Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Security Experts, Not Users, Are the Weakest Link
Threaded  |  Newest First  |  Oldest First
REISEN1955
0%
100%
REISEN1955,
User Rank: Ninja
3/1/2019 | 10:43:08 AM
Different category
This is argumentative if you place a user on the same platform as a security expert.  They are entirely different animals.  Some users, no matter how much education is thrown at them - and we need more of that - listen up Security experts - do NOT get it ever.  They won't.  Why?  A thousand reasons, most ignorant of the tech stuff and some just live that way.  Security experts know more than users of course but have a different realm of responsbility.  WE know not to click on an attached invoice - but put a whitelist or watchlist in front of us and we are on a different planet.  No - we are both either as weak or strong as we choose to be. 
Luna Tsee
50%
50%
Luna Tsee,
User Rank: Apprentice
3/4/2019 | 2:15:19 PM
Who is at fault?

The analogy may not be perfect but it does make a valid point. Largely the issue of security is not one of blame, though there is some.

The point is simply the people responsible for security are patching holes in a bad design. Remote user identity is a problem. And until the password as the primary identity method is replaced with a better one, the problem will remain.

Enforcing security tools like 2FA, 2SA, Recapta, long and cryptic passwords and other requirements is making the user responsible for securing the system. Thus users must expend extra efforts and conform to content producers' requirements (dongles, RSA keys, smartcards, Upper case, lower case, special symbols, at least 13 characters, but no space, or non keyboard symbols) to conduct Internet intercourse makes the user "Prove Who They Are'. That's because the systems are not yet sophisticated enough to tell a human from a machine the real you from a 'clone'.

We have driver's licenses, passports, Charge Cards. None of these places such an extrordinary level of participation in identity.

It should not be the user's responsibility to secure the systems they interact with.

That's the problem. We can argue -Who's to blame: the User or CISO? all day but that doesn't solve the problem.

REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
3/5/2019 | 3:41:41 PM
Re: Who is at fault?
Secure password - use a SHA256 hash - easy to find if you have the noted file on another computer - extremely good security but hell to work with.  Supercalifragileisticexpealidocious also works with alternative charactter approach as does it backwards. 
Luna Tsee
50%
50%
Luna Tsee,
User Rank: Apprentice
3/4/2019 | 2:21:10 PM
Who is at fault?

The analogy may not be perfect but it does make a valid point. Largely the issue of security is not one of blame, though there is some.

The point is simply the people responsible for security are patching holes in a bad design. Remote user identity is a problem. And until the password as the primary identity method is replaced with a better one, the problem will remain.

Enforcing security tools like 2FA, 2SA, Recapta, long and cryptic passwords and other requirements is making the user responsible for securing the system. Thus users must expend extra efforts and conform to content producers' requirements (dongles, RSA keys, smartcards, Upper case, lower case, special symbols, at least 13 characters, but no space, or non keyboard symbols) to conduct Internet intercourse makes the user "Prove Who They Are'. That's because the systems are not yet sophisticated enough to tell a human from a machine the real you from a 'clone'.

We have driver's licenses, passports, Charge Cards. None of these places such an extrordinary level of participation in identity.

It should not be the user's responsibility to secure the systems they interact with.

That's the problem. We can argue -Who's to blame: the User or CISO? all day but that doesn't solve the problem.

paul.dittrich
100%
0%
paul.dittrich,
User Rank: Strategist
3/1/2019 | 11:28:44 AM
A badly-flawed analogy
Using CFO or COO as an example of effectively managing people-based security risks is a flawed analogy and very unfair to CISOs / CIOs.

The CFO has a very strong and extensive set of detailed legal and regulatory requirements which codify many years (centuries?) of experience countering bad actors both internal and external.  The solutions are well known and CFOs enjoy a very high success rate of preventing or quickly detecting problems.

The COO has an alphabet soup of groups (again, based on many years of experience) to provide detailed guidance on how to mandate "safe" working conditions and processes.  And the COO is very unlikely to worry about a single human crippling or even destroying the entire company.

The CISO/CIO has much weaker legal / regulatory support to handle a threat landscape which is still rapidly evolving.  And their worst nightmare is a single user who either willfully or accidentally causes a major problem - a breach or an outage.

