Caute_cautim
Community Champion

Thought of the day

Hi All

The Cybersecurity Director for NSA states:  "You’ve got to design your architecture to assume the humans are humans and bad things will happen."

Do you agree with his comments or do you have different thoughts?

https://duo.com/decipher/assume-the-humans-are-human-and-bad-things-will-happen

Regards

Caute_Cautim

4 Replies
dcontesti
Community Champion

Many moons ago when I first started in Security, the FBI were stating that 85% of cybercrime was caused by humans. 

Unfortunately, I do not think that that number has changed drastically. We do Security Awareness training, etc., but users still act before thinking.

my thoughts

d

Caute_cautim
Community Champion

@dcontesti 

I tend to agree; with the advent of chatbots, this will probably increase exponentially, because people will believe anything that makes their job easier to do with greater productivity.

Who will be left to mop up the mess? Us, as usual....

Regards

Caute_Cautim

denbesten
Community Champion


@dcontesti wrote:

 We do Security Awareness training, etc. but users still act before thinking.

I think that is exactly the point of the article. We keep pretending that we can make humans perfect, which has never been true. Instead, we need to shift tactics to make it easier for users to do the right thing, harder to do the wrong thing, and with reduced impact when they make a mistake.

A few quotes:

“I'm the cybersecurity director at NSA and you could absolutely craft a phishing message that would get me to click a link. You’ve got to design your architecture to assume the humans are humans and bad things will happen,” Rob Joyce, the director of cybersecurity at the NSA, said.

“The current push for secure by design is something we’ve got to apply to the cloud and it starts with secure by default. Cloud deployments are often optimized for ease of use rather than security. Those companies are getting better about the default being secure, but we’re not all the way there,” Joyce said.

I happen to agree with this. We (as an industry) have plenty of places where we can raise the bar, such as:

  1. Flag emails that have not been cryptographically signed and disable any embedded links.
  2. Increase dependency on tamper-resistant-MFA and password-less authentication, especially when being used from an unfamiliar location.
  3. Develop methods to positively identify the other party when money changes hands, including disclosure of the address to which legal notice can be served.
  4. Reduce the cost of extended validation certificates to encourage their adoption.
  5. Require a site to have an EV cert before passwords, credit cards or PII can be entered in the browser.
  6. Require executables to have been signed with an EV certificate.
  7. Secure the browser-to-server channel against MITM. Not just adversary-in-the-middle, but anyone-in-the-middle, including administrator-in-the-middle.
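As a worked illustration of item 1 in the list above (flag unsigned mail and disable its links), here is a small Python sketch of the receiving-side policy. It is an added example, not code from the thread or from any of the posters. Assumptions not in the post: our own inbound MTA stamps an Authentication-Results header with authserv-id "mx.example.net" (any other authserv-id is ignored, since a sender can trivially add a forged "dkim=pass" header of their own); a message counts as signed if it is S/MIME (multipart/signed) or carries a DKIM pass whose signing domain aligns with the From: domain, DMARC-style; and the three sample messages are constructed for the demo.

```python
"""Flag unsigned mail and neutralise its links (added example, not from the thread)."""
import email
import email.utils
import re
from email import policy

TRUSTED_AUTHSERV = "mx.example.net"  # assumption: authserv-id our own MTA stamps

LINK_RE = re.compile(r"<a\b[^>]*>(.*?)</a>", re.I | re.S)
URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+", re.I)


def from_domain(msg):
    """Domain of the RFC 5322 From: address, lower-cased ('' if absent)."""
    _, addr = email.utils.parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def is_signed(msg):
    """True for S/MIME, or for a DKIM pass stamped by OUR MTA and aligned with From:."""
    if msg.get_content_type() == "multipart/signed":
        return True
    fd = from_domain(msg)
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, results = str(hdr).partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # not stamped by us: possibly attacker-supplied, ignore it
        for m in re.finditer(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", results, re.I):
            d = m.group(1).lower()
            if fd and (d == fd or fd.endswith("." + d)):  # relaxed alignment
                return True
    return False


def disable_links(body, html):
    """Strip <a> wrappers (HTML) and defang bare URLs so nothing is clickable."""
    if html:
        body = LINK_RE.sub(lambda m: f"{m.group(1)} [link disabled]", body)
    return URL_RE.sub(
        lambda m: m.group(0).replace("://", "[:]//").replace("http", "hxxp", 1), body
    )


def process(raw):
    """Return the signed verdict plus each text part, links disabled when unsigned."""
    msg = email.message_from_string(raw, policy=policy.default)
    signed = is_signed(msg)
    parts = {}
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            text = part.get_content()
            parts[ctype] = text if signed else disable_links(text, ctype == "text/html")
    return {"signed": signed, "parts": parts}


# Constructed sample messages (not real mail).
UNSIGNED = """\
From: "IT Helpdesk" <helpdesk@examp1e.com>
To: user@example.net
Subject: Password expiry
Content-Type: text/html; charset="utf-8"

<p>Your password expires today. <a href="http://examp1e.com/reset">Reset it now</a></p>
"""

SIGNED = """\
Authentication-Results: mx.example.net; dkim=pass header.d=example.com header.i=@example.com
From: "IT Helpdesk" <helpdesk@example.com>
To: user@example.net
Subject: Password expiry
Content-Type: text/plain; charset="utf-8"

Reset at https://sso.example.com/reset
"""

# Sender-injected "pass" from an authserv-id that is not ours: must be ignored.
FORGED = """\
Authentication-Results: attacker.example; dkim=pass header.d=examp1e.com
From: "IT Helpdesk" <helpdesk@examp1e.com>
To: user@example.net
Subject: Password expiry
Content-Type: text/plain; charset="utf-8"

Reset at https://examp1e.com/reset
"""

if __name__ == "__main__":
    for name, raw in (("UNSIGNED", UNSIGNED), ("SIGNED", SIGNED), ("FORGED", FORGED)):
        r = process(raw)
        print(name, "signed" if r["signed"] else "UNSIGNED: links disabled", r["parts"])
```

The point of the FORGED sample is the caveat a mail-flow engineer would raise: a "dkim=pass" result is only worth anything if it came from your own verifier, so the authserv-id check is not optional. Real DKIM verification (fetching the selector's public key, checking the body hash) is left to the MTA here; this code only acts on the verdict it stamps.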
Steve-Wilme
Advocate II

It reminds me of Bruce Schneier's essay on security psychology:

https://www.schneier.com/essays/archives/2007/05/psychology_of_securi.html

Along the same lines is the work on heuristics and biases by Kahneman and Tversky.

Humans make flawed judgements and focus on the wrong things in security and in doing so often forget the basics.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS