[BreachExchange] As long as the workforce is human, IT security education will fall short

Audrey McNeil audrey at riskbasedsecurity.com
Fri May 5 18:11:17 EDT 2017


We recently made two big decisions. The first is that we decided to throw
out our traditional approach to endpoint security and go with one of the
newfangled behavior-based systems. The second involved facing up to the
limits -- OK, failure -- of IT security education programs.

To be honest, the first decision was pretty easy because the traditional
approach to endpoint security has always struck me as a little backward.
The traditional approach is based on signature identification. Some
nefarious person or group creates a new threat vector (sorry for slipping
into the language of my information security team) and releases it into the

The threat vector does some level of damage before a security sleuth
recognizes the threat's signature. The traditional endpoint security
vendors then work hard to find a way to thwart the new threat; they add
their mitigation to their libraries and we then automatically or manually
deploy the new library to block the threat. This cycle then repeats --
seemingly forever.

Behavior-based security

The newfangled way is to monitor what is happening on devices, networks and
servers and, based on behavior that we believe indicates some nefarious
action or risky activity, block the behavior. Assuming this behavior-based
security approach works, it makes sense to me. First, the behaviors are
common across different types of threat vectors. Second, I don't have to
worry about updating libraries or what might come into my life from an
un-updated device. Third, this approach works for a wide range of equipment
rather than just endpoint devices.

As part of our periodic review of systems, we had done some testing with
behavior-based security approaches and were happy with the results. So when
the existing contract for our traditional endpoint protection system
expired, we made the leap. Lest you think this leap was painless, we are
paying more now for protection than we did before -- but we are also
protecting a lot more of our environment than we did before. Also, the
behavior-based security systems find things that were previously hidden --
like something a software engineer is using or connecting to that is a bit
sketchy. But, those shadowy IT operations seem to be the exceptions, and we
can work those out now that we know about them. (In our case, the engineer
begged us to let him connect to the sketchy service -- we are still
deciding what to do about this one.) Time will tell whether we made a good
decision but so far, so good.

IT security education: 'Abandon hope'

The second decision we made was to completely and entirely give up on
humans. We had hoped that our IT security education programs -- training,
frequent reminders, case studies, tools like data loss prevention (DLP) and
begging -- would stop the people in our company from doing things like
clicking on a blatant phishing link, emailing a sensitive data file to a
customer or installing a thumb drive they found in the parking lot.

It turns out that my optimism about humans vis-à-vis IT security is badly
misplaced. Indeed, I have lost hope in humanity, or at least in the
efficacy of IT security education drills. When it comes to knowing and
doing the right thing to prevent security breaches, the odds are stacked
against us. The math is compelling. Suppose, for simplicity's sake, there are
1,000 people in the company. What are the odds that one among us
thousand-strong will not get suckered into doing something we should not?
And, remember, all it takes is one.

So, how does my utter lack of faith in the human capacity to obtain an IT
security education actually pan out day-to-day? We now treat everyone with
suspicion. We assume that everyone is a bad actor and so lock down their
access. We tease them with phishing attempts that we generate (just to see
who will click that link). We don't let them use USB ports. We determine
which external services and applications they can access. We treat them for
what they are -- terrible persons who, if given the chance, will do
something to put themselves and the company at risk.

All right, perhaps I am exaggerating my attitude, but I have learned
through sad experience that people will make potentially life-altering
mistakes -- not because they have bad intentions but simply because they
are human. And since we are all human, no one is immune from being the one
who makes the life-altering mistake, including the mistake that ends up
putting a company at risk. Even I worry about getting caught when we send
out an internally generated phishing attempt. Why? I am the last person who
should be sent to the remediation training -- I am supposed to know what I
am doing, and yet. ...