Nor do the CFO and COO have to worry about a CEO who never ever says "No" to a developer.....
Thor7077
67%
33%
Thor7077,
User Rank: Apprentice
3/1/2019 | 12:15:04 PM
Must be a user
This sounds like a user with a bad experience blaming all the cyber security experts around them. It's like a patient upset their doctor isnt specialized to treat every problem they have just because they are a 'doctor'. As you have foot doctors, you don't call them a bad doctor because they don't know how to perform heart surgery. Cyber folks aren't your one size fits all fix either, they have their strengths/specializations in some areas that just can't fix the whole entire architectures problems. This article was nothing more than a finger to point
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
3/4/2019 | 10:47:23 AM
Re: Must be a user!!!
i deleted my secondary comment as it was unfair but i am with a major firm in a malware forensics unit and deal with users all day long.  My real feeling is that to compare and lump users in with security pro is an unfair mirror.  Both have issues but entirely different.  i do wish that security pros would be allowed or advocated by the C-Suite to educate users more than they do. 
paul.dittrich
0%
100%
paul.dittrich,
User Rank: Strategist
3/1/2019 | 12:39:52 PM
Re: A badly-flawed analogy
Please see paragraph 4 of the original column.  Both CFO and COO are used as examples.
J3R3
100%
0%
J3R3,
User Rank: Apprentice
3/1/2019 | 1:23:17 PM
Flawed Analogy
If CFO's and COO's did not view users as the weak link in accounting and operations processes then there would not need to be consequences for users failing to follow the appropriate processes. There would also not need to be separation of duties, or cross training, or mandatory vacations. We could completely do away with audit departments and all of those government oversight positions would not exist. We have all of these things because CFO's and COO's have always known that users are the weakest link and these are the detective and preventative controls that have been created to reduce the risk inherent with having humans as employees. 

Mr. Winkler seems to be misunderstanding the meaning of "users are the weakest link."
jeffmaley
50%
50%
jeffmaley,
User Rank: Strategist
3/1/2019 | 1:45:33 PM
This column is flawed.
Users are absolutely the weakest link. You say that any COO or CFO that said that would be fired, but what we're seeing is a consistent trend towardsa automation, removing the user. Everyone agrees that people are flawed and the things they do are flawed. Pretending that's not the case is ignoring the obvious data to the contrary and waving away a valid problem. 

Your proposed solution is literally every mature information security management system. You've put forth nothing new or innovative and are instead rehashing old ideas, ideas that are tried and true but could certainly be improved. I agree that awareness programs do not go far enough, but the solution isn't to give up, the solution is to make them better. Instead of awareness programs, we should be using evangelical programs. To reach the user community, we need to do a better job of encouraging, educating, and making them cognizant of their involvement in the process. If we're excited about security, we can help them be excited about security, too.
BradleyRoss
50%
50%
BradleyRoss,
User Rank: Moderator
3/3/2019 | 7:55:47 PM
water is wet
If security management management is saying that they can't provide security as long as somebody on the system might open a phishing email, they should be fired and the ashes distributed as a warning to future management. Part of the idea of least privilege, two man rules, and other similar techniques is to limit the ability of a single action by a user to compromise the system. There should also be limits on what users can access from outside a controlled environment.

If you manage a computer system, you have to assume that two or three of the software tools are completely compromised, and you don't know which components are damaged. It's called eliminating single point of failure vulnerabilities, and identifying sections of fault trees where two or three problems can cause a disaster. Look at the design methods for nuclear reactors, aircraft, automobiles, and the handling of toxic materials.

Security is expensive

Security is not convenient

Security requires you to think

Live with it or it will kill you 
BradleyRoss
100%
0%
BradleyRoss,
User Rank: Moderator
3/3/2019 | 8:10:23 PM
Water is Wet
If security management management is saying that they can't provide security as long as somebody on the system might open a phishing email, they should be fired and the ashes distributed as a warning to future management.  Part of the idea of least privilege, two man rules, and other similar techniques is to limit the ability of a single action by a user to compromise the system.  There should also be limits on what users can access from outside a controlled environment.

If you manage a computer system, you have to assume that two or three of the software tools are completely compromised, and you don't know which xomponents are damaged.  It's called eliminating single point of failure vulnerabilities and identifying sections of fault trees where two or three problems can xause a disaster.  Look at the design methoss for nuclear reactors, aircxraft, automobiles, and the handling of toxic materials.

Security is expensive

Security is not convenient

Security requires you to think and understand

Live with it or it will kill you


DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6852
PUBLISHED: 2019-11-20
A CWE-200: Information Exposure vulnerability exists in Modicon Controllers (M340 CPUs, M340 communication modules, Premium CPUs, Premium communication modules, Quantum CPUs, Quantum communication modules - see security notification for specific versions), which could cause the disclosure of FTP har...
CVE-2019-6853
PUBLISHED: 2019-11-20
A CWE-79: Failure to Preserve Web Page Structure vulnerability exists in Andover Continuum (models 9680, 5740 and 5720, bCX4040, bCX9640, 9900, 9940, 9924 and 9702) , which could enable a successful Cross-site Scripting (XSS attack) when using the products web server.
CVE-2013-2092
PUBLISHED: 2019-11-20
Cross-site Scripting (XSS) in Dolibarr ERP/CRM 3.3.1 allows remote attackers to inject arbitrary web script or HTML in functions.lib.php.
CVE-2013-2093
PUBLISHED: 2019-11-20
Dolibarr ERP/CRM 3.3.1 does not properly validate user input in viewimage.php and barcode.lib.php which allows remote attackers to execute arbitrary commands.
CVE-2015-3166
PUBLISHED: 2019-11-20
The snprintf implementation in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 does not properly handle system-call errors, which allows attackers to obtain sensitive information or have other unspecified impact via unknown vectors, as d...