Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

6/18/2015
11:00 AM
Theresa Payton
Theresa Payton
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
Google+
RSS
E-Mail vvv
100%
0%

Cybersecurity Advice From A Former White House CIO

Today's playbook demands 'human-centered' user education that assumes people will share passwords, forget them, and do unsafe things to get their jobs done.

I remember the exact moment when I changed how I design a security strategy to conform to the new reality of the modern threat landscape. It was my first day on the job as Chief Information Officer in the George W. Bush White House in 2006. Our office knew we had to appeal to the hearts and minds of the White House staff if we wanted to protect their privacy and security; if solving cybersecurity and privacy issues were as simple as following security best practices, we would all be safe.

Two key questions came to me during my first 90 days at the White House.  I had to answer them or we would have had a major calamity: Why, in spite of talented security teams and security investments, do breaches still happen? Why is it that despite hours and hours of boring computer-based training and security campaigns, we still make mistakes and click on links?

Apply these same questions to industry means taking incremental steps and viewing the problem of user education not as a technical or economic issue but as a human psyche issue. To make evolutionary change in cybersecurity we need to teach cybersecurity professionals to take human behaviors into account when developing cybersecurity strategies, then to incorporate that knowledge into the design and implementation of information systems, including the right incentives for positive behaviors.

The way we design security today, we have zero empathy.  What that means is that we need to design all applications to assume that users will do everything wrong. According to the cybersecurity playbook, people will share passwords, people will forget them, and they will do unsafe things to get their jobs done, such as use free, unsecure WiFi. Haven’t you?

Today, the banking industry is leading the way with this kind of human-centered design and asking systems to conform to the human -- and not the other way around. For starters, many banks will use your social security number to check your credit, but not as your customer identifier. If a hacker breaks in and steals your data, on many of the back-office banking systems, they will not steal your social security number. The banks have implemented online banking programs that assume that your device is infected, and have put into place free software that will help protect your computer while at the same time assist in providing a more secure transaction. 

Many of the banks led the way with authentication strategies. This became another added step on top of your user ID and password to provide you with better confidence. They may look at your computer's unique device ID. Or they may allow you to set up random security questions and answers. In some cases, they will text a code to your mobile phone. All of these are simple to use while adding another deterrent to cybercriminals.

We used a similar strategy at the White House. We knew breaches and incidents were inevitable, but we thought our best strategy was to segment data to save it. Instead of storing something -- such as the President's schedule -- in one place, we would segment the ownership across multiple teams, multiple systems, and disconnected networks. This practice requires a high level collaboration and finely tuned synchronization but the risk vs. reward is worth it. 

We also realized that the staff at the White House was busy and if we expected them to be security experts they could not focus on their job and we would fail at ours. That is why we focused on designing for the human. We assumed that long briefings and boring computer-based training programs were ineffective, and redesigned them to focus on key points to get better results. One example was to shorten our smartphone briefing to two key points: report your missing smartphone immediately so we could locate it, and tell us if you are going on foreign travel for fun or for White House business so we could provide safe and effective communications overseas. We provided that briefing accompanied with a fun package that had the smartphone, accessories, and White House branded items to make the session memorable and fun.

At the end of the day, if we keep the same security mindset, keep implementing the same security protocols, and institute them with more money at a faster rate, we are doomed to failure. It’s time to break the rules and try a different approach.  

In the wake of recent, debilitating cyber-attacks, Theresa Payton remains the cybersecurity expert companies turn to regarding efforts to strengthen cybersecurity measures. Named one of the top 25 Most Influential People in Security by Security Magazine, she is one of ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyonKnight
50%
50%
RyonKnight,
User Rank: Strategist
6/30/2015 | 4:17:09 AM
Re: Segemented data
Thanks for your reply Theresa.  I totally agree that this could be a sensible measure for a couple of critical assets.  I could see using it for private keys or highly sensitive proprietary information.  Still can't see a practical way of making it work for something that's going to be frequently accessed by a variety of users, like a schedule.  I'm not sure if you can give any more specifics due to the nature of the job and what you were protecting, but kudos for making it work.

Thanks again for the article and taking the time to reply.
JohnL228
50%
50%
JohnL228,
User Rank: Apprentice
6/29/2015 | 2:35:10 PM
Great Post Recognizing the Human
 I really like your premise of human factor failings in this post. This harkens back the human-centric design of Alan Cooper's "The Inmates are Running the Asylum." He used the creation of "personas" to help humanize the likely users in the design of software or other products. I suspect that a similar profiling will help to develop more elegant cybersecurity policies that anticipate the most likely human failings.  

 

theresap282
100%
0%
theresap282,
User Rank: Author
6/24/2015 | 9:40:15 AM
Re: Segemented data
Hi Ryon, thanks for asking your question!  In my humble opinion, you would do both.  Because safety measures for data such as encryption or two factor authentication are not 100% bullet proof solutions, you want to make sure you segment your data.  When that breach happens, they can only steal one piece and you slow them down from taking more of your information.  This is hard to do which is why I only recommend this for 1-2 of your most critical information assets.  Hope this a helpful explanation.  
RyonKnight
50%
50%
RyonKnight,
User Rank: Strategist
6/23/2015 | 7:43:45 AM
Segemented data
I'm unclear on what you're trying to get at with segmenting data like the President's schedule.  What is the benefit of having it segmented across multiple teams or systems?  How does this work in practice?  As you note, the amount of effort and synchronisation would be high.  There are lots of easier ways to secure data and restrict access than segmenting it all over the place.  You cite this as a "similar strategy" to how banks use 2 factor authentication, but this sounds like something quite different.  Grateful if you can clarify, thanks for the article.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15037
PUBLISHED: 2020-07-07
NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Reports-Devices.php page st[] parameter.
CVE-2019-4323
PUBLISHED: 2020-07-07
"HCL AppScan Enterprise advisory API documentation is susceptible to clickjacking, which could allow an attacker to embed the contents of untrusted web pages in a frame."
CVE-2019-4324
PUBLISHED: 2020-07-07
"HCL AppScan Enterprise is susceptible to Cross-Site Scripting while importing a specially crafted test policy."
CVE-2020-15036
PUBLISHED: 2020-07-07
NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Topology-Linked.php dv parameter.
CVE-2020-15577
PUBLISHED: 2020-07-07
An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) software. Cameralyzer allows attackers to write files to the SD card. The Samsung ID is SVE-2020-16830 (July 2020).