CyberSecurity: Ignorance Is Not An Excuse | A Live Experts Panel At RSAC | Recap

Moderator:

  • Sean Martin, CISSP, Editor in Chief, ITSPmagazine

Panelists:

  • Jeremiah Grossman, CSO of SentinelOne

  • Ian Glazer, Chairman, ID Professionals Working Group, Kantara Initiative

  • Uma Karmarkar, Decision Neuroscientist | Assistant Professor at Harvard Business School

  • Michael Landewe, Co-Founder of Avanan Cloud Security

OVERVIEW: We live in a society where we have to place warnings on cups that the coffee you’ve just knowingly purchased is hot, yet we hand out smartphones to kids like they’re candy without understanding the risks that these devices pose to our safety. A Black Hat survey showed that 28% of people felt that the weakest link in enterprise IT defenses was “end users who violate security policy and are too easily fooled by social engineering attacks.” Whether laziness, optimism or naiveté, it’s in our nature to trust – even when it puts us, our company or society in danger. This panel of experts discusses the role of trust in cybersecurity and our everyday lives and explores the question: Can humans be taught to make good decisions with security consequences given our desire to trust?

DISCUSSION HIGHLIGHTS: How do we make the individual aware of the risks involved and the choices available to them? Uma states that, when it comes to why we do some of the things we do, it’s not so much a question of trust, but of how much risk we perceive. And we often get mixed messages on navigating online security on a personal device: convenience versus security. Jeremiah adds that it’s hard for users to make security decisions every five seconds with very limited information, so they get “decision exhaustion.”

It’s very easy to place all the responsibility and blame on the user, on the “dumb human.” But, as Sean pointed out, if you have a vehicle that is controlled by an AI that has been tuned to always protect the driver, in the event of an accident, where does the liability fall? The car manufacturer? The embedded software? The driver? The pedestrian? Jeremiah thinks that the liability disclaimers on all software – which now drives so much of what we own – should no longer be allowed.

Why would we trade so much security for access and convenience? At the end of the day, curiosity overrides much of our common sense, even for those who know better. The panel discusses whether it’s better if the government gets involved, at least in educating end users (like OnGuard Online), but Uma reminds us that education can be difficult because educated people still make errors. Although the blame tends to be put on the user, Jeremiah says that every time the user has to get involved in security, he counts that as a technological failure. Security versus usability is an ongoing struggle.

The bottom line is that the responsibility belongs to all of us. And education should start very young, much like public service campaigns for seat belts, not smoking or washing your hands, in order to build good habits early. Jeremiah teaches kids how to hack so that they understand what can go wrong, how, and why. They come away feeling smart and empowered.

A FEW NOTABLE QUOTES:

As the adversaries become more adept at fooling the humans, we as a security industry need to become a little more adept, a little more ‘artificially intelligent,’ at identifying those threats before it gets to the human. But, as we’re finding, the attackers are becoming better marketers.
— Michael Landewe

A lot of the time the risk [of online security] is not tangible. If you hand your credit card to someone physically, you understand that in a very concrete way. If you give some information [online], the ramifications of that, the degree to which it might spread, the degree to which it might be captured, isn’t immediately as tangible, obvious and understandable.
— Uma Karmarkar

What we’ve left out in the conversation is, here’s an average user, an average person – how do they know what the service is and is it trustworthy? The best thing we have right now is browser alerts for SSL certs. That’s making a sys-admin out of someone who is not prepared to do that, nor should they. So it’s a weird blame-shift game.
— Ian Glazer

The SSL alert is a great example of lack of liability… why isn’t the web default encrypted? Because if Google or Firefox said ‘we’re just going to hard-fail anything that’s not SSL’, they would break a quarter of the web… and the browser vendors are concerned that people would abandon ship and they’d lose market share… And let’s not make any mistake – browser vendors are advertisers, they are all about eyeballs. They are not trustworthy.
— Jeremiah Grossman

If we rely on that end user for security, then we’ve failed as an industry.
— Michael Landewe
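Ian Glazer’s and Jeremiah Grossman’s remarks above both turn on the browser certificate alert: a verdict the client software reaches and then hands to the user to judge. The program below is an added example, not code from the panel or from any of the panelists’ companies, that makes that verdict concrete. It builds a constructed self-signed certificate for the made-up hostname example.test, serves it on a loopback listener, and records what a TLS client concludes under four trust policies: the default system trust store (the case that ends in a warning page), a client in which the engineer has pinned the expected certificate (no prompt, no user decision), the pinned certificate presented under the wrong name (still a hard failure), and the equivalent of clicking through the warning, which is simply verification switched off. All hostnames, names and the key material are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newSelfSignedCert builds a constructed self-signed certificate for hostname: valid in
// form, but vouched for by no public CA, which is exactly what makes a browser stop and ask.
func newSelfSignedCert(hostname string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// classifyHandshake dials addr with cfg and reduces the outcome to the verdict a browser
// has to turn into either a padlock or a warning page.
func classifyHandshake(addr string, cfg *tls.Config) string {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err == nil {
		conn.Close()
		return "trusted"
	}
	var unknownCA x509.UnknownAuthorityError
	var hostErr x509.HostnameError
	switch {
	case errors.As(err, &unknownCA):
		return "untrusted-issuer"
	case errors.As(err, &hostErr):
		return "hostname-mismatch"
	}
	return "other: " + err.Error()
}

// RunDemo serves the constructed certificate on loopback and records the verdict under four policies.
func RunDemo() (map[string]string, error) {
	const host = "example.test" // made-up hostname for the example
	cert, err := newSelfSignedCert(host)
	if err != nil {
		return nil, err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	serverCfg := &tls.Config{Certificates: []tls.Certificate{cert}}
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			tls.Server(c, serverCfg).Handshake() // a failure here is just the client rejecting us
			c.Close()
		}
	}()
	pinned := x509.NewCertPool()
	pinned.AddCert(cert.Leaf)
	cases := map[string]*tls.Config{
		// Default: only the system trust store decides; this is the alert handed to the user.
		"system-roots": {ServerName: host},
		// The engineer pins the expected certificate in the client; the user never sees a prompt.
		"pinned": {ServerName: host, RootCAs: pinned},
		// Pinned certificate but the wrong name: still a hard failure, not a judgement call.
		"pinned-wrong-host": {ServerName: "other.test", RootCAs: pinned},
		// What "click through the warning" amounts to: verification switched off entirely.
		"clicked-through": {InsecureSkipVerify: true},
	}
	verdicts := make(map[string]string, len(cases))
	for name, cfg := range cases {
		verdicts[name] = classifyHandshake(ln.Addr().String(), cfg)
	}
	return verdicts, nil
}

func main() {
	v, err := RunDemo()
	fmt.Println(v, err) // err is nil on success
}
```

The point of the four rows is where the decision lives. In the first, the client knows nothing about the site and the only honest answers are "untrusted issuer" or a dialog; in the second and third the engineer has put the expected identity into the client ahead of time, so the outcome is a flat pass or fail with no prompt; the fourth is what a user's click-through buys an attacker, and it looks identical to the trusted case from the application's side.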


Watch the video of this panel discussion right here: CyberSecurity: Ignorance Is Not an Excuse | RSAC Live Panel and see some of the answers to questions asked offline.