The Weakest Link Revisited (E042, 2024-11-13)
A Bit of Security for November 13, 2024
Too often we still hear people echoing one of the most pernicious phrases in cybersecurity: "the user is the weakest link." My colleague Jonathan Care recently posted a helpful, insightful essay that casts new light on the issue. Titled "Insider Threats are the New Black: When Your Trusted Employees Go Rogue", it appears on LinkedIn and at the CISO Intelligence .co URL.
To recap my argument: there are two ways code develops a security problem. Either there is a bug in the code, or there is a defect in the user interface. I reject the "weakest link" insult on exactly those grounds: if a piece of software leads me into a bad choice, the bug is in the interface, not in the user. A user interface designer must account for the user experience and make sure that the user's possible interpretations and actions have been properly anticipated.
For reference, consider how cars evolved over the past few decades. In the 1950s and before, mechanics and automotive designers liked to say that the least reliable part of the car was "the nut behind the wheel": crashes were the driver's fault. Only after Ralph Nader published "Unsafe at Any Speed" in 1965 did product liability lawsuits against auto manufacturers gain real traction in the US, which eventually led the manufacturers to ask for a set of standards that would define safety. By conforming to those standards, the reasoning went, cars would be shielded from liability.
Now we have cars that sound an alarm if you try to drive without wearing your seat belt, and there are additional capabilities that can keep an intoxicated driver from operating the vehicle at all. But what if a driver wants to do something intentionally dangerous? That is where Jonathan's article fills the gap. You cannot design a car that drives safely through a building, and you cannot write software that stops an authorized user from deliberately doing something wrong. That user is an insider threat.
We need to reduce code defects. We need to make user authentication reliable, so that a bad actor cannot trick a user into giving up control of their environment. But if the authenticated user is the bad actor, there isn't much the software can do. In that case the weak link isn't the user; it is the HR department that didn't vet the individual properly, the supervisor who failed to notice what the individual was doing, and the business processes that failed to put separation-of-duties protections around the most valuable assets.
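Separation of duties is the one control in that list that software can actually enforce, so here is an added example of what it looks like in code. This is not code from the original post or from Jonathan Care's article; the action names, role names, user identifiers and the two-approver threshold are assumptions chosen for illustration. The point it demonstrates is the one the paragraph makes: the software never decides whether the requester is trustworthy, it only refuses to let a single authenticated identity both request and approve a high-value action.

```python
"""Minimal separation-of-duties (four-eyes) check for high-value actions.

Added illustration, not the post's own code. Action names, roles, user ids
and the required approver count are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, FrozenSet, List

# Constructed set of actions that must never run on one person's say-so.
HIGH_VALUE_ACTIONS = frozenset({"wire_transfer", "rotate_root_key", "export_customer_db"})
REQUIRED_APPROVALS = 2  # assumed policy: two independent approvers

# Constructed append-only audit trail; a real system would ship this off-host
# so the insider cannot edit the record of their own actions.
AUDIT_LOG: List[str] = []


class SoDViolation(Exception):
    """Raised when a request would collapse duties onto one identity."""


@dataclass(frozen=True)
class User:
    uid: str
    roles: FrozenSet[str]


@dataclass
class Request:
    action: str
    requester: User
    approvals: List[User] = field(default_factory=list)


def approve(req: Request, approver: User) -> int:
    """Record an approval; returns the approval count after the check passes."""
    if approver.uid == req.requester.uid:
        raise SoDViolation(f"{approver.uid} cannot approve their own {req.action}")
    if "approver" not in approver.roles:
        raise SoDViolation(f"{approver.uid} does not hold the approver role")
    if any(a.uid == approver.uid for a in req.approvals):
        raise SoDViolation(f"{approver.uid} already approved this request")
    req.approvals.append(approver)
    AUDIT_LOG.append(f"APPROVE {req.action} by {approver.uid} for {req.requester.uid}")
    return len(req.approvals)


def execute(req: Request) -> str:
    """Run the action only if the separation-of-duties quorum is satisfied."""
    if req.action in HIGH_VALUE_ACTIONS and len(req.approvals) < REQUIRED_APPROVALS:
        raise SoDViolation(
            f"{req.action} needs {REQUIRED_APPROVALS} approvals, has {len(req.approvals)}"
        )
    AUDIT_LOG.append(f"EXECUTE {req.action} by {req.requester.uid}")
    return f"executed {req.action}"


def violates(fn: Callable, *args) -> bool:
    """True if calling fn(*args) is rejected by the separation-of-duties check."""
    try:
        fn(*args)
    except SoDViolation:
        return True
    return False


# Constructed users. Note alice holds the approver role, which is exactly the
# case the self-approval check exists for.
alice = User("alice", frozenset({"finance", "approver"}))
bob = User("bob", frozenset({"approver"}))
carol = User("carol", frozenset({"finance"}))
dave = User("dave", frozenset({"approver"}))


def demo() -> dict:
    """Walk one wire transfer through the control and report each outcome."""
    req = Request("wire_transfer", requester=alice)
    return {
        "self_approval_blocked": violates(approve, req, alice),
        "unprivileged_approver_blocked": violates(approve, req, carol),
        "single_approval_insufficient": (approve(req, bob) == 1) and violates(execute, req),
        "duplicate_approval_blocked": violates(approve, req, bob),
        "quorum_reached": approve(req, dave) == 2,
        "result": execute(req),
        "low_value_needs_no_quorum": execute(Request("read_own_profile", requester=carol)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
    print("\n".join(AUDIT_LOG))
```

Two design choices matter here. The self-approval check is keyed on identity, not on role, so giving the requester the approver role (as alice has) does not let them bypass it; and the quorum is checked at execution time rather than at approval time, so a request that gathers approvals and then sits idle still cannot run with fewer than the required number. Neither check stops a requester and two approvers from colluding, which is the residual risk the post assigns to vetting and supervision rather than to software.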
My colleague Jonathan Care recently published a piece on the Insider Threat which completes an argument I’ve been working on for quite a while. Listen to this -
Let me know what you think in the comments below or at wjmalik@noc.social
#cybersecuritytips #privacy #AILaw #socialmedia #resilience #BitofSec