Endpoint

2/27/2018
02:30 PM
Peter Hesse
Peter Hesse
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Security Starts with the User Experience

Preventing a data breach is safer and more cost-effective than dealing with a breach after it has already happened. That means a focus on security in the design phase.

In a 1912 poem by Joseph Malins, a village debates how best to deal with a dangerous cliff. The town is torn over the decision whether to build a fence around the edge of the cliff or place an ambulance down in the valley. The townspeople decide to fund an ambulance, until a wise man suggests a preventative approach:

Then an old sage remarked, "It's a marvel to me
that people give far more attention
to repairing results than to stopping the cause, 
when they'd much better aim at prevention."

There's no question that preventing a data breach is much safer and more cost-effective than dealing with a breach after it has already occurred. Implementing specialized tools and tactics for data breach response is reactive, like funding the ambulance in the valley. Many breaches, both accidental ones based on user error and malicious attacks, could have been avoided had companies thought about security in the product design phase — if there had only been a "fence" built into the user experience.

The most recent example can be seen in the missile alert that was incorrectly sent to Hawaiians in January 2018. An investigation into the incident determined "that insufficient management controls, poor computer software design and human factors contributed" to the alert and a delayed correction message. While it is impossible to say that the situation could have been totally avoided, a design that deterred sending out actual alerts could have made quite a difference. What might have happened if after the employee had clicked to send the alert, he was prompted with a second step to acknowledge the gravity of his actions, or if a supervisor's approval was required? Changing the user experience could have helped prevent this unintended scare.

Another recent breach that could have been avoided or lessened by secure design is the 2017 Republican National Committee data breach, when it was discovered that a database containing personal details of more than 198 million American voters was exposed. The data was left unprotected after a software upgrade, when the analytics company storing files containing the information failed to re-enable password protection.

As with most breaches, there were numerous failures in this situation. This large amount of sensitive information deserved better protection than a simple website password as its defense. The fact that the upgrade required the password protection to be removed is bad; the fact that the upgrade didn't notify IT personnel to re-enable it is worse. Additionally, the ideal design would have separated the names of the voters from their information altogether.

According to the 2017 Beazley Breach Insights report, unintended disclosures were the cause of a shocking 42% of healthcare-related breaches. These breaches typically are caused by employee error, such as misdirected faxes or improperly released discharge papers. As these processes increasingly are done digitally, properly designed user interfaces can help to reduce or eliminate human error. Additionally, they can warn individuals of risky behaviors before they happen. Imagine seeing a warning that said "You are about to export 135 medical records without encryption. Disclosure of this file could result in up to $6.75 million of HIPAA fines. Do you want to continue?"

Opportunities to protect information in advance arise every day, and not only in the situations involving publicized failures. Consider, for example, an application to help accountants prepare their clients' taxes. This app would collect tax information and store tax returns for easy access. The app should make it very easy for the accountant to search for and view relevant information. However, the application should be designed in a way that makes it very difficult to download an Excel sheet documenting all their clients' Social Security numbers and income. Instead of a simple export button, the designer could implement an approval process, or it could just be difficult to aggregate such information. It would also make sense to warn the user before sensitive information is downloaded in bulk — and inform supervisory personnel as well. The goal for the designer is to give an incentive for safe and secure use, and mitigate or prevent system abuse.

Real and hypothetical situations to protect information with better user experience exist across all industries and types of systems. It is easy to show how a design flaw could create a crisis, while prudent design could prevent or minimize the likelihood of one. The best mechanism to prevent these crises is at the design stage. Developers must always consider making it easier for individuals to do the safer activities, and harder for them to do the unsafe ones. Take the advice of the sage and spend the time to build the fence, rather than calling for an ambulance later.

Related Content:

 

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

For nearly two decades, Peter Hesse has leveraged his passion for technology and experience in security to develop successful solutions to interesting problems. From an exciting start developing the reference implementation of a standards-based certification authority for the ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
BrianN060
50%
50%
BrianN060,
User Rank: Ninja
2/28/2018 | 11:36:01 AM
Security Starts with the User Experience
@Michael: "...companies think that users with legitimate access to sensitive data are the biggest risk..." The problem is that any data might become "sensitive data" when combined with other data; and that other data might not be considered "sensitive" either, and doesn't have to be from the same data source. 

@Peter: You raise some good points, including the need to emphasize prevention over remediation.  Changing attitudes and practices in application development won't be easy; and there are limitations to the effectiveness of safeguards at the application-user experience level (they really belong closer to the data).  Partly that's the inherent problem of anticipating all of the ways user interaction might compromise security - when you think you've thought of everything, someone will surprise you (usually by doing something very clever or unimaginably dumb).  Also, the user experience part of it nearly always trumps security concerns; so anything that encumbers or makes that experience less enticing will likely be vetoed.  There's another concern that pushes security to the back of the bus: revenue.  From a developer's perspective: compromise the user experience or the revenue stream, and you get immediate, and invariably negative, feedback.  Compromise security, and it might never get back to you - so how would you set your priorities? 
Michael Fimin Netwrix
50%
50%
Michael Fimin Netwrix,
User Rank: Author
2/28/2018 | 4:59:50 AM
Insiders are the weakest link in your security
This is so true! No matter how much effort and investments you have put in your security, your business users can derail all your work in a couple of minutes. Most companies think that users with legitimate access to sensitive data are the biggest risk, and the only way to try to fix that is to educate them and raise cyber security awareness. In addition, you always should have visibility into your IT infrastructure to check if your employees follow security policies established in your company. 
Why CISOs Need a Security Reality Check
Joel Fulton, Chief Information Security Officer for Splunk,  6/13/2018
Cisco Talos Summit: Network Defenders Not Serious Enough About Attacks
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2018
Meet 'Bro': The Best-Kept Secret of Network Security
Greg Bell, CEO, Corelight,  6/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-12294
PUBLISHED: 2018-06-19
WebCore/platform/graphics/texmap/TextureMapperLayer.cpp in WebKit, as used in WebKitGTK+ prior to version 2.20.2, is vulnerable to a use after free for a WebCore::TextureMapperLayer object.
CVE-2018-12519
PUBLISHED: 2018-06-19
An issue was discovered in ShopNx through 2017-11-17. The vulnerability allows a remote attacker to upload any malicious file to a Node.js application. An attacker can upload a malicious HTML file that contains a JavaScript payload to steal a user's credentials.
CVE-2018-12588
PUBLISHED: 2018-06-19
Cross-site scripting (XSS) vulnerability in templates/frontend/pages/searchResults.tpl in Public Knowledge Project (PKP) Open Monograph Press (OMP) v1.2.0 through 3.1.1-1 before 3.1.1-2 allows remote attackers to inject arbitrary web script or HTML via the catalog.noTitlesSearch parameter (aka the S...
CVE-2018-10811
PUBLISHED: 2018-06-19
strongSwan 5.6.0 and older allows Remote Denial of Service because of Missing Initialization of a Variable.
CVE-2018-10945
PUBLISHED: 2018-06-19
The mg_handle_cgi function in mongoose.c in Mongoose 6.11 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash, or NULL pointer dereference) via an HTTP request, related to the mbuf_insert function.