Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Security Experts, Not Users, Are the Weakest Link
Threaded  |  Newest First  |  Oldest First
REISEN1955
0%
100%
REISEN1955,
User Rank: Ninja
3/1/2019 | 10:43:08 AM
Different category
This is argumentative if you place a user on the same platform as a security expert.  They are entirely different animals.  Some users, no matter how much education is thrown at them - and we need more of that - listen up Security experts - do NOT get it ever.  They won't.  Why?  A thousand reasons, most ignorant of the tech stuff and some just live that way.  Security experts know more than users of course but have a different realm of responsbility.  WE know not to click on an attached invoice - but put a whitelist or watchlist in front of us and we are on a different planet.  No - we are both either as weak or strong as we choose to be. 
Luna Tsee
50%
50%
Luna Tsee,
User Rank: Apprentice
3/4/2019 | 2:15:19 PM
Who is at fault?

The analogy may not be perfect but it does make a valid point. Largely the issue of security is not one of blame, though there is some.

The point is simply the people responsible for security are patching holes in a bad design. Remote user identity is a problem. And until the password as the primary identity method is replaced with a better one, the problem will remain.

Enforcing security tools like 2FA, 2SA, Recapta, long and cryptic passwords and other requirements is making the user responsible for securing the system. Thus users must expend extra efforts and conform to content producers' requirements (dongles, RSA keys, smartcards, Upper case, lower case, special symbols, at least 13 characters, but no space, or non keyboard symbols) to conduct Internet intercourse makes the user "Prove Who They Are'. That's because the systems are not yet sophisticated enough to tell a human from a machine the real you from a 'clone'.

We have driver's licenses, passports, Charge Cards. None of these places such an extrordinary level of participation in identity.

It should not be the user's responsibility to secure the systems they interact with.

That's the problem. We can argue -Who's to blame: the User or CISO? all day but that doesn't solve the problem.

REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
3/5/2019 | 3:41:41 PM
Re: Who is at fault?
Secure password - use a SHA256 hash - easy to find if you have the noted file on another computer - extremely good security but hell to work with.  Supercalifragileisticexpealidocious also works with alternative charactter approach as does it backwards. 
Luna Tsee
50%
50%
Luna Tsee,
User Rank: Apprentice
3/4/2019 | 2:21:10 PM
Who is at fault?

The analogy may not be perfect but it does make a valid point. Largely the issue of security is not one of blame, though there is some.

The point is simply the people responsible for security are patching holes in a bad design. Remote user identity is a problem. And until the password as the primary identity method is replaced with a better one, the problem will remain.

Enforcing security tools like 2FA, 2SA, Recapta, long and cryptic passwords and other requirements is making the user responsible for securing the system. Thus users must expend extra efforts and conform to content producers' requirements (dongles, RSA keys, smartcards, Upper case, lower case, special symbols, at least 13 characters, but no space, or non keyboard symbols) to conduct Internet intercourse makes the user "Prove Who They Are'. That's because the systems are not yet sophisticated enough to tell a human from a machine the real you from a 'clone'.

We have driver's licenses, passports, Charge Cards. None of these places such an extrordinary level of participation in identity.

It should not be the user's responsibility to secure the systems they interact with.

That's the problem. We can argue -Who's to blame: the User or CISO? all day but that doesn't solve the problem.

paul.dittrich
100%
0%
paul.dittrich,
User Rank: Strategist
3/1/2019 | 11:28:44 AM
A badly-flawed analogy
Using CFO or COO as an example of effectively managing people-based security risks is a flawed analogy and very unfair to CISOs / CIOs.

The CFO has a very strong and extensive set of detailed legal and regulatory requirements which codify many years (centuries?) of experience countering bad actors both internal and external.  The solutions are well known and CFOs enjoy a very high success rate of preventing or quickly detecting problems.

The COO has an alphabet soup of groups (again, based on many years of experience) to provide detailed guidance on how to mandate "safe" working conditions and processes.  And the COO is very unlikely to worry about a single human crippling or even destroying the entire company.

The CISO/CIO has much weaker legal / regulatory support to handle a threat landscape which is still rapidly evolving.  And their worst nightmare is a single user who either willfully or accidentally causes a major problem - a breach or an outage.

