
8/13/2020
10:30 AM
Eric Parizo
Commentary

Black Hat USA 2020 Shines Spotlight on the Mental Challenges of Cybersecurity

Infosec practitioners face a variety of mental struggles in areas such as awareness training, problem solving, or general mental health. Several sessions at Black Hat USA 2020 highlighted these challenges and how to overcome them.

Cybersecurity success has always depended upon more than technology alone.

It requires techniques, tactics, and procedures, which in turn rely on imagination, problem-solving, and perseverance. Such mental acuities can be trained, and they can be exploited. And sometimes, the day-to-day psychological struggles of the job take their toll.

The mental aspects of cybersecurity often fail to receive the industry attention they deserve, so it was heartening that they were the focus of several fascinating sessions at Black Hat USA 2020.

Improving security awareness training with SafeMind

In a talk on evaluating and augmenting user resilience to social engineering attacks, Ben Gurion University researcher Ron Bitton highlighted how adversaries have ramped up their efforts. He noted that their techniques range well beyond phishing, and their target platforms often include mobile devices and social media networks.

With users facing an increasingly wide variety of cybersecurity threats, Bitton asserted that security awareness training often fails to prepare users for the full breadth of the threat spectrum. While a user may know how to sidestep one type of attack, according to Bitton, it is common for that same user to lack the skills to mitigate other types of attacks.

To address the problem, Bitton discussed SafeMind, an emerging methodology and accompanying automated, scalable and objective framework for continuously evaluating the resilience of users to specific types of social engineering attacks.

Bitton asserted that SafeMind improves security awareness training, namely through an ongoing effort to analyze new social engineering case studies, identify the human-factor vulnerabilities that were exploited, and teach users more effectively using broad criteria that cover more than 30 techniques.

Users aren't always thrilled about security awareness training. Attempting to instruct them on dozens of different techniques can cause them to feel overwhelmed and become disinterested. However, an approach that encourages users to understand and consider risk in all contexts when making cybersecurity-related decisions is perhaps a more realistic approach.

Solving cybersecurity, one puzzle at a time

In his session at Black Hat USA 2020, PwC UK researcher Matt Wixey shared his passion for puzzles and riddles, and how what seem like fun and games can actually train the mind to take on the problems of cybersecurity.

Wixey, who has spent more than two years creating puzzles and riddles designed specifically for cybersecurity professionals, said successful high-level cognition boils down to problem-solving skills, such as understanding the scope of a problem and determining how to reach a solution through searching or calculation.

Information security problem solving is particularly challenging, Wixey noted, because of its knowledge-rich problems, meaning they often require acquisition of knowledge from sources outside of the problem itself.

Wixey advocates the use of a wide variety of puzzles and riddles to train the mind to better solve cybersecurity problems with a variety of techniques and strategies, including how to identify various types of problem schemas, and how to weigh individual biases such as experience bias and confirmation bias.

Effective problem-solvers often share a number of common attributes: they are open-minded, think "outside the box" and take creative approaches, are willing to assimilate new information, and combine curiosity with stubbornness.

Exercising the mind is arguably just as important as exercising the body, and Wixey's gamification of problem-solving skills is a positive approach. Organizations should consider whether offering various types of puzzles and riddles can augment training, especially as a group exercise that can also build camaraderie among a team that must work together effectively to achieve successful outcomes.

A different kind of front-line worker

Despite the many positive and rewarding aspects of a career in cybersecurity, it can also take its toll.

In his Black Hat USA 2020 session, Securosis CEO and analyst Rich Mogull shared how lessons from his 20-plus-year career as a paramedic and emergency first responder have helped him learn how to overcome the mental and emotional challenges cybersecurity professionals face.

Cybersecurity and emergency medicine actually have quite a bit in common, Mogull said, such as highly technical requirements, rigorous training, high-pressure decision making, and the need for ongoing education.

Not surprisingly, Mogull added, workers in both fields face huge problems related to mental health, and specifically burnout. He said that in cybersecurity, like emergency medicine, the job is never done. Over time, facing the same challenges repeatedly makes workers feel like they are pushing a heavy boulder uphill, but can never reach the top.

Mogull said it is common for new cybersecurity practitioners to be highly enthusiastic in the first few years of their careers, excited by the challenge and eager to learn new skills, only to feel burned out a few years later.

For those earlier in their careers, Mogull advised identifying good role models with a positive mindset, and avoiding poor "Han Solo" types who have rigid thinking, a lack of empathy, and a survival mindset due to burnout.

In addition, he recommended internalizing key processes and procedures by relying on checklists to avoid mistakes, embracing the positive side of challenges through the opportunity to learn continuously, and fighting against biases such as blaming the user who unknowingly clicks on that phishing URL.

Mogull also strongly advocated for the importance of mindfulness and process as the foundation of good mental health. That includes exercise, a good diet, and getting enough sleep; building a peer-support system that can help in tough times; and contributing to a positive workplace culture where fun is OK, vacations are encouraged, and toxic attitudes are addressed and avoided.

Indeed, cybersecurity's mental challenges aren't going away. And at a time when the combination of economic, health, and other societal stressors often seems overwhelming, the cybersecurity industry must continue to emphasize the importance of mental health. Talking about it openly and regularly will reduce the stigmas associated with it and reinforce the importance of good mental health practices, as well as getting help when needed.

Kudos to Black Hat USA 2020 and its presenters for all of these sessions. They are a good start. Let's keep it going.

Eric Parizo supports Omdia's Cybersecurity Accelerator, its research practice supporting vendor, service provider, and enterprise clients in the area of enterprise cybersecurity. Eric covers global cybersecurity trends and top-tier vendors in North America. He has been ...
