Dark Reading
Endpoint
6/18/2015
11:00 AM
Theresa Payton
Commentary
Cybersecurity Advice From A Former White House CIO

Today's playbook demands 'human-centered' user education that assumes people will share passwords, forget them, and do unsafe things to get their jobs done.

I remember the exact moment when I changed how I design a security strategy to conform to the new reality of the modern threat landscape. It was my first day on the job as Chief Information Officer in the George W. Bush White House in 2006. Our office knew we had to appeal to the hearts and minds of the White House staff if we wanted to protect their privacy and security; if solving cybersecurity and privacy issues were as simple as following security best practices, we would all be safe.

Two key questions came to me during my first 90 days at the White House. I had to answer them or we would have had a major calamity: Why, in spite of talented security teams and security investments, do breaches still happen? Why is it that despite hours and hours of boring computer-based training and security campaigns, we still make mistakes and click on links?

Applying these same questions to industry means taking incremental steps and viewing the problem of user education not as a technical or economic issue but as a human psyche issue. To make evolutionary change in cybersecurity we need to teach cybersecurity professionals to take human behaviors into account when developing cybersecurity strategies, then to incorporate that knowledge into the design and implementation of information systems, including the right incentives for positive behaviors.

The way we design security today, we have zero empathy. What we need instead is to design every application on the assumption that users will do everything wrong. According to the cybersecurity playbook, people will share passwords, people will forget them, and they will do unsafe things to get their jobs done, such as use free, unsecured WiFi. Haven’t you?

Today, the banking industry is leading the way with this kind of human-centered design and asking systems to conform to the human -- and not the other way around. For starters, many banks will use your social security number to check your credit, but not as your customer identifier. If a hacker breaks in and steals your data, on many of the back-office banking systems, they will not steal your social security number. The banks have implemented online banking programs that assume that your device is infected, and have put into place free software that will help protect your computer while at the same time assist in providing a more secure transaction. 

Many of the banks led the way with authentication strategies. This became another added step on top of your user ID and password to provide you with better confidence. They may look at your computer's unique device ID. Or they may allow you to set up random security questions and answers. In some cases, they will text a code to your mobile phone. All of these are simple to use while adding another deterrent to cybercriminals.

We used a similar strategy at the White House. We knew breaches and incidents were inevitable, but we thought our best strategy was to segment data to save it. Instead of storing something -- such as the President's schedule -- in one place, we would segment the ownership across multiple teams, multiple systems, and disconnected networks. This practice requires a high level of collaboration and finely tuned synchronization, but the risk vs. reward is worth it.

We also realized that the staff at the White House was busy, and if we expected them to be security experts, they could not focus on their job and we would fail at ours. That is why we focused on designing for the human. We assumed that long briefings and boring computer-based training programs were ineffective, and redesigned them to focus on key points to get better results. One example was to shorten our smartphone briefing to two key points: report your missing smartphone immediately so we could locate it, and tell us if you are going on foreign travel for fun or for White House business so we could provide safe and effective communications overseas. We provided that briefing accompanied with a fun package that had the smartphone, accessories, and White House branded items to make the session memorable and fun.

At the end of the day, if we keep the same security mindset, keep implementing the same security protocols, and institute them with more money at a faster rate, we are doomed to failure. It’s time to break the rules and try a different approach.

In the wake of recent, debilitating cyber-attacks, Theresa Payton remains the cybersecurity expert companies turn to regarding efforts to strengthen cybersecurity measures. Named one of the top 25 Most Influential People in Security by Security Magazine, she is one of ...

Comments
RyonKnight, User Rank: Strategist, 6/30/2015 | 4:17:09 AM
Re: Segmented data
Thanks for your reply Theresa. I totally agree that this could be a sensible measure for a couple of critical assets. I could see using it for private keys or highly sensitive proprietary information. Still can't see a practical way of making it work for something that's going to be frequently accessed by a variety of users, like a schedule. I'm not sure if you can give any more specifics due to the nature of the job and what you were protecting, but kudos for making it work.

Thanks again for the article and taking the time to reply.
JohnL228, User Rank: Apprentice, 6/29/2015 | 2:35:10 PM
Great Post Recognizing the Human
I really like your premise of human factor failings in this post. This harkens back to the human-centric design of Alan Cooper's "The Inmates are Running the Asylum." He used the creation of "personas" to help humanize the likely users in the design of software or other products. I suspect that a similar profiling will help to develop more elegant cybersecurity policies that anticipate the most likely human failings.

theresap282, User Rank: Author, 6/24/2015 | 9:40:15 AM
Re: Segmented data
Hi Ryon, thanks for asking your question! In my humble opinion, you would do both. Because safety measures for data such as encryption or two factor authentication are not 100% bulletproof solutions, you want to make sure you segment your data. When that breach happens, they can only steal one piece and you slow them down from taking more of your information. This is hard to do, which is why I only recommend this for 1-2 of your most critical information assets. Hope this is a helpful explanation.
RyonKnight, User Rank: Strategist, 6/23/2015 | 7:43:45 AM
Segmented data
I'm unclear on what you're trying to get at with segmenting data like the President's schedule. What is the benefit of having it segmented across multiple teams or systems? How does this work in practice? As you note, the amount of effort and synchronisation would be high. There are lots of easier ways to secure data and restrict access than segmenting it all over the place. You cite this as a "similar strategy" to how banks use 2 factor authentication, but this sounds like something quite different. Grateful if you can clarify, thanks for the article.