Nor do the CFO and COO have to worry about a CEO who never ever says "No" to a developer.....
Thor7077
67%
33%
Thor7077,
User Rank: Apprentice
3/1/2019 | 12:15:04 PM
Must be a user
This sounds like a user with a bad experience blaming all the cyber security experts around them. It's like a patient upset their doctor isnt specialized to treat every problem they have just because they are a 'doctor'. As you have foot doctors, you don't call them a bad doctor because they don't know how to perform heart surgery. Cyber folks aren't your one size fits all fix either, they have their strengths/specializations in some areas that just can't fix the whole entire architectures problems. This article was nothing more than a finger to point
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
3/4/2019 | 10:47:23 AM
Re: Must be a user!!!
i deleted my secondary comment as it was unfair but i am with a major firm in a malware forensics unit and deal with users all day long.  My real feeling is that to compare and lump users in with security pro is an unfair mirror.  Both have issues but entirely different.  i do wish that security pros would be allowed or advocated by the C-Suite to educate users more than they do. 
paul.dittrich
0%
100%
paul.dittrich,
User Rank: Strategist
3/1/2019 | 12:39:52 PM
Re: A badly-flawed analogy
Please see paragraph 4 of the original column.  Both CFO and COO are used as examples.
J3R3
100%
0%
J3R3,
User Rank: Apprentice
3/1/2019 | 1:23:17 PM
Flawed Analogy
If CFO's and COO's did not view users as the weak link in accounting and operations processes then there would not need to be consequences for users failing to follow the appropriate processes. There would also not need to be separation of duties, or cross training, or mandatory vacations. We could completely do away with audit departments and all of those government oversight positions would not exist. We have all of these things because CFO's and COO's have always known that users are the weakest link and these are the detective and preventative controls that have been created to reduce the risk inherent with having humans as employees. 

Mr. Winkler seems to be misunderstanding the meaning of "users are the weakest link."
jeffmaley
50%
50%
jeffmaley,
User Rank: Strategist
3/1/2019 | 1:45:33 PM
This column is flawed.
Users are absolutely the weakest link. You say that any COO or CFO that said that would be fired, but what we're seeing is a consistent trend towardsa automation, removing the user. Everyone agrees that people are flawed and the things they do are flawed. Pretending that's not the case is ignoring the obvious data to the contrary and waving away a valid problem. 

Your proposed solution is literally every mature information security management system. You've put forth nothing new or innovative and are instead rehashing old ideas, ideas that are tried and true but could certainly be improved. I agree that awareness programs do not go far enough, but the solution isn't to give up, the solution is to make them better. Instead of awareness programs, we should be using evangelical programs. To reach the user community, we need to do a better job of encouraging, educating, and making them cognizant of their involvement in the process. If we're excited about security, we can help them be excited about security, too.
BradleyRoss
50%
50%
BradleyRoss,
User Rank: Moderator
3/3/2019 | 7:55:47 PM
water is wet
If security management management is saying that they can't provide security as long as somebody on the system might open a phishing email, they should be fired and the ashes distributed as a warning to future management. Part of the idea of least privilege, two man rules, and other similar techniques is to limit the ability of a single action by a user to compromise the system. There should also be limits on what users can access from outside a controlled environment.

If you manage a computer system, you have to assume that two or three of the software tools are completely compromised, and you don't know which components are damaged. It's called eliminating single point of failure vulnerabilities, and identifying sections of fault trees where two or three problems can cause a disaster. Look at the design methods for nuclear reactors, aircraft, automobiles, and the handling of toxic materials.

Security is expensive

Security is not convenient

Security requires you to think

Live with it or it will kill you 
BradleyRoss
100%
0%
BradleyRoss,
User Rank: Moderator
3/3/2019 | 8:10:23 PM
Water is Wet
If security management management is saying that they can't provide security as long as somebody on the system might open a phishing email, they should be fired and the ashes distributed as a warning to future management.  Part of the idea of least privilege, two man rules, and other similar techniques is to limit the ability of a single action by a user to compromise the system.  There should also be limits on what users can access from outside a controlled environment.

If you manage a computer system, you have to assume that two or three of the software tools are completely compromised, and you don't know which xomponents are damaged.  It's called eliminating single point of failure vulnerabilities and identifying sections of fault trees where two or three problems can xause a disaster.  Look at the design methoss for nuclear reactors, aircxraft, automobiles, and the handling of toxic materials.

Security is expensive

Security is not convenient

Security requires you to think and understand

Live with it or it will kill you


AI Is Everywhere, but Don't Ignore the Basics
Howie Xu, Vice President of AI and Machine Learning at Zscaler,  9/10/2019
Fed Kaspersky Ban Made Permanent by New Rules
Dark Reading Staff 9/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-4147
PUBLISHED: 2019-09-16
IBM Sterling File Gateway 2.2.0.0 through 6.0.1.0 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 158413.
CVE-2019-5481
PUBLISHED: 2019-09-16
Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.
CVE-2019-5482
PUBLISHED: 2019-09-16
Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.
CVE-2019-15741
PUBLISHED: 2019-09-16
An issue was discovered in GitLab Omnibus 7.4 through 12.2.1. An unsafe interaction with logrotate could result in a privilege escalation
CVE-2019-16370
PUBLISHED: 2019-09-16
The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which might allow an attacker to replace an artifact with a different one that has the same SHA-1 message digest, a related issue to CVE-2005-4900.