The Cybersecurity Director for NSA states: "You’ve got to design your architecture to assume the humans are humans and bad things will happen."
Do you agree with his comments or do you have different thoughts?
Many moons ago when I first started in Security, the FBI were stating that 85% of cybercrime was caused by humans.
Unfortunately, I do not think that that number has changed drastically. We do Security Awareness training, etc. but users still act before thinking.
I tend to agree. With the advent of chatbots, this will probably increase exponentially, due to the fact that they will believe anything that makes their job easier to do with greater productivity.
Who will be left to mop up the mess? Us as usual....
We do Security Awareness training, etc. but users still act before thinking.
I think that is exactly the point of the article. We keep pretending that we can make humans perfect, which has never been true. Instead, we need to shift tactics to make it easier for users to do the right thing, harder to do the wrong thing, and with reduced impact when they make a mistake.
A few quotes:
“I'm the cybersecurity director at NSA and you could absolutely craft a phishing message that would get me to click a link. You’ve got to design your architecture to assume the humans are humans and bad things will happen,” Rob Joyce, the director of cybersecurity at the NSA, said.
“The current push for secure by design is something we’ve got to apply to the cloud and it starts with secure by default. Cloud deployments are often optimized for ease of use rather than security. Those companies are getting better about the default being secure, but we’re not all the way there,” Joyce said.
I happen to agree with this. We (as an industry) have plenty of places where we can raise the bar, such as:
It reminds me of Bruce Schneier's essay on security psychology:
Along the same lines is the work on heuristics and biases by Kahneman and Tversky.
Humans make flawed judgements and focus on the wrong things in security and in doing so often forget the basics.