12/5/2018
10:30 AM
Ira Winkler
Commentary
The Case for a Human Security Officer

Wanted: a security exec responsible for identifying and mitigating the attack vectors and vulnerabilities specifically targeting and involving people.

It is clear that end users are a major, if not the primary, attack vector for most significant attacks. Whether using phishing, traditional social engineering, or physical compromise, sophisticated attackers know that it is easier to find a successful entry point into an organization by targeting users than by probing for technology weaknesses. Just as important, well-meaning users cause more damage in aggregate than malicious parties ever could. In response, there is a focus on trying to make users more resilient through awareness.

The reality is that this works to an extent, but more is required.

Technology is in place to stop user actions in advance, as it should be. In the safety field, it is believed that around 90% of workplace accidents are avoided by creating an environment that prevents employees from being exposed to situations where they can be injured. For example, in one factory where employees were frequently struck by forklifts, they painted a line down aisles, creating distinct walkways. This one change alone reduced almost all accidents involving forklifts. The remainder of the incidents were the result of walkers who were looking at their cellphones and drifted into the forklift because they weren't paying attention.

In the cybersecurity world, one equivalent of creating a secure environment is anti-malware software, spam filters, and PC protections that prevent users from installing software. Creating a secure environment filters out more than 99.9% of potential attacks before they can reach the user, or stops the user from causing damage. But clearly, attacks still make it through, which means awareness is still necessary to reduce the risk.

The truth is that awareness programs should focus on how users should do their jobs properly and not on what they should be afraid of. This requires a definition of proper governance. You cannot expect users to detect every possible trick, but they should at least be able to follow defined procedures for acting appropriately.

Focus on the User
While in general most companies have some form of software to defend against attacks reaching users, some form of awareness, and something that resembles policies and procedures, these efforts are uncoordinated and haphazard. There is no focused effort to stop specific attacks or user actions.

To address this concern, what is required is a position that I call the human security officer (HSO), who is responsible for specifically identifying the different attack vectors and vulnerabilities involving people. The HSO examines where problems may arise and identifies the optimal ways to prevent, detect, and respond to the attacks or user actions.

Some people may contend that this is the job of the CISO or perhaps an awareness manager. The reality is that awareness people have a very specific role and focus on providing information to people in an attempt to get them to improve their security-related behaviors. The awareness team does not have the responsibility -- and especially not the authority -- to account for all aspects of preventing and mitigating vulnerabilities. The awareness team should report to the HSO.

The HSO would be responsible for determining where human-related vulnerabilities exist and for focusing on a coordinated method for mitigating them. This would involve an examination of underlying business processes and the determination of the best combination of technology and operational processes that most effectively mitigate vulnerabilities. The HSO would then ensure that the awareness program primarily addresses how people should perform their jobs correctly.

While it would be good for a CISO to take on the role of an HSO, in any company of reasonable size, the CISO has a team of people to whom she can delegate responsibilities. Much like there are individuals reporting to the CISO responsible for network security, incident response, and governance, there should be an HSO specifically responsible for all aspects dealing with human-related vulnerabilities. The role should be treated distinctly and go well beyond the traditional awareness roles.

Ira Winkler is president of Secure Mentem and author of Advanced Persistent Security.

Comments
UdyRegan,
User Rank: Apprentice
12/18/2018 | 2:20:35 AM
Humans over Robots.
I would personally always prefer somebody human attending to my needs. But of course, the way that the world is progressing these days, it seems like automation is the only way to go to keep costs down. We'll have to see. I don't think that they'll really be that much more effective given a human has to program the bots and automated systems to begin with...
NathanDavidson,
User Rank: Apprentice
12/11/2018 | 10:32:59 PM
Personal experience
I have heard a story from a family friend that there was a candidate applying for a similar role who was perfect for that position and was hired on the spot. It was because of the personal experience that he shared with the company which moved the hiring department to act right there and then so as not to lose him. He told them that he just got out of prison for hacking a company that happened to be the competitor of this hiring company. That's how it works I guess when it comes to the security sector. If you had done it before, it goes to show that you have some great skillsets.