Peter Hesse

Security Starts with the User Experience

Preventing a data breach is safer and more cost-effective than dealing with a breach after it has already happened. That means a focus on security in the design phase.

In a 1912 poem by Joseph Malins, a village debates how best to deal with a dangerous cliff. The town is torn over the decision whether to build a fence around the edge of the cliff or place an ambulance down in the valley. The townspeople decide to fund an ambulance, until a wise man suggests a preventative approach:

Then an old sage remarked, "It's a marvel to me
that people give far more attention
to repairing results than to stopping the cause, 
when they'd much better aim at prevention."

There's no question that preventing a data breach is much safer and more cost-effective than dealing with a breach after it has already occurred. Implementing specialized tools and tactics for data breach response is reactive, like funding the ambulance in the valley. Many breaches, both accidental ones based on user error and malicious attacks, could have been avoided had companies thought about security in the product design phase — if there had only been a "fence" built into the user experience.

The most recent example can be seen in the missile alert that was incorrectly sent to Hawaiians in January 2018. An investigation into the incident determined "that insufficient management controls, poor computer software design and human factors contributed" to the alert and a delayed correction message. While it is impossible to say that the situation could have been totally avoided, a design that deterred sending out actual alerts could have made quite a difference. What might have happened if after the employee had clicked to send the alert, he was prompted with a second step to acknowledge the gravity of his actions, or if a supervisor's approval was required? Changing the user experience could have helped prevent this unintended scare.

Another recent breach that could have been avoided or lessened by secure design is the 2017 Republican National Committee data breach, when it was discovered that a database containing personal details of more than 198 million American voters was exposed. The data was left unprotected after a software upgrade, when the analytics company storing files containing the information failed to re-enable password protection.

As with most breaches, there were numerous failures in this situation. Such a large amount of sensitive information deserved better protection than a simple website password. The fact that the upgrade required the password protection to be removed is bad; the fact that the upgrade didn't notify IT personnel to re-enable it is worse. Additionally, the ideal design would have separated the names of the voters from their information altogether.

According to the 2017 Beazley Breach Insights report, unintended disclosures were the cause of a shocking 42% of healthcare-related breaches. These breaches typically are caused by employee error, such as misdirected faxes or improperly released discharge papers. As these processes increasingly are done digitally, properly designed user interfaces can help to reduce or eliminate human error. Additionally, they can warn individuals of risky behaviors before they happen. Imagine seeing a warning that said "You are about to export 135 medical records without encryption. Disclosure of this file could result in up to $6.75 million of HIPAA fines. Do you want to continue?"

Opportunities to protect information in advance arise every day, and not only in the situations involving publicized failures. Consider, for example, an application to help accountants prepare their clients' taxes. This app would collect tax information and store tax returns for easy access. The app should make it very easy for the accountant to search for and view relevant information. However, the application should be designed in a way that makes it very difficult to download an Excel sheet documenting all their clients' Social Security numbers and income. Instead of a simple export button, the designer could implement an approval process, or it could just be difficult to aggregate such information. It would also make sense to warn the user before sensitive information is downloaded in bulk — and inform supervisory personnel as well. The goal for the designer is to give an incentive for safe and secure use, and mitigate or prevent system abuse.
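
The export safeguards described above (the warning quoted in the healthcare paragraph, plus the approval step and supervisor notice proposed for the tax application) can be sketched as a small policy check. This is an added example, not code from the article; the field names, bulk threshold, supervisor address and function names are assumptions, and the per-record fine is the figure implied by the article's own numbers ($6.75 million for 135 records).

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed values for illustration; none of these names come from the article.
SENSITIVE_FIELDS = {"ssn", "income", "medical_record"}
BULK_THRESHOLD = 25        # exports above this many records count as bulk
FINE_PER_RECORD = 50_000   # implied by the article: $6.75M / 135 records


@dataclass
class ExportRequest:
    requester: str
    fields: set
    record_count: int
    encrypted: bool
    acknowledged: bool = False       # user confirmed the warning
    approver: Optional[str] = None   # second person who signed off


@dataclass
class Decision:
    allowed: bool
    message: str = ""
    notify: list = field(default_factory=list)


def evaluate_export(req, supervisor="supervisor@example.test"):
    """Make routine lookups easy and bulk sensitive exports deliberate."""
    sensitive = sorted(req.fields & SENSITIVE_FIELDS)
    if not sensitive or req.record_count <= BULK_THRESHOLD:
        return Decision(allowed=True)
    # Bulk export of sensitive data: the supervisor is always informed.
    notify = [supervisor]
    exposure = req.record_count * FINE_PER_RECORD
    how = "" if req.encrypted else " without encryption"
    warning = (f"You are about to export {req.record_count} records "
               f"({', '.join(sensitive)}){how}. Disclosure of this file could "
               f"result in up to ${exposure:,} of fines. Do you want to continue?")
    if not req.acknowledged:
        return Decision(False, warning, notify)
    # Two-person rule: the requester cannot approve their own export.
    if req.approver is None or req.approver == req.requester:
        return Decision(False, "Bulk export needs approval from a second person.", notify)
    return Decision(True, warning, notify)
```

A single-client lookup passes straight through, while the 135-record unencrypted export is blocked until the user acknowledges the warning and a different person approves it.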

Real and hypothetical opportunities to protect information through a better user experience exist across all industries and types of systems. It is easy to show how a design flaw could create a crisis, while prudent design could prevent or minimize the likelihood of one. The best place to prevent these crises is at the design stage. Developers must always consider making it easier for individuals to do the safer activities, and harder for them to do the unsafe ones. Take the advice of the sage and spend the time to build the fence, rather than calling for an ambulance later.


For nearly two decades, Peter Hesse has leveraged his passion for technology and experience in security to develop successful solutions to interesting problems. From an exciting start developing the reference implementation of a standards-based certification authority for the ...
User Rank: Strategist
2/28/2018 | 11:36:01 AM
Security Starts with the User Experience
@Michael: "...companies think that users with legitimate access to sensitive data are the biggest risk..." The problem is that any data might become "sensitive data" when combined with other data; and that other data might not be considered "sensitive" either, and doesn't have to be from the same data source. 

@Peter: You raise some good points, including the need to emphasize prevention over remediation.  Changing attitudes and practices in application development won't be easy; and there are limitations to the effectiveness of safeguards at the application-user experience level (they really belong closer to the data).  Partly that's the inherent problem of anticipating all of the ways user interaction might compromise security - when you think you've thought of everything, someone will surprise you (usually by doing something very clever or unimaginably dumb).  Also, the user experience part of it nearly always trumps security concerns; so anything that encumbers or makes that experience less enticing will likely be vetoed.  There's another concern that pushes security to the back of the bus: revenue.  From a developer's perspective: compromise the user experience or the revenue stream, and you get immediate, and invariably negative, feedback.  Compromise security, and it might never get back to you - so how would you set your priorities? 
Michael Fimin Netwrix
User Rank: Author
2/28/2018 | 4:59:50 AM
Insiders are the weakest link in your security
This is so true! No matter how much effort and investments you have put in your security, your business users can derail all your work in a couple of minutes. Most companies think that users with legitimate access to sensitive data are the biggest risk, and the only way to try to fix that is to educate them and raise cyber security awareness. In addition, you always should have visibility into your IT infrastructure to check if your employees follow security policies established in your company. 