@dcontesti wrote:
We do Security Awareness training, etc. but users still act before thinking.
I think that is exactly the point of the article. We keep pretending that we can make humans perfect, which has never been true. Instead, we need to shift tactics to make it easier for users to do the right thing, harder to do the wrong thing, and with reduced impact when they make a mistake.
A few quotes:
““I'm the cybersecurity director at NSA and you could absolutely craft a phishing message that would get me to click a link. You’ve got to design your architecture to assume the humans are humans and bad things will happen,” Rob Joyce, the director of cybersecurity at the NSA, said”
“The current push for secure by design is something we’ve got to apply to the cloud and it starts with secure by default. Cloud deployments are often optimized for ease of use rather than security. Those companies are getting better about the default being secure, but we’re not all the way there,” Joyce said.
I happen to agree with this. We (as an industry) have plenty of places where we can raise the bar, such as:
- Flag emails that have not been cryptographically signed and disable any embedded links.
- Increase dependency on tamper-resistant-MFA and password-less authentication, especially when being used from an unfamiliar location.
- Develop methods to positively identify the other party when money changes hands, including disclosure of the address to which legal notice can be served.
- Reduce the cost of extended validation certificates to encourage their adoption.
- Require a site to have an EV cert before passwords, credit cards or PII can be entered in the browser.
- Require executables to have been signed with an EV certificate.
- Secure the browser to server channel against MITM. Not just Adversary-in-the-middle, but anyone-in-the-middle, including administrator-in-the-middle.
