity.

It should not be the user's responsibility to secure the systems they interact with.

That's the problem. We can argue -Who's to blame: the User or CISO? all day but that doesn't solve the problem.

Luna Tsee
50%
50%
Luna Tsee,
User Rank: Apprentice
3/4/2019 | 2:15:19 PM
Who is at fault?

The analogy may not be perfect but it does make a valid point. Largely the issue of security is not one of blame, though there is some.

The point is simply the people responsible for security are patching holes in a bad design. Remote user identity is a problem. And until the password as the primary identity method is replaced with a better one, the problem will remain.

Enforcing security tools like 2FA, 2SA, Recapta, long and cryptic passwords and other requirements is making the user responsible for securing the system. Thus users must expend extra efforts and conform to content producers' requirements (dongles, RSA keys, smartcards, Upper case, lower case, special symbols, at least 13 characters, but no space, or non keyboard symbols) to conduct Internet intercourse makes the user "Prove Who They Are'. That's because the systems are not yet sophisticated enough to tell a human from a machine the real you from a 'clone'.

We have driver's licenses, passports, Charge Cards. None of these places such an extrordinary level of participation in identity.

It should not be the user's responsibility to secure the systems they interact with.

That's the problem. We can argue -Who's to blame: the User or CISO? all day but that doesn't solve the problem.

REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
3/4/2019 | 10:47:23 AM
Re: Must be a user!!!
i deleted my secondary comment as it was unfair but i am with a major firm in a malware forensics unit and deal with users all day long.  My real feeling is that to compare and lump users in with security pro is an unfair mirror.  Both have issues but entirely different.  i do wish that security pros would be allowed or advocated by the C-Suite to educate users more than they do. 
BradleyRoss
100%
0%
BradleyRoss,
User Rank: Moderator
3/3/2019 | 8:10:23 PM
Water is Wet
If security management management is saying that they can't provide security as long as somebody on the system might open a phishing email, they should be fired and the ashes distributed as a warning to future management.  Part of the idea of least privilege, two man rules, and other similar techniques is to limit the ability of a single action by a user to compromise the system.  There should also be limits on what users can access from outside a controlled environment.

If you manage a computer system, you have to assume that two or three of the software tools are completely compromised, and you don't know which xomponents are damaged.  It's called eliminating single point of failure vulnerabilities and identifying sections of fault trees where two or three problems can xause a disaster.  Look at the design methoss for nuclear reactors, aircxraft, automobiles, and the handling of toxic materials.

Security is expensive

Security is not convenient

Security requires you to think and understand

Live with it or it will kill you
BradleyRoss
50%
50%
BradleyRoss,
User Rank: Moderator
3/3/2019 | 7:55:47 PM
water is wet
If security management management is saying that they can't provide security as long as somebody on the system might open a phishing email, they should be fired and the ashes distributed as a warning to future management. Part of the idea of least privilege, two man rules, and other similar techniques is to limit the ability of a single action by a user to compromise the system. There should also be limits on what users can access from outside a controlled environment.

If you manage a computer system, you have to assume that two or three of the software tools are completely compromised, and you don't know which components are damaged. It's called eliminating single point of failure vulnerabilities, and identifying sections of fault trees where two or three problems can cause a disaster. Look at the design methods for nuclear reactors, aircraft, automobiles, and the handling of toxic materials.

Security is expensive

Security is not convenient

Security requires you to think

Live with it or it will kill you 
jeffmaley
50%
50%
jeffmaley,
User Rank: Strategist
3/1/2019 | 1:45:33 PM
This column is flawed.
Users are absolutely the weakest link. You say that any COO or CFO that said that would be fired, but what we're seeing is a consistent trend towardsa automation, removing the user. Everyone agrees that people are flawed and the things they do are flawed. Pretending that's not the case is ignoring the obvious data to the contrary and waving away a valid problem. 

Your proposed solution is literally every mature information security management system. You've put forth nothing new or innovative and are instead rehashing old ideas, ideas that are tried and true but could certainly be improved. I agree that awareness programs do not go far enough, but the solution isn't to give up, the solution is to make them better. Instead of awareness programs, we should be using evangelical programs. To reach the user community, we need to do a better job of encouraging, educating, and making them cognizant of their involvement in the process. If we're excited about security, we can help them be excited about security, too.
J3R3
100%
0%
J3R3,
User Rank: Apprentice
3/1/2019 | 1:23:17 PM
Flawed Analogy
If CFO's and COO's did not view users as the weak link in accounting and operations processes then there would not need to be consequences for users failing to follow the appropriate processes. There would also not need to be separation of duties, or cross training, or mandatory vacations. We could completely do away with audit departments and all of those government oversight positions would not exist. We have all of these things because CFO's and COO's have always known that users are the weakest link and these are the detective and preventative controls that have been created to reduce the risk inherent with having humans as employees. 

Mr. Winkler seems to be misunderstanding the meaning of "users are the weakest link."
paul.dittrich
0%
100%
paul.dittrich,
User Rank: Strategist
3/1/2019 | 12:39:52 PM
Re: A badly-flawed analogy
Please see paragraph 4 of the original column.  Both CFO and COO are used as examples.
Thor7077
67%
33%
Thor7077,
User Rank: Apprentice
3/1/2019 | 12:15:04 PM
Must be a user
This sounds like a user with a bad experience blaming all the cyber security experts around them. It's like a patient upset their doctor isnt specialized to treat every problem they have just because they are a 'doctor'. As you have foot doctors, you don't call them a bad doctor because they don't know how to perform heart surgery. Cyber folks aren't your one size fits all fix either, they have their strengths/specializations in some areas that just can't fix the whole entire architectures problems. This article was nothing more than a finger to point
Page 1 / 2   >   >>


Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: George has not accepted that the technology age has come to an end.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-26814
PUBLISHED: 2021-03-06
Wazuh API in Wazuh from 4.0.0 to 4.0.3 allows authenticated users to execute arbitrary code with administrative privileges via /manager/files URI. An authenticated user to the service may exploit incomplete input validation on the /manager/files API to inject arbitrary code within the API service sc...
CVE-2021-27581
PUBLISHED: 2021-03-05
The Blog module in Kentico CMS 5.5 R2 build 5.5.3996 allows SQL injection via the tagname parameter.
CVE-2021-28042
PUBLISHED: 2021-03-05
Deutsche Post Mailoptimizer 4.3 before 2020-11-09 allows Directory Traversal via a crafted ZIP archive to the Upload feature or the MO Connect component. This can lead to remote code execution.
CVE-2021-28041
PUBLISHED: 2021-03-05
ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.
CVE-2021-3377
PUBLISHED: 2021-03-05
The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0.